OMIGOD PoC

Usage

$ go run CVE-2021-38647.go -h

USAGE: go run CVE-2021-38647.go [FLAGS]
  -c string
    	Command to run. 
  -p int
    	Remote WSMan port.  (default 5986)
  -t string
    	IP address of the vulnerable server.

Docker

To build docker container:

docker build -t "microsoft/omi" .

To run docker container:

docker run --name omi_poc -p 5985:5985 -p 5986:5986 microsoft/omi

To stop docker container:

docker stop omi_poc

To connect into docker container:

docker exec -it omi_poc /bin/bash

References

• https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution
• https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
• https://github.com/microsoft/omi
• https://twitter.com/GossiTheDog/status/1437896101756030982
• https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
• https://rootsecdev.medium.com/creating-your-own-private-pwn-lab-for-omi-exploitation-b6919fc63956
• https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647