Microsoft Authenticode WinVerifyTrust signature verification bypass in PE files

This repository is a small standalone PowerShell proof-of-concept for CVE-2013-3900, the Windows Authenticode certificate padding issue. It is not part of a larger exploit framework. The repository contains four files: the main PowerShell PoC, a README explaining the vulnerability and usage, a .reg remediation file that enables EnableCertPaddingCheck, and a license file. The main script, CVE-2013-3900-PoC-padding-injection.ps1, operates entirely locally on PE files. It takes an input executable, verifies that it has a valid embedded Authenticode signature, parses the PE header to locate DataDirectory[4] (the Certificate Table), reads the first WIN_CERTIFICATE structure, inserts attacker-controlled padding bytes into the certificate blob, updates the certificate length metadata, and writes out a modified executable. The default padding is 4096 bytes of 0x41. After modification, it checks the resulting file with both Get-AuthenticodeSignature and a direct P/Invoke call to WinVerifyTrust from wintrust.dll using the generic verification GUID. This lets the operator observe whether the host still trusts the tampered file under current policy. The exploit capability is therefore simulation and validation of the CVE-2013-3900 condition, not remote compromise or code execution. It demonstrates how a signed PE can be altered in its certificate area while potentially retaining a trusted status on systems where strict padding checks are disabled. The included remediation-64bit-win.reg file sets EnableCertPaddingCheck=1 in both native and Wow6432Node Wintrust registry paths, which causes modified files with extra certificate padding to be rejected. There are no network callbacks, C2 endpoints, or remote targets in the code. The only fingerprintable artifacts are local file paths, the Wintrust DLL/API usage, the verification GUID, and the registry keys used for remediation. Overall, this is a legitimate educational PoC and local test harness for assessing whether a Windows system remains susceptible to the Authenticode padding behavior associated with CVE-2013-3900.

This repository provides a PowerShell proof-of-concept (PoC) exploit for CVE-2013-3900, a vulnerability in the Windows Authenticode signature validation process. The main script, 'CVE-2013-3900-PoC-padding-injection.ps1', takes a signed PE file (by default, MSBuild.exe), injects artificial padding into its certificate section, and saves a modified copy. It then checks the digital signature status of both the original and modified files using Authenticode and the WinVerifyTrust API, demonstrating whether the system accepts or rejects the altered file. The exploit shows that, on unpatched systems, the signature remains valid even after modification, highlighting the risk of malicious code injection into signed binaries. The repository also includes a registry file ('remediation-64bit-win.reg') to enable the mitigation (EnableCertPaddingCheck=1), which causes Windows to reject such tampered files. The README provides context, usage instructions, and a link to the official Microsoft advisory. The repository is structured for educational and research purposes, with clear separation between the exploit script, documentation, and mitigation instructions.