From edef0b233ee69ea1e3899cb810a637bd1877bf21 Mon Sep 17 00:00:00 2001 From: xerox Date: Mon, 17 Aug 2020 22:08:38 +0000 Subject: [PATCH] Update README.md --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8a99d0c..806d71f 100644 --- a/README.md +++ b/README.md @@ -5,4 +5,8 @@ is not something you can inject from usermode, lsass.exe is (although it can be The reason this proxy of a syscall is a vulnerability is simply because their is no validation of R/W access on the specified handle passed to `BEDaisy`. In other words: you can open a handle with `PROCESS_QUERY_LIMITED_INFORMATION` and use that handle to read/write any usermode memory that is also read/writeable. The handle access is not important to bedaisy -rather they use the handle to get the EPROCESS of the process that the handle is opened on. \ No newline at end of file +rather they use the handle to get the EPROCESS of the process that the handle is opened on. + + + +As you can see you can open any handle with any access and then pass it along to bedaisy and it will read/write for you... \ No newline at end of file