Cyber security

CreateToken: Exploiting ZwCreateToken() for SYSTEM Token

In the realm of cybersecurity, understanding and exploiting Windows APIs is pivotal for both defenders and attackers. In this article, we delve into the intricacies of the ZwCreateToken() API and explore how it can be exploited to obtain a coveted SYSTEM token with full privileges.

Through a step-by-step walkthrough, we will uncover the techniques and tools used in this exploit, shedding light on the potential risks it poses and the importance of safeguarding against such vulnerabilities.

PoCs to get full privileged SYSTEM token with ZwCreateToken() API.

Installation

PS C:\> sc.exe create CreateToken type= kernel binpath= C:\Dev\CreateTokenDrv_x64.sys
PS C:\> sc.exe start CreateToken

Client Program Usage

Client program performs NT AUTHORITY\SYSTEM process execution.

PS C:\Dev> .\CreateTokenClient.exe -h

CreateTokenClient - Client for CreateTokenDrv.

Usage: CreateTokenClient.exe [Options]

        -h, --help    : Displays this help message.
        -c, --command : Specifies command to execute. Default is "cmd.exe".
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

20 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

22 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

24 hours ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

24 hours ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

24 hours ago

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

2 days ago