Add winpeas privilege escalation checks from: Windows Exploitation Technique: Amplifying Race Windows via Slow Object Manager

2025-12-24 00:39:02 +00:00 · 2025-12-17 01:34:41 +00:00
parent b4a1382e8a
commit 488d388830
4 changed files with 63 additions and 0 deletions
--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@@ -77,6 +77,8 @@ The goal of this project is to search for possible **Privilege Escalation Paths*
 New in this version:
 - Detect potential GPO abuse by flagging writable SYSVOL paths for GPOs applied to the current host and by highlighting membership in the "Group Policy Creator Owners" group.

+- Added Object Manager race-window amplification guidance (Project Zero 2025): winPEAS now checks if the current user can create named objects under \\BaseNamedObjects and reminds you how to build extremely long names/deep directory chains to stretch kernel race windows.
+

 It should take only a **few seconds** to execute almost all the checks and **some seconds/minutes during the lasts checks searching for known filenames** that could contain passwords (the time depened on the number of files in your home folder). By default only **some** filenames that could contain credentials are searched, you can use the **searchall** parameter to search all the list (this could will add some minutes).

--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -81,6 +81,7 @@ namespace winPEAS.Checks
                PrintKrbRelayUp,
                PrintInsideContainer,
                PrintAlwaysInstallElevated,
+                PrintObjectManagerRaceAmplification,
                PrintLSAInfo,
                PrintNtlmSettings,
                PrintLocalGroupPolicy,
@@ -667,6 +668,31 @@ namespace winPEAS.Checks
            }
        }

+        static void PrintObjectManagerRaceAmplification()
+        {
+            try
+            {
+                Beaprint.MainPrint("Object Manager race-window amplification primitives");
+                Beaprint.LinkPrint("https://projectzero.google/2025/12/windows-exploitation-techniques.html", "Project Zero write-up:");
+
+                if (ObjectManagerHelper.TryCreateSessionEvent(out var objectName, out var error))
+                {
+                    Beaprint.BadPrint($"    Created a test named event ({objectName}) under \\BaseNamedObjects.");
+                    Beaprint.InfoPrint("    -> Low-privileged users can slow NtOpen*/NtCreate* lookups using ~32k-character names or ~16k-level directory chains.");
+                    Beaprint.InfoPrint("    -> Point attacker-controlled symbolic links to the slow path to stretch kernel race windows.");
+                    Beaprint.InfoPrint("    -> Use this whenever a bug follows check -> NtOpenX -> privileged action patterns.");
+                }
+                else
+                {
+                    Beaprint.InfoPrint($"    Could not create a test event under \\BaseNamedObjects ({error}). The namespace might be locked down.");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
        private static void PrintNtlmSettings()
        {
            Beaprint.MainPrint($"Enumerating NTLM Settings");
--- a/winPEAS/winPEASexe/winPEAS/Helpers/ObjectManagerHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/ObjectManagerHelper.cs
@@ -0,0 +1,34 @@
+using System;
+using System.Diagnostics;
+using System.Threading;
+
+namespace winPEAS.Helpers
+{
+    internal static class ObjectManagerHelper
+    {
+        public static bool TryCreateSessionEvent(out string objectName, out string error)
+        {
+            objectName = $"PEAS_OMNS_{Process.GetCurrentProcess().Id}_{Guid.NewGuid():N}";
+            error = string.Empty;
+
+            try
+            {
+                using (var handle = new EventWaitHandle(initialState: false, EventResetMode.ManualReset, objectName, out var createdNew))
+                {
+                    if (!createdNew)
+                    {
+                        error = "A test event with the generated name already existed.";
+                        return false;
+                    }
+                }
+
+                return true;
+            }
+            catch (Exception ex)
+            {
+                error = ex.Message;
+                return false;
+            }
+        }
+    }
+}
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
@@ -1359,6 +1359,7 @@
    <Compile Include="KnownFileCreds\Vault\Structs\VAULT_ITEM_WIN8.cs" />
    <Compile Include="KnownFileCreds\Vault\VaultCli.cs" />
    <Compile Include="Helpers\MyUtils.cs" />
+    <Compile Include="Helpers\ObjectManagerHelper.cs" />
    <Compile Include="Info\UserInfo\SAM\Enums.cs" />
    <Compile Include="Info\UserInfo\SAM\SamServer.cs" />
    <Compile Include="Info\UserInfo\SAM\Structs.cs" />