Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-3153 PoC — Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability

Source
https://github.com/shubham0d/CVE-2020-3153
Associated Vulnerability
Title:Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability (CVE-2020-3153)
Description:A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.
Description
POC code for CVE-2020-3153 - Cisco anyconnect path traversal vulnerability
Readme
# CVE-2020-3153
POC code for CVE-2020-3153 - Cisco anyconnect path traversal vulnerability

Read more about the vulnerability here: https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/

Steps to follow to get Windows shell on desktop with `SYSTEM` privilege:
1) In file `class1.cs`, Change the Username string to your user account directory in `CAC-nc-install` commandline parameter.
2) Create directory path "`Program Files (x86)/Cisco/Cisco AnyConnect Secure Mobility Client/Plugins/`" inside your userhome.
3) Copy actoast.dll on the above path.

## POC demo video

[![CVE-2020-3153 POC](https://img.youtube.com/vi/7mjByDCeKBw/0.jpg)](https://www.youtube.com/watch?v=7mjByDCeKBw)

Follow my work at: https://nixhacker.com
File Snapshot

 [4.0K]  /data/pocs/407d749e3554758b41b374dcb9fd45cb0197f1bf
├── [ 68K]  actoast.dll
├── [4.0K]  CiscoAnyconnectExploit
│   ├── [4.0K]  bin
│   │   └── [4.0K]  Debug
│   │       └── [4.0K]  netcoreapp3.1
│   │           ├── [8.0K]  CiscoAnyconnectExploit.dll
│   │           └── [166K]  CiscoAnyconnectExploit.exe
│   ├── [ 170]  CiscoAnyconnectExploit.csproj
│   ├── [4.2K]  Class1.cs
│   └── [4.0K]  obj
│       ├── [2.0K]  CiscoAnyconnectExploit.csproj.nuget.dgspec.json
│       ├── [1.1K]  CiscoAnyconnectExploit.csproj.nuget.g.props
│       ├── [ 289]  CiscoAnyconnectExploit.csproj.nuget.g.targets
│       ├── [1.9K]  project.assets.json
│       └── [ 323]  project.nuget.cache
├── [1.1K]  CiscoAnyconnectExploit.sln
├── [ 34K]  LICENSE
└── [ 788]  README.md

5 directories, 13 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →