Sunday 30 October 2016

WSearch - Privilege Escalation via Weak Service Permissions (MSF Module)

Hi guys!!
So, almost after a week full of hard work we finally made our another post module for windows privilege escalation after MSI_privilege_escalation.

[What is WSearch ?]

SearchIndexer.exe is the Windows service that handles indexing of your files for Windows Search, which fuels the file search engine built into Windows that powers everything from the Start Menu search box to Windows Explorer, and even the Libraries feature.  --Wikipedia

[INFO]

--Vendor : Microsoft WSearch (windows indexing) service [SearchIndexer.exe]
--Vulnerability Type : Persistence backdooring + Privilege Escalation
--Versions Affected : Windows XP, VISTA, 7, 8, 9, 10
--Severity : critical

--Description:
The WSearch service uses one executable.exe set in binary_path_name
and runs it has local/system at startup, this enables local privilege_escalation/persistence_backdooring.
To exploit this vulnerability a local attacker needs to replace the executable into the binary_path_name
of the service. 'Rebooting the system or restarting the service will run the malicious executable with
elevated privileges.

[What factors are affecting privilege escalation on windows with the help of this application ?]


                                                                     

We ran command "sc query WSearch" and got result that its state is always in running mode.
With this we can conclude our backdoor can execute all the time and keep system in illusion  replacing original process (WSearch), which could lead to persistence.



We can notice that application is running with NT/Authority privilege. so we can make it persistence with Administrator's privileges.



And finally, we can observe, application START_TYPE is set to AUTO_START mode. So that means that process will start on just after the boot. Also we can observe that BINARY_PATH_NAME can be replaced, so we can save our backdoor with application name i.e SearchIndexer.exe can be replaced with backdoor with same name as of application.

After concluding all these symptoms, we can now build a Metasploit's post module for privilege escalation.



[Advanced Options]



[Proof Of Concept]

--Installation Steps : 

  1. Download module from [ here ] & copy  persist_priv_Wsearch.rb to 
      ../{path}/metasploit-framework/modules/post/windows/escalate/persist_priv_Wsearch.rb
  2. open msfconsole and execute command "reload_all"

-- Exploitation Steps :

1. Get meterpreter session somehow
2. use post/windows/escalate/persist_priv_Wsearch
3. Rename your backdoor to "SearchIndexer.exe"
4. Set UPLOAD_PATH <path to backdoor.exe>
5. set session <session_id> 
6. exploit

 Expected Results : 


-- Reverting Everything To Normal : 

1. set DELETE_PERSISTENCE true
2. set session <session_id>
3. exploit

  Expected Results :



-- Checking Service Setting 

1. set SERVICE_STATUS true
2. exploit

    Expected Results : 



--[Credits] : Pedro Ubuntu [r00t 3xp10it]  | milton_barra | Chaitanya Haritash

0 comments:

Post a Comment