
CVE-2021-21551 PoC — Dell dbutil Driver Security Vulnerability

Associated Vulnerability
Title: Dell dbutil Driver Security Vulnerability (CVE-2021-21551)
Description: Dell dbutil Driver is a piece of software from the US company Dell. It provides a driver for Dell devices. Dell dbutil Driver contains a security vulnerability that stems from improper access restrictions in the Dell dbutil driver dbutil_2_3.sys. The following products and versions are affected: DBUtil 2.3.
Description
Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
Readme
<p align="center">
    <img src="https://raw.githubusercontent.com/tijme/kernel-mii/master/.github/logo.png" width="450"/>
</p>
<p align="center">
    <a href="https://github.com/tijme/kernel-mii/blob/master/LICENSE.md"><img src="https://raw.finnwea.com/shield/?firstText=Source&secondText=Licensed" /></a>
    <br/>
    <b>Cobalt Strike Beacon Object File foundation for kernel exploitation using CVE-2021-21551.</b>
    <br/>
    <sup>Built by <a href="https://www.linkedin.com/in/tijme/">Tijme</a>. Credits to <a href="https://github.com/lldre">Alex</a> for teaching me! Made possible by <a href="https://northwave-security.com/">Northwave Security</a> <img src="https://raw.githubusercontent.com/tijme/kernel-mii/master/.github/northwave.png"/></sup>
    <br/>
</p>

## Description

This is a Cobalt Strike (CS) Beacon Object File (BOF) which exploits CVE-2021-21551. On its own it only replaces the beacon process's token with the SYSTEM process token, but it is intended mainly as a foundation for further kernel exploitation via CS.

<p align="center">
    <img src="https://raw.githubusercontent.com/tijme/kernel-mii/master/.github/output.png" />
</p>

## Usage

Clone this repository first. Then review the code, compile from source and use it in Cobalt Strike.

**Compiling**

    make

**Usage**

Load the `KernelMii.cna` script using the Cobalt Strike Script Manager. Then use the command below to execute the exploit.

    $ kernel_mii

Alternatively (and for testing purposes), you can directly run the compiled executable. This will spawn a command prompt as SYSTEM.

    $ .\KernelMii.x64.exe

## Limitations

* If the vulnerable driver is not installed, you need to be local admin to install it.

## Todo

* Load the vulnerable driver from memory instead of from disk.
* Delete the vulnerable driver if it was not preinstalled.
* Make the exploit stable & compatible with multiple Windows versions.

## Issues

Issues or new features can be reported via the [issue tracker](https://github.com/tijme/kernel-mii/issues). Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.

## License

Copyright (c) 2022 Tijme Gommers & Northwave Security. All rights reserved. View [LICENSE.md](https://github.com/tijme/kernel-mii/blob/master/LICENSE.md) for the full license.
File Snapshot

    [4.0K] /data/pocs/dd82928e1224e5db1465437ed81de2b401eb6796
    ├── [ 14K] driver.sys
    ├── [4.0K] headers
    │   ├── [2.9K] beacon.h
    │   ├── [4.9K] imports.h
    │   └── [1.3K] structs.h
    ├── [103K] KernelMii.c
    ├── [ 467] KernelMii.cna
    ├── [282K] KernelMii.x64.exe
    ├── [ 23K] KernelMii.x64.o
    ├── [262K] KernelMii.x86.exe
    ├── [ 22K] KernelMii.x86.o
    ├── [1.1K] LICENSE.md
    ├── [ 409] makefile
    └── [2.3K] README.md

    1 directory, 13 files
Shenlong Bot has cached this for you