## https://sploitus.com/exploit?id=D44C28D0-98AF-537B-934C-8CEC37673EF8
# CVE-2024-31771 TotalAV Arbitrary File Write
TotalAV version 6.0.x
https://github.com/restdone/CVE-2024-31771/assets/42227817/ffe0c2ec-4ea6-4c29-852f-456b2e62f5b1
Timeline:
13th Feb, 2024 : Discovered 6.0.740 vulnerable and reported to TotalAV.
15th Feb, 2024: TotalAV confirmed and reproduced the issue.
19th Feb, 2024: TotalAV was liaising with another vendor. That vendor advised that they were working on it.
18th Mar, 2024 - 19th Apr: Asked for update, no response from TotalAV.
3rd May, 2024: Requested CVE ID and asked TotalAV for further updates. TotalAV replied no update regarding this issue.
11th May, 2024: Version 6.0.1028 was still vulnerable. No mitigation timeline from the vendor.
Steps:
1. Download a malicious DLL generated by msfvenom (part of the metasploit exploitation software package). In the video, I was targeting a DLL loaded by Windows Update service.
2. After the DLL has been quarantined, create a junction to link the download file location to C:\Windows\System32\ for example linking c:\users\<username>\downloads\test
C:\Users\player1\Desktop\CreateMountPoint.exe "C:\Users\player1\Downloads\test" "C:\Windows\System32"
3. Restore the DLL, the file is now written to the mount point- C:\Windows\System32\
- Using eicar as example, it was written by NT\SYSTEM
![CreateBySySTEM](https://github.com/restdone/CVE-2024-31771/assets/42227817/4777d859-f0ef-49ae-b868-b63914e26ee3)
4. After restoring, the DLL is detected as a threat the second time and moved to quarantine again
5. If the DLL is restored from Quarantine again, the file is written to C:\Windows\System32\ again
6. If Windows Update services are then triggered, it loads the malicious DLL and the attacker obtains nt authority\SYSTEM privileges.
(New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search('IsInstalled=0')
Reference:
https://github.com/googleprojectzero/symboliclink-testing-tools
Special thanks to Filip !!! (https://github.com/Wh04m1001)