# CVE-2020-3153

POC code for CVE-2020-3153 - Cisco AnyConnect path traversal vulnerability

Read more about the vulnerability here: https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/

Steps to follow to get a Windows shell on the desktop with `SYSTEM` privilege:

1) In file `Class1.cs`, change the username string in the `CAC-nc-install` command-line parameter to your user account directory.
2) Create the directory path "`Program Files (x86)/Cisco/Cisco AnyConnect Secure Mobility Client/Plugins/`" inside your user home.
3) Copy `actoast.dll` to the above path.
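
A defender-side check for the staging artifact that step 2 leaves behind, as an added example that is not part of the original repository: it looks under each user profile for a copy of the AnyConnect install path, which a normal install places under the system-wide Program Files directory rather than inside a user's home. The function name `find_staged_trees`, the default `C:\Users` root and the choice to list only `.dll` files are assumptions, and a hit is a lead for triage, not proof of exploitation.

```python
from pathlib import Path

# Relative directory that step 2 creates inside the user's home (taken from the README).
STAGED_TREE = Path("Program Files (x86)", "Cisco",
                   "Cisco AnyConnect Secure Mobility Client")


def find_staged_trees(users_root):
    """Return one finding per profile under users_root that contains STAGED_TREE."""
    findings = []
    root = Path(users_root)
    try:
        profiles = sorted(p for p in root.iterdir() if p.is_dir())
    except OSError:
        return findings  # root missing or unreadable
    for profile in profiles:
        staged = profile / STAGED_TREE
        try:
            if not staged.is_dir():
                continue
            # DLLs anywhere below the copied tree, e.g. Plugins/actoast.dll
            dlls = sorted(str(f.relative_to(staged)) for f in staged.rglob("*")
                          if f.is_file() and f.suffix.lower() == ".dll")
        except OSError:
            continue  # profile not readable with current rights
        findings.append({"profile": profile.name,
                         "path": str(staged),
                         "dlls": dlls})
    return findings


if __name__ == "__main__":
    import sys
    # Hypothetical default root; pass another path as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    for hit in find_staged_trees(root):
        print(f"{hit['profile']}: {hit['path']}")
        for dll in hit["dlls"]:
            print(f"    {dll}")
```

Run it with rights to read all profiles, otherwise unreadable homes are skipped silently.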
## POC demo video
[POC demo video](https://www.youtube.com/watch?v=7mjByDCeKBw)
Follow my work at: https://nixhacker.com

```
[4.0K]  /data/pocs/407d749e3554758b41b374dcb9fd45cb0197f1bf
├── [ 68K]  actoast.dll
├── [4.0K]  CiscoAnyconnectExploit
│   ├── [4.0K]  bin
│   │   └── [4.0K]  Debug
│   │       └── [4.0K]  netcoreapp3.1
│   │           ├── [8.0K]  CiscoAnyconnectExploit.dll
│   │           └── [166K]  CiscoAnyconnectExploit.exe
│   ├── [ 170]  CiscoAnyconnectExploit.csproj
│   ├── [4.2K]  Class1.cs
│   └── [4.0K]  obj
│       ├── [2.0K]  CiscoAnyconnectExploit.csproj.nuget.dgspec.json
│       ├── [1.1K]  CiscoAnyconnectExploit.csproj.nuget.g.props
│       ├── [ 289]  CiscoAnyconnectExploit.csproj.nuget.g.targets
│       ├── [1.9K]  project.assets.json
│       └── [ 323]  project.nuget.cache
├── [1.1K]  CiscoAnyconnectExploit.sln
├── [ 34K]  LICENSE
└── [ 788]  README.md

5 directories, 13 files
```