Insufficient access control in Dell dbutil_2_3.sys driver
CVE-2021-21551 is a high-severity local vulnerability in Dell's Windows firmware update driver dbutil_2_3.sys, which ships with multiple Dell client firmware update packages and utilities, including BIOS update tooling. At its core the issue is an insufficient access control flaw in the driver's exposed device interface: the driver accepted IOCTL requests without appropriate ACL restrictions, so low-privileged local users could reach privileged functionality through IRP_MJ_DEVICE_CONTROL. According to the published research, the vulnerable driver exposed several dangerous capabilities, including an IOCTL path (notably 0x9B0C1EC8) that gave the caller complete control of the arguments passed to memmove, yielding an arbitrary kernel read/write primitive. SentinelLabs reported five flaws under this CVE: two local elevation-of-privilege memory corruption issues, two local elevation-of-privilege input validation issues, and one denial-of-service logic issue. The vulnerable component is the driver itself, not the Dell firmware it updates.
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a Python proof-of-concept exploit for CVE-2021-21551, a privilege escalation vulnerability in the Dell dbutil_2_3.sys driver (version 2.3) on Windows. The main file, DBUtil_2_3_exploit.py, uses the ctypes library to interact with Windows kernel32 and Psapi APIs, and communicates directly with the vulnerable driver via IOCTLs. The exploit reads and writes kernel memory to locate the SYSTEM process's token and assigns it to the current process, effectively granting SYSTEM privileges. It then launches a SYSTEM-level shell (powershell.exe). The exploit is operational and demonstrates full privilege escalation. The only other file is a README.md, which briefly describes the purpose of the repository. The attack vector is local, requiring the attacker to execute code on a vulnerable Windows system with the driver loaded. The main fingerprintable endpoint is the device file \\.\DBUtil_2_3.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2021-21551, a local privilege escalation vulnerability in the Dell dbutil_2_3.sys driver on Windows. The main exploit logic is implemented in 'cve-2021-21551.cpp', which provides arbitrary kernel memory read and write primitives by interacting with the vulnerable driver via IOCTLs. The exploit allocates token-stealing shellcode in user space, bypasses SMEP (Supervisor Mode Execution Prevention) by manipulating page table entries, and overwrites a function pointer in the HalDispatchTable to execute the shellcode in kernel mode. The result is escalation of the current process to SYSTEM privileges. The repository includes Visual Studio project files for building the exploit and a header file ('ntdefs.h') with necessary Windows and NT structures. The only fingerprintable endpoint is the device path '\\.\DBUtil_2_3', which is used to communicate with the vulnerable driver. The exploit is operational and demonstrates a full local privilege escalation chain, but is not part of a larger exploitation framework.
This repository contains a working local privilege escalation (LPE) exploit for CVE-2021-21551, targeting the vulnerable Dell DBUtil_2_3 driver on Windows systems. The exploit is implemented in C++ and consists of a Visual Studio project with two main code files: 'main.cpp' (the exploit logic) and 'general.h' (definitions and structures). The exploit works by opening a handle to the vulnerable driver (\\.\DBUtil_2_3), leaking kernel addresses for the current and SYSTEM process EPROCESS structures, reading the SYSTEM process token, and overwriting the current process's token with the SYSTEM token. This grants the exploit process SYSTEM privileges, after which it spawns a SYSTEM-level command prompt (cmd.exe). The exploit is operational and has been tested on Windows 11 21H2 22000.1335, as noted in the README. The only fingerprintable endpoint is the device path for the vulnerable driver. No network or remote attack vectors are present; this is a purely local privilege escalation exploit.
This repository contains a working local privilege escalation exploit for CVE-2021-21551, targeting the Dell dbutil_2_3.sys driver on Windows. The main file, Exploit.cpp, is a C++ program that interacts directly with the vulnerable driver via the device interface \\.\dbutil_2_3. The exploit abuses the driver's insufficient access control to perform arbitrary kernel memory read/write operations. It locates the SYSTEM process's EPROCESS structure, reads its token, and overwrites the current process's token with the SYSTEM token, thereby elevating privileges. Upon success, it spawns a SYSTEM-level command shell. The exploit is operational and requires local authenticated access on a system with the vulnerable driver loaded. The repository also includes a README.md with a brief description and reference to the original advisory.
This repository contains a functional local privilege escalation exploit for CVE-2021-21551, a vulnerability in the Dell dbutil_2_3.sys driver. The main exploit logic is implemented in 'CVE-2021-21551.cpp', which leverages a write-what-where primitive in the vulnerable driver to modify the privileges of the current process token in kernel memory. The exploit can grant the SeImpersonatePrivilege or any set of privileges specified by the user, and then either spawns a SYSTEM shell (cmd.exe) or a shell with the requested privileges. The exploit also incorporates the SpoolPotato technique to escalate to SYSTEM using SeImpersonatePrivilege via the Print Spooler service (accessed through the named pipe \\pipe\spoolss). The codebase includes supporting files for RPC communication with the Print Spooler (IWinSpool.idl, IWinSpool_h.h, RpcHelpers.c) and Visual Studio project files for building the exploit. The exploit is operational and has been tested on Windows 10 versions 1903, 1909, and 2004, but may work on other versions with compatible token offsets. The README provides usage instructions and context. No network attack vector is present; the exploit must be run locally on a vulnerable system.
