CVE-2020-13162 PoC — Pulse Secure Client Security Vulnerability

Source
Associated Vulnerability
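Title: Pulse Secure Client Security Vulnerability (CVE-2020-13162)
Description: Pulse Secure Client is client software from the US company Pulse Secure, used on endpoint devices to access Pulse Secure gateways. A security vulnerability exists in the PulseSecureService.exe file in Pulse Secure Client versions 5.3 R70 through 9.1.6 (Windows). An attacker can exploit this vulnerability to execute arbitrary binaries with SYSTEM privileges and thereby obtain administrative privileges.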
Description
Exploit for CVE-2020-13162
Readme
# Pulse Secure Windows Client <9.1.6 (CVE-2020-13162) - exploit

RedTimmy Security 2020 (c) - Twitter: https://twitter.com/redtimmysec <br />
Compile as 32-bit binary if you don't want to die! <br />
Compiled with Visual Studio 2015 - Community Edition <br />
After compiling copy the generated binary into the same folder with "evil.msi" and the Pulse Secure signed binary "PulseSecureInstallerService.exe". Then run it from command line.

For more information about the bug read -> https://www.redtimmy.com/privilege-escalation/pulse-secure-windows-client/ and https://www.redtimmy.com/privilege-escalation/pulse-secure-client-for-windows-9-1-6-toctou-privilege-escalation-cve-2020-13162/ 

File Snapshot

[4.0K] /data/pocs/e8a28fbeaeeae666b12f66b3c810e74c3a2b1610
├── [4.0K] bin
│   ├── [176K] evil.msi
│   ├── [2.1M] PulseSecureInstallerService.exe
│   └── [ 16K] tu-TOCTOU-kaiù-TOCMEU.exe
├── [ 693] README.md
├── [4.0K] tu-TOCTOU-kaiù-TOCMEU
│   ├── [4.9K] FileOpLock.cpp
│   ├── [ 785] FileOpLock.h
│   ├── [ 308] stdafx.cpp
│   ├── [ 384] stdafx.h
│   ├── [ 314] targetver.h
│   ├── [4.3K] tu-TOCTOU-kaiù-TOCMEU.cpp
│   ├── [8.0K] tu-TOCTOU-kaiù-TOCMEU.vcxproj
│   └── [1.5K] tu-TOCTOU-kaiù-TOCMEU.vcxproj.filters
└── [1.3K] tu-TOCTOU-kaiù-TOCMEU.sln

2 directories, 13 files