for some reason I don't think people have realised this:
you can still exploit baton drop booting from latest win8.x bootmgr, using it to load a vulnerable boot application of course :)
because with win8.x bootmgr you don't need to use the trick of loading bootmgr from bootmgr that got patched, you can just set {bootmgr} avoidlowmemory ... ; set {default} truncatememory ... and win (obviously assuming you're loading from a crafted bitlocker-encrypted vhd)
I just tested this working with bootmgfw 6.3.9600.20772 (winblue_ltsb_escrow.221214-1721)
and of course, with VBS disabled you don't need to use that trick either (I mentioned this in my emfcamp 2022 talk, still waiting for the recording to be uploaded to youtube, hi @emf video upload eta wen?)
if you want to avoid hvloader blocklisting then load a vulnerable winload with testsigning=on; I already mentioned in a post some time ago the bare minimum fileset required for win8.1 winload to load and execute mcupdate.dll :)
#batondrop #cve_2022_21894 #secureboot
>bootkit in the wild exploits baton drop
will ms take revocation seriously now?
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
my thoughts: just using baton drop to set up a MOK key is lame
also: it can download vulnerable binaries from the ms symbol server? wow, someone really has been following my research, haven't they
#infosec #blacklotus #bootkit #cve_2022_21894