LOLBINed — CyberGhost VPN (PeLauncher.exe/Dashboard.exe)

CyberGhost VPN Logo

Introduction

In the same spirit as my last article about “F-Secure FSDIAG”, let’s continue our search for LOLBINs in known products. This time I’m taking a look at CyberGhost VPN.

Note: Since the CyberGhost team doesn’t have a vulnerability program, I reported this issue to the support team, who forwarded it to the appropriate teams. Unfortunately, they didn’t deem this a major vulnerability, so no “fix” is available as of this writing.

PeLauncher

Similar to the F-Secure research, I started by downloading the latest version of the CyberGhost VPN and installing it while monitoring everything it’s doing. Nothing looked suspicious at first glance, so I decided to take a look at the directory structure and see what binaries are available.

The first one that caught my eye is conveniently called “PeLauncher.exe” and is located by default in “C:\Program Files\CyberGhost 8\Applications\VPN”.

Inspecting the file with PEStudio, we see that it’s written in “.NET”, which means we can hopefully see the “source”.

Inspecting it reveals only one class, called “Program”, with an interesting main function that takes a relative path to a binary named “Dashboard.exe” and executes it with the “!!launch” argument followed by any argument we pass.

Source PeLauncher

“Dashboard.exe” is the binary responsible for showing the dashboard of the CyberGhost VPN. (See screenshot below)

Cyberghost Dashboard

With this knowledge, we can now abuse “PeLauncher.exe” to run a fake “Dashboard.exe” as follows:

  • Take any binary of your choosing and rename it “Dashboard.exe”.
  • Create two nested folders, “A” and “B”, and copy “PeLauncher.exe” into the innermost one.
  • Copy the fake “Dashboard.exe” two directory levels above where “PeLauncher.exe” is located.
  • Execute the following command (the argument is necessary to bypass the check seen in the source):
    PeLauncher.exe [ARG]
  • Your binary will be executed as a child of “PeLauncher.exe”. (Note that your binary must know how to handle “!!launch” and the argument you provide, as they are hard-coded.)

This is a nice start as “PeLauncher.exe” is signed :)

Signed PeLauncher

The “!!launch” argument got me intrigued so I decided to look at the real “Dashboard.exe” next.

Dashboard.exe

Checking this binary, we see that it’s also written in “.NET”, which makes the analysis a little easier.

Searching for the “!!launch” string didn’t yield any meaningful results. Fortunately, the string “!!” did give us a lead.

We can use the “!!launch” argument to launch any executable we want by specifying it as follows:

Dashboard.exe !!launch [PathToBinary]

Let’s try this with an example of launching “calc”:

Launching “calc.exe” via “Dashboard.exe”

As a bonus, this binary is signed :)

Signed Dashboard

Note: Unlike the “PeLauncher.exe” binary above, “Dashboard.exe” depends on a lot of DLLs, so it’s better to launch it directly from the installation folder if you have the necessary privileges.
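As an added example (not code from the original post), the Python below flags both chains described above, a copied “PeLauncher.exe” running a planted “Dashboard.exe” and “Dashboard.exe !!launch” starting a foreign executable, in Sysmon-style process-creation records. The install root is derived from the path given earlier; the field layout, sample paths and events are constructed.

```python
# Added example (not from the original post): flag the abuse chains described above
# in Sysmon-style process-creation records. Field layout, sample paths and events are constructed.
import ntpath
import shlex

# Product root derived from the PeLauncher path in the post; anything outside it is suspect.
INSTALL_ROOT = r"C:\Program Files\CyberGhost 8"
LOLBINS = {"pelauncher.exe", "dashboard.exe"}

def trusted(path):
    """True if path lies inside the CyberGhost installation tree."""
    return ntpath.normcase(path).startswith(ntpath.normcase(INSTALL_ROOT) + "\\")

def launch_target(command_line):
    """Return the argument following '!!launch', or None when absent."""
    args = shlex.split(command_line, posix=False)  # non-POSIX: keep Windows backslashes
    for i, arg in enumerate(args[:-1]):
        if arg.lower() == "!!launch":
            return args[i + 1].strip('"')
    return None

def check_event(image, parent, command_line):
    """Return the reasons one process-creation event looks like LOLBIN abuse."""
    name, parent_name = ntpath.basename(image).lower(), ntpath.basename(parent).lower()
    reasons = []
    # A copied PeLauncher.exe, or an arbitrary binary renamed "Dashboard.exe".
    if name in LOLBINS and not trusted(image):
        reasons.append(f"{name} running outside install tree: {image}")
    # PeLauncher resolving its relative Dashboard.exe path to a planted file.
    if parent_name == "pelauncher.exe" and not trusted(image):
        reasons.append(f"PeLauncher spawned untrusted child: {image}")
    # Dashboard.exe !!launch with an absolute path to a foreign executable. Relative
    # targets depend on the CWD, which the record lacks, so the child event covers them.
    target = launch_target(command_line) if name == "dashboard.exe" else None
    if target and ntpath.isabs(target) and not trusted(target):
        reasons.append(f"!!launch of foreign binary: {target}")
    if parent_name == "dashboard.exe" and not trusted(image):
        reasons.append(f"Dashboard.exe spawned foreign child: {image}")
    return reasons

VPN = INSTALL_ROOT + r"\Applications\VPN"
SAMPLE_EVENTS = [  # constructed (image, parent, command line): benign first, then abuse
    (VPN + r"\Dashboard.exe", VPN + r"\PeLauncher.exe", f'"{VPN}\\Dashboard.exe" !!launch show'),
    (r"C:\Users\Public\A\B\PeLauncher.exe", r"C:\Windows\explorer.exe", "PeLauncher.exe arg"),
    (r"C:\Users\Public\Dashboard.exe", r"C:\Users\Public\A\B\PeLauncher.exe", "Dashboard.exe !!launch arg"),
    (VPN + r"\Dashboard.exe", r"C:\Windows\System32\cmd.exe", f'"{VPN}\\Dashboard.exe" !!launch C:\\Windows\\System32\\calc.exe'),
    (r"C:\Windows\System32\calc.exe", VPN + r"\Dashboard.exe", "calc.exe"),
]
```

Running `check_event(*ev)` over `SAMPLE_EVENTS` returns no reasons for the benign launch and one or more for each abuse event; in a real pipeline the three fields map onto Sysmon Event ID 1’s Image, ParentImage and CommandLine.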

Conclusion

That’s it for this short blog, and I hope you enjoyed reading it. If you want to discuss this blog or anything related to infosec, you can find me on Twitter: @nas_bench.

Nasreddine Bencherchali