Baton Drop Secure Boot Bypass in Windows Boot Manager
CVE-2022-21894, also referred to as "Baton Drop," is a Windows Secure Boot bypass vulnerability affecting older Microsoft-signed Windows boot loaders and boot managers. It allows an attacker to use a legitimate but vulnerable boot component that remains cryptographically trusted by UEFI Secure Boot to circumvent Secure Boot policy enforcement during early boot. Microsoft fixed the flaw in January 2022, but exploitation remained viable until the vulnerable boot binaries were added to the UEFI revocation database (dbx). Public reporting tied the vulnerability to BlackLotus, which brought its own copies of vulnerable signed boot binaries, manipulated boot configuration data, and achieved arbitrary code execution in early boot phases on systems with Secure Boot enabled. The underlying weakness is an improperly implemented security check during loaded-image verification and Secure Boot policy enforcement.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept (PoC) exploit payload for CVE-2022-21894, a Windows vulnerability that allows attackers to execute arbitrary code in the firmware context during the boot process. The main code file, 'main.c', implements a DLL entry point (McUpdateEntry) that, when loaded as a malicious mcupdate_*.dll, locates the Windows boot loader in memory, allocates a buffer for a custom EFI application, copies the application into memory, and executes it in the firmware context. The payload is minimal (just a stub EFI application), but the structure demonstrates how an attacker could leverage the vulnerability to run arbitrary EFI code and call EFI services. The repository is structured as a Visual Studio C/C++ project, with supporting solution and project files, and a readme describing its purpose. No network or remote endpoints are present; the attack is local and requires the ability to place a malicious DLL on the target system.
This repository provides a proof-of-concept (POC) exploit for CVE-2022-21894 ("Baton Drop"), a Secure Boot security feature bypass vulnerability in Microsoft Windows. The exploit leverages manipulation of boot configuration data (BCD) elements such as 'truncatememory' and 'avoidlowmemory' to remove the serialized Secure Boot policy from memory, allowing the use of dangerous boot options and the loading of self-signed payloads during the boot process. The included payload (mcupdate.c) is a simple DLL that demonstrates code execution by entering an infinite wait state, but the mechanism allows for more advanced payloads, such as those that could extract BitLocker keys. The repository also includes a tool (FveAddMetadataForPolicy.c) for manipulating BitLocker metadata, which can assist in setting up the attack. The exploit targets Windows systems with Secure Boot enabled and requires the attacker to supply custom boot applications and payloads. The code is written in C and batch scripts, and the repository is structured with separate directories for payloads and tools. No network endpoints are present; the attack is local and requires physical or privileged access to the target system.
This repository contains a multi-stage exploit chain ('baton drop') targeting ARMv7-based Windows RT devices (specifically MSM8960, e.g., Dell XPS 10). The exploit enables execution of unsigned EFI boot applications by bypassing Secure Boot and code integrity mechanisms. The structure includes C source files for three main components: boot.c (a simple EFI application), mcupdate.c (the initial loader and orchestrator), and stage2.c (the second-stage loader that prepares the environment and executes the payload). Several batch scripts automate building and signing the components. The exploit works by patching the boot process to load mcupdate.dll, which then loads stage2.dll and a user-supplied boot.efi from the EFI system partition. The README provides detailed exploitation steps and device requirements. The attack vector is local, requiring physical access and a prepared USB device. The main fingerprintable endpoints are the file paths used for loading the payload and stage2 components. The exploit is operational, providing a working method to run arbitrary code at boot on affected devices.
This repository contains an operational exploit payload for CVE-2022-21894, a Secure Boot Security Feature Bypass vulnerability affecting Microsoft Windows. The main exploit logic is implemented in 'main.c', which contains code to map and execute a custom EFI application (embedded as a byte array) in the firmware context. The build process (via 'build.bat') signs the malicious DLL and EFI binaries and renames them to mimic legitimate system files (e.g., 'mcupdate_GenuineIntel.dll', 'mcupdate_AuthenticAMD.dll', 'hello.efi'). The exploit demonstrates how an attacker can bypass Secure Boot and execute arbitrary code at the firmware level, enabling further attacks such as persistence or disabling security features. The repository is structured as a Visual Studio C/C++ project, with supporting solution and project files, and a batch script for building and signing the payloads. The exploit is not part of a framework and is a standalone operational PoC with a real payload.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Secure Boot bypass vulnerability in the Windows boot chain that allowed the use of legitimate but vulnerable boot loaders until they were revoked in dbx; it became the key mechanism for installing the BlackLotus UEFI bootkit.
A Secure Boot bypass vulnerability in Windows/UEFI boot components that allowed BlackLotus to bypass Secure Boot even on fully patched Windows systems.
A Windows Secure Boot bypass vulnerability associated in this content with the BlackLotus bootkit campaign.
A Windows Secure Boot bypass vulnerability referenced in connection with the BlackLotus campaign.