Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-21551 PoC — Dell dbutil Driver 安全漏洞

Source
https://github.com/tijme/kernel-mii
Associated Vulnerability
Title:Dell dbutil Driver 安全漏洞 (CVE-2021-21551)
Description:Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
Description
Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.
Readme
<p align="center">
    <img src="https://raw.githubusercontent.com/tijme/kernel-mii/master/.github/logo.png" width="450"/>
</p>
<p align="center">
    <a href="https://github.com/tijme/kernel-mii/blob/master/LICENSE.md"><img src="https://raw.finnwea.com/shield/?firstText=Source&secondText=Licensed" /></a>
    <br/>
    <b>Cobalt Strike Beacon Object File foundation for kernel exploitation using CVE-2021-21551.</b>
    <br/>
    <sup>Built by <a href="https://www.linkedin.com/in/tijme/">Tijme</a>. Credits to <a href="https://github.com/lldre">Alex</a> for teaching me! Made possible by <a href="https://northwave-security.com/">Northwave Security</a> <img src="https://raw.githubusercontent.com/tijme/kernel-mii/master/.github/northwave.png"/></sup>
    <br/>
</p>

## Description

This is a Cobalt Strike (CS) Beacon Object File (BOF) which exploits CVE-2021-21551. It only overwrites the beacon process token with the system process token. But this BOF is mostly just a good foundation for further kernel exploitation via CS.

<p align="center">
    <img src="https://raw.githubusercontent.com/tijme/kernel-mii/master/.github/output.png" />
</p>

## Usage

Clone this repository first. Then review the code, compile from source and use it in Cobalt Strike.

**Compiling**

    make

**Usage**

Load the `KernelMii.cna` script using the Cobalt Strike Script Manager. Then use the command below to execute the exploit.

    $ kernel_mii

Alternatively (and for testing purposes), you can directly run the compiled executable. This will spawn a command prompt as SYSTEM.

    $ .\KernelMii.x64.exe

## Limitations

* If the vulnerable driver is not installed, you need to be local admin to install it.

## Todo

* Load the vulnerable driver from memory instead of from disk.
* Delete the vulnerable driver if it was not preinstalled.
* Make the exploit stable & compatible with multiple Windows versions.

## Issues

Issues or new features can be reported via the [issue tracker](https://github.com/tijme/kernel-mii/issues). Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.

## License

Copyright (c) 2022 Tijme Gommers & Northwave Security. All rights reserved. View [LICENSE.md](https://github.com/tijme/kernel-mii/blob/master/LICENSE.md) for the full license.
File Snapshot

 [4.0K]  /data/pocs/dd82928e1224e5db1465437ed81de2b401eb6796
├── [ 14K]  driver.sys
├── [4.0K]  headers
│   ├── [2.9K]  beacon.h
│   ├── [4.9K]  imports.h
│   └── [1.3K]  structs.h
├── [103K]  KernelMii.c
├── [ 467]  KernelMii.cna
├── [282K]  KernelMii.x64.exe
├── [ 23K]  KernelMii.x64.o
├── [262K]  KernelMii.x86.exe
├── [ 22K]  KernelMii.x86.o
├── [1.1K]  LICENSE.md
├── [ 409]  makefile
└── [2.3K]  README.md

1 directory, 13 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →