CVE-2022-21894

Example payload for CVE-2022-21894

This is a simple example payload for CVE-2022-21894 that demonstrates how an attacker could map a second stage payload in order to be able to call EFI services A writeup of this vulnerability can be viewed here: githubcom/Wack0/CVE-2022-21894 The code in this repository extends the PoC (poc_amd64_19041) of the repository mentioned above

Public repo for anything CVE-2022-21894

CVE-2022-21894 Public repo for anything CVE-2022-21894 Main page wwwmicrosoftcom/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ Windows Defender now capable of removing this threat "Possible vulnerable EFI bootloader " Basic Detection Mounts the EFI system partition on the specified drive $ mo

baton drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability

baton drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability Windows Boot Applications allow the truncatememory setting to remove blocks of memory containing "persistent" ranges of serialised data from the memory map, leading to Secure Boot bypass The truncatememory BCD element will remove all memory above a specified physical address from the memo

This is a simple example payload for CVE-2022-21894 that demonstrates how an attacker could map a second stage payload in order to be able to call EFI services A writeup of this vulnerability can be viewed here: githubcom/Wack0/CVE-2022-21894 The code in this repository extends the PoC (poc_amd64_19041) of the repository mentioned above

Created to help detect IOCs for CVE-2022-21894: The BlackLotus campaign

BlackLotusDetection Created to help detect IOCs for CVE-2022-21894: The BlackLotus campaign wwwmicrosoftcom/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ This creates an output txt file in the c:\temp folder

A script that scans for the presence of the Black Lotus UEFI rootkit.

Introduction This Python script is designed to help detect the presence of the BlackLotus UEFI bootkit on a Windows system BlackLotus is a sophisticated malware that targets the Unified Extensible Firmware Interface (UEFI), which runs before the operating system during the boot process This allows BlackLotus to deploy payloads early on, disabling various security mechanisms a

baton drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability

baton drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability Windows Boot Applications allow the truncatememory setting to remove blocks of memory containing "persistent" ranges of serialised data from the memory map, leading to Secure Boot bypass The truncatememory BCD element will remove all memory above a specified physical address from the memo

Public repo for anything CVE-2022-21894

CVE-2022-21894 Public repo for anything CVE-2022-21894 Main page wwwmicrosoftcom/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ Windows Defender now capable of removing this threat "Possible vulnerable EFI bootloader " Basic Detection Mounts the EFI system partition on the specified drive $ mo

Bootkit sample for firmware attack

Bootkit Showcase: Real-World Examples of Infrastructure Security Threats Bootkits are a type of malware that infects the boot process of a computer, allowing attackers to gain persistent access and control over the system Despite their potential to cause significant damage, many people, including security professionals, may not be familiar with the threat they pose to infrastr

POC of the batondrop (CVE-2022-21894) vulnerability

py_batondrop POC of the batondrop (CVE-2022-21894) vulnerability