CVE-2022-21894

This repository contains a proof-of-concept exploit for CVE-2022-21894, a Secure Boot bypass vulnerability in Windows Boot Applications. The exploit leverages the `truncatememory` BCD element to remove the serialised Secure Boot policy from memory, allowing dangerous settings to be used.

This PoC demonstrates exploitation of CVE-2022-21894 by mapping a second-stage payload to call EFI services. It allocates executable memory and copies an EFI application into it, then executes it in firmware context.

This repository contains a working exploit for CVE-2022-21894, targeting ARMv7-based Windows RT devices (MSM8960). The exploit leverages a baton drop technique to achieve code execution by loading unsigned EFI payloads via a modified boot process.

This PoC exploits CVE-2022-21894, a vulnerability in Windows Boot Manager, by leveraging a crafted EFI application to achieve arbitrary code execution in the firmware context. The code demonstrates memory allocation and context switching to execute payloads in a privileged environment.

This repository provides detection methods and guidance for investigating CVE-2022-21894, a vulnerability related to the BlackLotus bootkit. It includes commands for checking EFI partition files, registry settings, and event logs, but does not contain exploit code.

This PowerShell script detects indicators of compromise (IOCs) for CVE-2022-21894 (BlackLotus UEFI bootkit) by checking the EFI partition for suspicious files, registry keys, and generating hashes of EFI files. It outputs findings to a text file for analysis.