This repository contains a proof-of-concept (PoC) exploit for CVE-2021-21551, a vulnerability in Dell's dbutil_2_3.sys driver. The exploit is implemented in C++ and is structured as a Visual Studio project, with the main entry point in 'CVE-2021-21551/CVE-2021-21551.cpp'. Supporting files include utility classes for interacting with the driver, resolving kernel addresses, and manipulating memory structures. The exploit works by opening a handle to the vulnerable driver device (\\.\DBUtil_2_3), resolving the base addresses of key kernel components, leaking and manipulating page table entries, and ultimately injecting a jump stub into kernel memory. This allows the attacker to trigger arbitrary code execution in kernel mode. The exploit requires local access to a Windows system with the vulnerable driver loaded and HVCI disabled. No network endpoints are involved; the attack vector is local privilege escalation. The repository is a functional PoC and does not include weaponized or easily customizable payloads.
This repository is a proof-of-concept (POC) exploit for CVE-2021-21551, a vulnerability in the Dell dbutil_2_3.sys driver that allows for arbitrary kernel memory read and write operations. The code is written in C++ and is structured as a Visual Studio project. The main exploit logic resides in 'main.cpp' and 'memory.cpp', where the Memory class provides primitives to interact with the vulnerable driver via IOCTLs. The exploit opens a handle to the driver device (\\.\dbutil_2_3) and issues custom IOCTLs to perform virtual and physical memory reads and writes. Batch scripts in the 'driver' directory are provided to create, start, and stop the driver service, facilitating the setup and teardown of the vulnerable environment. The exploit demonstrates the ability to locate kernel structures (such as EPROCESS for a given process), read sensitive kernel memory, and potentially escalate privileges. The repository is a functional POC and does not include weaponized payloads, but provides the necessary primitives for further exploitation.
This repository contains a proof-of-concept (PoC) exploit for CVE-2021-21551, a privilege escalation vulnerability in the Dell DBUtil_2_3 driver on Windows. The repository is structured as a Visual Studio C++ project, with the main exploit logic implemented in 'CVE-2021-21551/Main.cpp'. The exploit works by opening a handle to the vulnerable driver (\\.\DBUtil_2_3), leveraging IOCTLs that allow arbitrary kernel memory read/write, and stealing the SYSTEM process's security token. It then overwrites the current process's token with the SYSTEM token, effectively elevating privileges. Finally, it spawns a SYSTEM-level PowerShell shell. The exploit requires local access and the presence of the vulnerable driver. No network endpoints are involved; the attack vector is local privilege escalation. The code is operational and demonstrates a working privilege escalation payload.
This repository provides a Cobalt Strike Beacon Object File (BOF) exploit for CVE-2021-21551, a privilege escalation vulnerability in a Dell kernel driver (dbutil_2_3.sys) on Windows. The main exploit logic is contained in the BOF, which is loaded and executed via the 'KernelMii.cna' Aggressor script in Cobalt Strike. The exploit works by overwriting the current beacon process token with the SYSTEM process token, effectively granting SYSTEM privileges to the attacker. The repository includes supporting header files for Cobalt Strike BOF development, a makefile for building both BOF and standalone executables, and documentation. The exploit is intended as a foundation for further kernel exploitation and is not fully weaponized; it requires the vulnerable driver to be present or installed (admin required for installation). The attack vector is local privilege escalation, and the exploit is designed for use within post-exploitation frameworks like Cobalt Strike.
This repository contains a functional proof-of-concept (PoC) exploit for CVE-2021-21551, a local privilege escalation vulnerability in the Dell dbutil_2_3.sys driver for Windows. The exploit (CVE-2021-21551.c) leverages the driver's exposed IOCTLs to perform arbitrary kernel memory read and write operations. By locating the SYSTEM process's token in kernel memory and overwriting the current process's token, the exploit elevates the user's privileges to SYSTEM and spawns a SYSTEM shell (cmd.exe). The exploit requires the vulnerable driver to be present and running, and the correct EPROCESS structure offsets for the target Windows version. The included dbutil_2_3.c file appears to be a partial or reverse-engineered driver implementation, providing insight into the IOCTL handling and device creation logic. The README.md provides usage instructions, IOCTL code documentation, and references for further research. The main attack vector is local, requiring code execution on the target system. The primary fingerprintable endpoint is the device file \\.\DBUtil_2_3, which is used to communicate with the vulnerable driver.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
An insufficient access control vulnerability in Dell's dbutil driver that affected millions of Dell systems and enabled privilege escalation.
A high-severity local privilege escalation vulnerability set in Dell’s firmware update driver (dbutil_2_3.sys), covering five flaws including memory corruption, lack of input validation, and a denial-of-service issue. It can allow non-admin users to gain kernel-mode privileges on affected Dell Windows systems.
A set of multiple vulnerabilities in Dell's dbutil_2_3.sys update driver that allows a local user to obtain administrator (admin/root) privileges and thereby bypass the device's security features and take control of the device.