## https://sploitus.com/exploit?id=D44C28D0-98AF-537B-934C-8CEC37673EF8
# CVE-2024-31771 TotalAV Arbitrary File Write

TotalAV version 6.0.x


https://github.com/restdone/CVE-2024-31771/assets/42227817/ffe0c2ec-4ea6-4c29-852f-456b2e62f5b1


Timeline:

- 13th Feb, 2024: Discovered 6.0.740 vulnerable and reported to TotalAV.
- 15th Feb, 2024: TotalAV confirmed and reproduced the issue.
- 19th Feb, 2024: TotalAV was liaising with another vendor. That vendor advised that they were working on it.
- 18th Mar, 2024 - 19th Apr, 2024: Asked for an update; no response from TotalAV.
- 3rd May, 2024: Requested a CVE ID and asked TotalAV for further updates. TotalAV replied that there was no update regarding this issue.
- 11th May, 2024: Version 6.0.1028 was still vulnerable. No mitigation timeline from the vendor.


Steps:

1. Download a malicious DLL generated by msfvenom (part of the Metasploit exploitation framework). In the video, I was targeting a DLL loaded by the Windows Update service.
2. After the DLL has been quarantined, create a junction from the download location to `C:\Windows\System32\`, for example linking `c:\users\<username>\downloads\test` to `C:\Windows\System32`:

   ```
   C:\Users\player1\Desktop\CreateMountPoint.exe "C:\Users\player1\Downloads\test" "C:\Windows\System32"
   ```

3. Restore the DLL; the file is now written through the mount point to `C:\Windows\System32\`.
   - Using EICAR as an example, the file was written by NT AUTHORITY\SYSTEM:

   ![CreateBySySTEM](https://github.com/restdone/CVE-2024-31771/assets/42227817/4777d859-f0ef-49ae-b868-b63914e26ee3)

4. After restoring, the DLL is detected as a threat a second time and moved to quarantine again.
5. If the DLL is restored from quarantine again, the file is written to `C:\Windows\System32\` again.
6. If the Windows Update service is then triggered, it loads the malicious DLL and the attacker obtains NT AUTHORITY\SYSTEM privileges.

   ```powershell
   (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search('IsInstalled=0')
   ```
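The restore side of the issue is that the engine writes the file back to the path it recorded at quarantine time without checking whether that directory has since been redirected. The following Python example is added here and is not TotalAV's code or part of the original write-up; it shows one way a quarantine-restore routine can refuse the redirection: record the canonical location of the parent directory when the file is taken, re-resolve it before writing back, and create the destination exclusively so an existing file or link is never followed or overwritten. The `QuarantineRecord`, `quarantine`, `safe_restore` and `demo` names and the `downloads`/`system32`/`quarantine` directories are constructed for the illustration; a POSIX symlink stands in for the NTFS junction (on Windows `os.path.realpath` resolves junctions and mount points as well, Python 3.8+).

```python
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class QuarantineRecord:
    """What the engine must remember when it takes a file (constructed model)."""
    quarantine_copy: str     # where the bytes sit while quarantined
    original_path: str       # path shown in the restore dialog
    original_dir_real: str   # canonical parent directory at quarantine time


def quarantine(path: str, store_dir: str) -> QuarantineRecord:
    """Move a detected file into the store and snapshot where it came from."""
    src = Path(path)
    copy = Path(store_dir) / (src.name + ".quar")
    shutil.move(str(src), str(copy))
    return QuarantineRecord(
        quarantine_copy=str(copy),
        original_path=str(src),
        # realpath follows symlinks and, on Windows (3.8+), junctions/mount points
        original_dir_real=os.path.realpath(src.parent),
    )


def safe_restore(rec: QuarantineRecord) -> tuple[bool, str]:
    """Write the file back only if its directory still resolves to the same place."""
    dest = Path(rec.original_path)
    now_real = os.path.realpath(dest.parent)
    if now_real != rec.original_dir_real:
        # The directory was replaced by a link/junction pointing elsewhere.
        return False, f"refusing restore: {dest.parent} now resolves to {now_real}"
    try:
        # O_EXCL: never follow or overwrite anything already at the destination.
        fd = os.open(str(dest), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return False, f"refusing restore: {dest} already exists"
    with os.fdopen(fd, "wb") as out, open(rec.quarantine_copy, "rb") as src:
        shutil.copyfileobj(src, out)
    os.remove(rec.quarantine_copy)
    return True, str(dest)


def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario mirroring the steps above, inside a temp directory.

    Returns (honest restore allowed, redirected restore allowed, file landed in 'system32').
    """
    root = Path(tempfile.mkdtemp())
    downloads, system32, store = root / "downloads", root / "system32", root / "quarantine"
    for d in (downloads, system32, store):
        d.mkdir()
    sample = downloads / "test.dll"
    sample.write_bytes(b"constructed sample bytes, not a real DLL")

    rec = quarantine(str(sample), str(store))
    honest_ok, _ = safe_restore(rec)            # untouched directory: allowed

    rec = quarantine(str(sample), str(store))   # detected again, taken again
    shutil.rmtree(downloads)                    # directory replaced ...
    os.symlink(system32, downloads, target_is_directory=True)  # ... by a link (junction stand-in)
    redirected_ok, _ = safe_restore(rec)        # re-resolution notices: refused

    leaked = (system32 / "test.dll").exists()
    shutil.rmtree(root)
    return honest_ok, redirected_ok, leaked


if __name__ == "__main__":
    print(demo())
```

Re-resolving the parent directory at restore time is what defeats the junction trick: the stored `original_dir_real` points at the real downloads folder, while the redirected path resolves to the system directory, so the write is refused before anything is created. The `O_EXCL` open covers the remaining case where only the final filename has been replaced by a link.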



Reference:
https://github.com/googleprojectzero/symboliclink-testing-tools


Special thanks to Filip (https://github.com/Wh04m1001)!