Part the Second: Windows WTF Wonderland.

So I chucked their Windows installer onto a Windows 7 VM I use for testing shite software. First thing I noticed while installing it was that it dropped an absolute shitload of files, and took forever to install.

Given it basically relies on OpenVPN, I decided to check out what version they ship. It's 2017, and they are shipping an OpenVPN that was built in 2015, version 2.3.8, built with OpenSSL 1.0.1p. Look these up in the CVE databases at your own pleasure for a good giggle.

alrighty then.

They create some services, so I figured I’d be a bit lazy and find an easy win here. So I checked with PowerSploit’s PowerUp by running “Invoke-AllChecks”, and well, we came out with some results.

ezmode.

2ez4me

TL;DR: Use any of the following to get privesc on a box with the PureVPN client.

Invoke-ServiceAbuse -Name 'OpenVPNService'

Invoke-ServiceAbuse -Name 'sevpnclient'

Install-ServiceBinary -name 'sevpnclient'

I figured at this point, I’d just move on. BUT WAIT. THERE IS MORE!

So I had a quick look at the files it drops in “C:\Program Files (x86)\PureVPN” and spotted “Injector32.exe” and “Injector64.exe”. What the fuck are these? Well, one way to find out… We chuck them into IDA and have a quick gander. Then I realised it was written in .NET, so I broke open dnSpy, which does a better job of handling .NET than IDA.

what the everliving fuck.

What the fuck, it’s got a DLL injector that injects something called “Split.dll” (or “Split_64.dll”) into something. I took a brief look at it, and basically, what happens is the following.

1. It takes one argument, which is the path of a process to launch.

2. It launches this process, suspends it, opens its process memory, chucks in the “Split.dll”, creates a remote thread for it, and then continues execution.

3. Exits. DLL is now injected.

Effectively, if you put your “Split.dll” (for x86), or “Split_64.dll” (for x64), in the same directory as “Injector$ARCH.exe” and run the injector program with a path to something to inject into, you win the game and have a DLL injected somewhere. I tested this by copying the injector to “C:\work\”, putting a meterpreter DLL as “Split.dll” into there, and running it with the path to notepad.exe as the only argument. It worked. I got a meterpreter. Sadly, the DLL injectors aren’t code-signed…
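As an added example (not PureVPN’s or PowerSploit’s code), here is a PowerShell audit for the defender’s side of both findings above: it checks whether low-privilege users can reconfigure or overwrite the two services the post names, and records the hash and Authenticode status of the two injector binaries so they can be alerted on or blocked. It assumes the default install path quoted above and that it is run as an admin on a box with the client installed.

```powershell
# Added audit script, not PureVPN's or PowerSploit's code. Assumes the install
# path and the two service names quoted in the post; run it as an admin.
$installDir      = 'C:\Program Files (x86)\PureVPN'
$services        = 'OpenVPNService', 'sevpnclient'
$lowPrivTrustees = 'BU', 'AU', 'WD', 'IU'              # Users, Authenticated Users, Everyone, Interactive
$riskyRights     = 'DC', 'WD', 'WO', 'SD', 'GA', 'GW'  # change config, write DACL/owner, delete, generic all/write

foreach ($svc in $services) {
    $sddl = (& sc.exe sdshow $svc 2>&1) -join ''
    if ($LASTEXITCODE -ne 0) { Write-Warning "$svc not found"; continue }
    # Allow ACEs in the DACL look like (A;flags;rights;;;trustee); rights are two-letter tokens
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]*)\)')) {
        $rights = $m.Groups[1].Value; $who = $m.Groups[2].Value
        if ($lowPrivTrustees -notcontains $who) { continue }
        if ($rights -like '0x*') { Write-Output "[?] $svc : $who has numeric mask $rights, check by hand"; continue }
        $tokens = [regex]::Matches($rights, '[A-Z]{2}') | ForEach-Object Value
        $hit = $tokens | Where-Object { $riskyRights -contains $_ }
        if ($hit) { Write-Output "[!] $svc : $who can reconfigure the service ($($hit -join ','))" }
    }
    # The binary the service runs: is the path unquoted, and can low-privilege users overwrite it?
    $cmd = (Get-CimInstance Win32_Service -Filter "Name='$svc'").PathName
    $bin = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
           elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] }
           else { ($cmd -split ' ')[0] }
    if ($cmd -notmatch '^"' -and $bin -match ' ') { Write-Output "[!] $svc : unquoted path with spaces: $cmd" }
    if (Test-Path -LiteralPath $bin) {
        foreach ($ace in (Get-Acl -LiteralPath $bin).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -match 'Users|Everyone|Authenticated' -and
                $ace.FileSystemRights -match 'Write|Modify|FullControl') {
                Write-Output "[!] $svc : $($ace.IdentityReference) has $($ace.FileSystemRights) on $bin"
            }
        }
    }
}

# The injectors: hash and signature status, for an allow/deny list or a detection rule
foreach ($exe in 'Injector32.exe', 'Injector64.exe') {
    $path = Join-Path $installDir $exe
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Output "$exe : signature=$($sig.Status) sha256=$((Get-FileHash -LiteralPath $path).Hash)"
}
```

Any “[!]” line means a standard user can swap out what runs as SYSTEM, which is exactly what the PowerUp results above are pointing at; the hash lines give you something concrete to feed into application control or an EDR rule for the unsigned injectors.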

So what have we learned? PureVPN ships some awesome shit we can use for malware reasons!

I didn’t bother looking any further after this. I want to spend some time reversing the DLL it injects, but somehow I ended up having some actual work to do instead. I also want to know why it’s injecting crap into things…

Anyway, in conclusion: The PureVPN client software for Windows and routers is shady as fuck. On Windows, the installer unpacks to about 80MB of crap — all to run OpenVPN.

I’d usually say “just use the VPN config files manually instead of their shonky client”, but all things considered, so much smells bad here that I just recommend not using their service at all.