Exploitation Tools

Windows Downdate – Mastering The Art Of OS Downgrade Attacks

A tool that takes over Windows Updates to craft custom downgrades and expose past fixed vulnerabilities. Presented at Black Hat USA 2024 Briefings and DEFCON 32 under the title “Windows Downdate: Downgrade Attacks Using Windows Updates”.

Using Windows Downdate you can downgrade critical OS components, DLLs, Drivers, the NT kernel, the Secure Kernel, the Hyper-V hypervisor, Credential Guard and much more!

Setup

To install Windows Downdate, follow the steps below.

  1. Clone this repository
  2. Launch CMD and change directory to the cloned repository directory
  3. Run the following command
python311 setup.py install
  1. You can now execute Windows Downdate

Release Binary

Windows Downdate also supports PyInstaller pre-compiled binary that you can download here

Usage

Windows Downdate operates on a config XML file that specifies the files to downgrade

windows_downdate.py --config-xml <CONFIG XML PATH> <ADDITIONAL ARGS>

Config XML Format

<Configuration>
    <UpdateFilesList>
        <UpdateFile source="path\to\source.exe" destination="path\to\destination.exe" />
    </UpdateFilesList>
</Configuration>

<Configuration>: The root element that encapsulates the entire configuration.

<UpdateFilesList>: A container element that holds one or more elements.

<UpdateFile>: Defines a single file downgrade operation.

source: The path of the downgrade source file. Note that if the source file does not exist, Windows Downdate attempts to retrieve its base version from the component store.

destination: The path of the downgrade destination file.

Simply put – take the XML snippet and insert <UpdateFile> elements, the source replaces the destination.

You can also refer to the examples directory as reference for finalized config XML files.

Execution Options

Windows Downdate supports two execution options.

1. Custom Downgrades

Windows Downdate supports crafting custom downgrades. To craft custom downgrade, you need to create a config XML file and just feed the tool with this config XML.

2. Downgrade Usage Examples

Windows Downdate has built-in usage examples with ready config XML files and vulnerable modules. The supported usage examples are listed below.

  1. CVE-2021-27090 Secure Kernel Elevation of Privilege Patch Downgrade
  2. CVE-2022-34709 Credential Guard Elevation of Privilege Patch Downgrade
  3. CVE-2023-21768 AFD Driver Elevation of Privilege Patch Downgrade
  4. Hyper-V Hypervisor Downgrade
  5. Kernel Suite Downgrade
  6. PPLFault Patch Downgrade
  7. VBS UEFI Lock Bypass
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtoolsWindows Downdate
5 months ago

Recent Posts

garak, LLM Vulnerability Scanner : The Comprehensive Tool For Assessing Language Model Security

garak checks if an LLM can be made to fail in a way we don't…

23 hours ago

Vermilion : Mastering Linux Post-Exploitation For Red Team Success

Vermilion is a simple and lightweight CLI tool designed for rapid collection, and optional exfiltration…

23 hours ago

AD-CS-Forest-Exploiter : Mastering Security Through PowerShell For AD CS Misconfiguration

ADCFFS is a PowerShell script that can be used to exploit the AD CS container…

23 hours ago

Usage Of Tartufo – A Comprehensive Guide To Securing Your Git Repositories

Tartufo will, by default, scan the entire history of a git repository for any text…

23 hours ago

Loco : A Rails-Inspired Framework For Rust Developers

Loco is strongly inspired by Rails. If you know Rails and Rust, you'll feel at…

2 days ago

Monolith : The Ultimate Tool For Storing Entire Web Pages As Single HTML Files

A data hoarder’s dream come true: bundle any web page into a single HTML file.…

2 days ago