
CVE-2021-21551 PoC — Dell dbutil Driver Security Vulnerability

Source
Associated Vulnerability
Title: Dell dbutil Driver Security Vulnerability (CVE-2021-21551)
Description: Dell dbutil Driver is an application from the US company Dell; it provides a driver for Dell devices. Dell dbutil Driver has a security vulnerability that stems from improper access restrictions in the Dell dbutil driver dbutil_2_3.sys. The following products and versions are affected: DBUtil 2.3.
Description
Arbitrary kernel read/write in dbutil_2_3.sys; proof-of-concept local privilege escalation to NT AUTHORITY\SYSTEM.
Readme
# CVE-2021-21551
Simple PoC for exploiting CVE-2021-21551 for LPE by spawning a SYSTEM cmd.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21551

An issue was discovered in a signed Dell Windows driver (dbutil_2_3.sys) which may lead to compromise of the whole local system. The driver's IOCTL dispatch routine lacks validation of the user-supplied buffer.

## IOCTL
Any local user can open a handle to the device and issue IOCTL requests with these codes, which break the Windows security model:

- _0x9b0c1f40_ - arbitrary physical memory read
- _0x9b0c1f44_ - arbitrary physical memory write
- _0x9b0c1ec4_ - arbitrary kernel memory read
- _0x9b0c1ec8_ - arbitrary kernel memory write
- _0x9b0c1ecc_ - controlled parameters to MmFreeContiguousMemorySpecifyCache call
- _0x9b0c1ec0_ - controlled parameters to MmAllocateContiguousMemorySpecifyCache call
- _0x9b0c1f00_ & _0x9b0c1f8c_ & _0x9b0c1f88_ & _0x9b0c1f84_ & _0x9b0c1f80_ - access to some ports
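Since any local user can reach these IOCTLs, the practical defence is to find out whether the driver is still present on a machine and remove it. The following PowerShell triage script is an added example, not code from this repository or from Dell: it looks for `dbutil_2_3.sys` in the Temp directories where Dell update tooling is assumed to drop it (the paths and the `DBUtil` service-name prefix are assumptions, adjust them for your environment), records the file's signer and SHA-256 for your incident notes, and checks whether a kernel service with that name is registered or running.

```powershell
# Added example (not part of the PoC repository): defender-side check for the
# vulnerable Dell dbutil_2_3.sys driver. Drop locations and service name are
# assumptions based on how the driver is commonly deployed; adjust as needed.

$DriverName = 'dbutil_2_3.sys'

# Assumed drop locations: %SystemRoot%\Temp and every user's AppData\Local\Temp.
$CandidateDirs = @( (Join-Path $env:SystemRoot 'Temp') )
$CandidateDirs += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

# Collect one record per copy of the driver found on disk.
$Findings = foreach ($dir in $CandidateDirs) {
    $path = Join-Path $dir $DriverName
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path      = $path
            SizeBytes = (Get-Item -LiteralPath $path).Length
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
            Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Is a DBUtil kernel service registered or currently running? (name prefix assumed)
$Service = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name LIKE 'DBUtil%'" -ErrorAction SilentlyContinue

if (-not $Findings -and -not $Service) {
    Write-Output "No $DriverName file or DBUtil driver service found on this host."
} else {
    if ($Findings) { $Findings | Format-Table -AutoSize }
    if ($Service)  { $Service | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize }
    Write-Output "Vulnerable driver present: remove it following Dell's remediation guidance for CVE-2021-21551."
}
```

Run it from an elevated PowerShell session so that other users' Temp directories are readable; a stopped service entry with no file on disk is still worth cleaning up, because the file can be re-dropped and the service restarted later.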

## Compiling PoC
This PoC uses the _0x9b0c1ec4_/_0x9b0c1ec8_ IOCTL codes for arbitrary kernel memory read/write respectively. First it locates _PsInitialSystemProcess_ in the kernel to obtain the SYSTEM token, then it writes this token into the current process's _EPROCESS_ structure. Before compiling, update your _EPROCESS_ offsets for the target Windows build to avoid a BSOD, using https://www.vergiliusproject.com/
```c
/* Build-specific EPROCESS field offsets; look them up for the target Windows version. */
DWORD EPROCESS_ActiveProcessLinks = 0x2e8;  /* offset of EPROCESS.ActiveProcessLinks */
DWORD EPROCESS_Token = 0x348;               /* offset of EPROCESS.Token */
```
Use Visual Studio to compile (requires the Windows headers). Ntdll SDK header: https://github.com/mathisvickie/segy-software/blob/main/external/ntdll.h

## Running
Tested on:
- Windows 8
- Windows 10 2004
- Windows 10 20H2

A successful exploit will run a SYSTEM cmd. If you get the bugcheck _PAGE_FAULT_IN_NONPAGED_AREA_, the offsets are probably incorrect. Sample output:
![404](https://github.com/mathisvickie/CVE-2021-21551/blob/main/pic.png)
File Snapshot

```
[4.0K] /data/pocs/7c902a5591de126d069c243280129e86027cf068
├── [5.7K] CVE-2021-21551.c
├── [ 12K] dbutil_2_3.c
├── [ 14K] dbutil_2_3.sys
├── [1.1M] pic.png
└── [1.8K] README.md

0 directories, 5 files
```