CVE-2021-26258 PoC — Intel Killer Control Center Security Vulnerability

Associated Vulnerability
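Title: Intel Killer Control Center Security Vulnerability (CVE-2021-26258)
Description: Intel Killer Control Center is a program from Intel (USA) that inspects applications and sets priorities so that speed-sensitive applications get priority access to bandwidth. Intel Killer Control Center software before version 2.4.3337.0 contains a security vulnerability that an authenticated user can exploit to escalate privileges.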
Description
Files and tools for CVE-2021-26258
Readme
This repo contains tools and supplementary files for CVE-2021-26258 PoC. See the [blogpost](https://zwclose.github.io/2022/12/18/killer1.html) for details of the vuln.

**List of files**:
* rn.stg.original: original .stg file that comes with Intel Killer
* rn.xml.original: .xml file extracted from rn.stg.original by using rnstg-tool
* rn_custom.xml: custom .xml file that disables network access for Discord.exe and starts RemoteRegistry service
* rn_custom.stg: custom .stg file derived from rn_custom.xml by using rnstg-tool
* WebSrv.py: tiny web server written in Python3 for simulating a person-in-the-middle attack. The server replies to every HTTP request with the rn_custom.stg file located in the same directory as the server
* rnstg-tool: source files of the tool for packing and unpacking Killer storage files. The tool has two commands. The "unpack" command extracts the rn.xml stream from the input file passed as the first argument, decrypts it and stores the decrypted XML in the output file given as the second argument. Similarly, the "pack" command takes an XML file as input, encrypts it and stores the encrypted content in the .stg file passed as the second argument. The storage file can then be fed to Killer via its update mechanism. The tool is pretty simplistic: it doesn't verify input and output files, so do not confuse the commands and their arguments!

To run the demo, add the line "127.0.0.1 www.killernetworking.com" to the hosts file, put rn_custom.stg in the same directory as WebSrv.py and run the script. Next, open the Killer UI, navigate to the Settings tab and click the "Download Latest App Priorities" button. For details of the environment setup and a video of the attack, refer to the Demo section of the [blogpost](https://zwclose.github.io/2022/12/18/killer1.html). Feel free to ask questions on [Twitter](https://twitter.com/zwclose)
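
A defender-side check for the two conditions the demo relies on, added here as an example and not part of the original repo: an installed version older than the fixed release 2.4.3337.0, and a hosts entry that pins the update domain to a static address. The function names, the way the version string is obtained and the sample hosts content are assumptions made for illustration.

```python
FIXED_VERSION = (2, 4, 3337, 0)          # first fixed release, per the CVE description
UPDATE_DOMAIN = "killernetworking.com"   # update host named in the demo steps

def parse_version(text):
    """Turn '2.4.3337.0' into a 4-tuple of ints, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable(installed):
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < FIXED_VERSION

def hosts_overrides(hosts_text, domain=UPDATE_DOMAIN):
    """Return (line_no, address, hostname) for every hosts entry that pins
    the domain or one of its subdomains to a static address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()     # drop comments, split fields
        if len(entry) < 2:
            continue                             # blank, comment-only or malformed
        address, names = entry[0], entry[1:]
        for name in names:
            host = name.lower().rstrip(".")      # hosts names are case-insensitive
            if host == domain or host.endswith("." + domain):
                findings.append((line_no, address, host))
    return findings

# Constructed sample input, not taken from a real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.killernetworking.com   # left over from a test
10.0.0.5  intranet.example  WWW.KillerNetworking.COM.
# 127.0.0.1 killernetworking.com
192.0.2.7 notkillernetworking.com
"""

if __name__ == "__main__":
    # The version strings below are constructed samples.
    for version in ("2.4.3301.0", "2.4.3337.0"):
        print(version, "vulnerable" if is_vulnerable(version) else "fixed or later")
    for line_no, address, host in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {host} -> {address}")
```

On a Windows host the text passed to `hosts_overrides` would come from `%SystemRoot%\System32\drivers\etc\hosts`.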
File Snapshot

[4.0K] /data/pocs/35dfade55d58b9543b5f87e2ed105b3e217d3873
├── [1.8K] README.md
├── [ 21K] rn_custom.stg
├── [ 18K] rn_custom.xml
├── [1.0M] rn.stg.original
├── [4.0K] rnstg-tool
│   ├── [4.0K] Release
│   │   └── [ 14K] rnstg-tool.exe
│   ├── [ 11K] rnstg-tool.cpp
│   ├── [1.4K] rnstg-tool.sln
│   ├── [7.0K] rnstg-tool.vcxproj
│   └── [ 983] rnstg-tool.vcxproj.filters
└── [ 766] WebSrv.py

2 directories, 10 files