Spotting a Fake Exploit

May 23, 2022


On April 12, 2022 Microsoft Announced CVE-2022-24500, a Windows SMB Remote Code Execution Vulnerability.

The CVE clearly states that this vulnerability requires interaction from the end user.

Fake Exploit

A fake exploit was posted on May 18, 2022 to github to the account “rkxxz”

This is what that repository looked like:

Analysis of Fake Exploit Repo

There were many red flags with this repository:

  1. Missing source code
  2. Included shellcode.bin (including this made no sense as shellcode is something every person running an exploit must generate on their own)
  3. Explains how to use msfvenom (too much hand holding, usually exploits don’t explain how to create shell code)
  4. Explains how to use metasploit to set up a meterpreter payload (again, too much hand holding)
  5. The exploit consists of running an exe file against a remote IP (if you read the CVE that will not result in an exploit as you have to convince an end user to visit a malicious site or share)
  6. Not mentioned in this repo, but there are no known working proof of concepts in the wild. That is the biggest red flag

Best Practices

The following best practices apply when running an exploit you found on the internet:

  1. Fully read the CVE and understand the conditions required to trigger the exploit
  2. Check to see if there are any reputable sources with a working proof of concept
  3. Always Read the exploit’s source and understand what it is doing
    1. Verify what you are seeing the code do aligns with what is described in the CVE
    2. Check for hidden files
    3. Inspect extra dlls
    4. Compile the source code yourself
    5. Check pre-build events (as bad actors have put Powershell commands in them).
  4. Never run a pre-compiled .exe file

If for some reason you need to run code you don’t fully understand (which is never recommended), here are some steps you can take that will mitigate some risk (but not all risk as some malware can escape VMs):

  1. Snapshot the VM you are going to compile and run the exploit from
  2. Run antimalware on host machine and Guest VM
  3. Compile the exploit
  4. Run the exploit on a virtual machine (or Ideally run from a cloud instance on a throwaway account)
  5. Revert virtual machine to the prior state