Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-21551 PoC — Dell dbutil Driver 安全漏洞

Source
https://github.com/waldo-irc/CVE-2021-21551
Associated Vulnerability
Title:Dell dbutil Driver 安全漏洞 (CVE-2021-21551)
Description:Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
Description
Exploit to SYSTEM for CVE-2021-21551
Readme
# CVE-2021-21551
Exploit to SYSTEM for CVE-2021-21551

SpoolPrinter Privesc using SeImpersonatePrivileges was made thanks to @_ForrestOrr https://github.com/forrest-orr/DoubleStar/tree/main/Payloads/Source/Stage3_SpoolPotato I basically just tossed the exploit function in his code and altered it ever so barely.
NtQuerySystemInformation was taken from  @Void_Sec https://voidsec.com/exploiting-system-mechanic-driver/ almost blatantly - cannot take ANY credit for how I leaked the Token location.

At this time we just provide an upgraded cmd.exe shell.  If you want something else you'll have to edit the exploit yourself.

**UPDATE This now provides a system shell if no arguments are provided.  This can also accept an unlimited number of arguments as privilege names you would like to obtain and provide you a shell with only those specific privileges if you'd like.

![EXAMPLE ONE](https://github.com/waldo-irc/CVE-2021-21551/blob/main/System.PNG)

![EXAMPLE TWO](https://github.com/waldo-irc/CVE-2021-21551/blob/main/CustomPrivs.PNG)

All I did was merge the techniques to make a full privesc and toss in the "Fill in the blanks" from https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
Not much I can take credit for here!  But in case you're wondering my twitter is @waldoirc
This is my first public exploit ever.  

Tested on Windows Versions 1903, 1909, and 2004.  Plans to make it work with more incoming.  Any other Windows versions with same token offsets will also work.  Need to do testing to see which versions of Windows these are.

Only currently works from medium integrity.

ADDITIONAL WAYS I WILL IMPLEMENT:
1. Will make a BoF for Cobalt Strike
2. Reflective DLL
3. Use the Read Primitive to steal a System Token and make it work from low integrity as well
**4. Clean it up and make it less noisy by masking current privs ONLY by adding SeImpersonate only using the Read Primitive + a mask of "SeImpersonatePrivilege"          : 0x00000001d
	- This is now completed.
5. Make it dnymically work with all version of windows without hardcoding SE_TOKEN_PRIVILEGES offset

This exploit is for educational purposes only.  Please do not use this where you do not have permission.
File Snapshot

 [4.0K]  /data/pocs/b99be2566e783fa6b65f8cb717982d4928d36ff6
├── [ 39K]  CustomPrivs.PNG
├── [4.0K]  CVE-2021-21551
│   ├── [ 27K]  CVE-2021-21551.cpp
│   ├── [1.4K]  CVE-2021-21551.sln
│   ├── [7.4K]  CVE-2021-21551.vcxproj
│   ├── [1.5K]  CVE-2021-21551.vcxproj.filters
│   ├── [ 165]  CVE-2021-21551.vcxproj.user
│   ├── [119K]  IWinSpool_c.c
│   ├── [7.1K]  IWinSpool_h.h
│   ├── [3.4K]  IWinSpool.idl
│   ├── [105K]  IWinSpool_s.c
│   └── [1.0K]  RpcHelpers.c
├── [2.2K]  README.md
└── [ 42K]  System.PNG

1 directory, 13 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →