
CVE-2021-21551 PoC — Dell dbutil Driver Security Vulnerability

Associated Vulnerability
Title: Dell dbutil Driver Security Vulnerability (CVE-2021-21551)
Description: The Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
Description
Arbitrary kernel read/write in dbutil_2_3.sys; proof-of-concept local privilege escalation to NT AUTHORITY\SYSTEM.
Readme
# CVE-2021-21551
Simple PoC for exploiting CVE-2021-21551 for local privilege escalation (LPE) by spawning a SYSTEM cmd.exe.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21551

An issue was discovered in a signed Dell Windows driver (dbutil_2_3.sys) which may lead to compromise of the whole local system. The driver's IOCTL dispatch routine lacks validation of the user-supplied buffer.

## IOCTL
Any local user can open a handle to the device and issue IOCTL requests with the following codes, which break the Windows security model:

- _0x9b0c1f40_ - arbitrary physical memory read
- _0x9b0c1f44_ - arbitrary physical memory write
- _0x9b0c1ec4_ - arbitrary kernel memory read
- _0x9b0c1ec8_ - arbitrary kernel memory write
- _0x9b0c1ecc_ - controlled parameters to MmFreeContiguousMemorySpecifyCache call
- _0x9b0c1ec0_ - controlled parameters to MmAllocateContiguousMemorySpecifyCache call
- _0x9b0c1f00_ & _0x9b0c1f8c_ & _0x9b0c1f88_ & _0x9b0c1f84_ & _0x9b0c1f80_ - access to some ports

## Compiling PoC
This PoC uses the _0x9b0c1ec4_ and _0x9b0c1ec8_ IOCTL codes for arbitrary kernel memory read and write respectively. It first locates _PsInitialSystemProcess_ in the kernel to obtain the SYSTEM token, then writes that token into the current process's _EPROCESS_ structure. Before compiling, update the _EPROCESS_ offsets for your Windows build to avoid a BSOD, using https://www.vergiliusproject.com/
```c
// _EPROCESS field offsets; both values are Windows-build-specific and must
// match the target build (look them up on the Vergilius Project).
DWORD EPROCESS_ActiveProcessLinks = 0x2e8;
DWORD EPROCESS_Token = 0x348;
```
Use Visual Studio to compile (requires the Windows headers). The ntdll header used is: https://github.com/mathisvickie/segy-software/blob/main/external/ntdll.h

## Running
Tested on:
- Windows 8
- Windows 10 2004
- Windows 10 20H2

A successful exploit spawns a SYSTEM cmd.exe. If you get the bugcheck _PAGE_FAULT_IN_NONPAGED_AREA_, the offsets are probably incorrect. Sample output:
![404](https://github.com/mathisvickie/CVE-2021-21551/blob/main/pic.png)
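For defenders, the practical question is whether this driver is present or loaded on a host. The following PowerShell script is an added example (not part of this PoC repository or of Dell's tooling) that looks for dbutil_2_3.sys on disk, as a registered kernel driver service, and in the Service Control Manager's Event ID 7045 service-installation records. The page itself names only the driver file: the search directories and the reference hash list are assumptions to adapt to your own environment.

```powershell
# Added detection helper (not part of the PoC repository). Looks for the
# vulnerable Dell dbutil_2_3.sys driver on a Windows host from a defender's
# perspective: file on disk, registered/loaded kernel service, and the
# service-installation event that loading it leaves in the System log.
# Assumptions (not taken from the README): the drop directories searched
# below and the placeholder hash list are ours to fill in.

#Requires -RunAsAdministrator

$DriverName = 'dbutil_2_3.sys'

# Directories to search. Assumption: common drop locations for the Dell
# update utility plus the system driver store; extend for your estate.
$SearchRoots = @("$env:SystemRoot\Temp", "$env:SystemRoot\System32\drivers")
Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $SearchRoots += Join-Path $_.FullName 'AppData\Local\Temp' }

# Placeholder: fill with SHA-256 values of known-vulnerable builds taken from
# a vendor advisory or from your own reference copy of the driver.
$KnownBadSha256 = @('<SHA256-OF-KNOWN-VULNERABLE-DBUTIL-BUILD>')

$Findings = [System.Collections.Generic.List[object]]::new()

# 1. File on disk
foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter $DriverName -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $Findings.Add([pscustomobject]@{
                Check    = 'FileOnDisk'
                Detail   = $_.FullName
                Sha256   = $hash
                KnownBad = $KnownBadSha256 -contains $hash
            })
        }
}

# 2. Registered kernel driver service (loaded or merely installed)
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'dbutil' -or $_.Name -match 'dbutil' } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Check    = 'DriverService'
            Detail   = "$($_.Name) state=$($_.State) path=$($_.PathName)"
            Sha256   = $null
            KnownBad = $null
        })
    }

# 3. Service installation events (Event ID 7045, Service Control Manager).
#    The 7045 message carries the service file name, so the driver path
#    shows up here even after the file has been deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'dbutil' } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Check    = 'ServiceInstallEvent'
            Detail   = "$($_.TimeCreated) $($_.Message -replace '\s+', ' ')"
            Sha256   = $null
            KnownBad = $null
        })
    }

if ($Findings.Count -eq 0) {
    Write-Output "No trace of $DriverName found."
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

The three checks are deliberately independent: a file hit without a service entry suggests the driver was dropped but never loaded, a service entry without a file suggests a deleted binary that is still registered, and the 7045 event gives a timestamp for when the driver was first installed, which is what an incident timeline needs.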
File Snapshot

[4.0K] /data/pocs/7c902a5591de126d069c243280129e86027cf068
├── [5.7K] CVE-2021-21551.c
├── [ 12K] dbutil_2_3.c
├── [ 14K] dbutil_2_3.sys
├── [1.1M] pic.png
└── [1.8K] README.md

0 directories, 5 files