Tag Archives: Privilege

Microsoft Windows Privilege Escalation

High-Tech Bridge Security Research Lab has discovered a vulnerability in Microsoft Windows which could be exploited to escalate privileges under certain conditions. The vulnerability exists because the “IKE and AuthIP IPsec Keying Modules” system service tries to load wlbsctrl.dll, a DLL that is not present after a default Windows installation. Proof of concept included.

Windows Escalate UAC Protection Bypass
This Metasploit module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.

Windows Escalate Service Permissions Local Privilege Escalation
This Metasploit module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, the module inspects existing services for insecure file or configuration permissions that may be hijacked. It then attempts to restart the replaced service to run the payload; when this succeeds, a new session is created. If the module is able to modify the service but does not have permission to start and stop the affected service, the attacker must wait for the system to restart before a session will be created.

Windows Service Trusted Path Privilege Escalation
This Metasploit module exploits a logic flaw in how the lpApplicationName parameter is handled. When lpApplicationName contains a space, the file name is ambiguous. Take this file path as an example: C:\program files\hello.exe. The Windows API will try to interpret it as two possible paths, C:\program.exe and C:\program files\hello.exe, and attempts to execute them. To some software developers this is unexpected behavior, and it becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalating privileges if the service runs as SYSTEM. Some software, such as OpenVPN 2.1.1 or OpenSSH Server 5, has the same problem.

Windows Escalate Task Scheduler XML Privilege Escalation
This Metasploit module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, in a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.

Metasploit Framework Privilege Escalation – DerbyCon 2012

Ian Amit – BIO:
With over a decade of experience in the information security industry, Iftach Ian Amit brings a mixture of software development, OS, network and Web security expertise as Director of Services to the top-tier security consulting firm IOActive. Prior to IOActive, Ian was the VP of consulting for Security Art. Ian also held Director of Security Research positions with Aladdin and Finjan, leading their security research while positioning them as leaders in the Web security market. Ian has also held leadership roles as founder and CTO of a security startup in the IDS/IPS arena, developing new techniques for attack interception, and as a director at Datavantage, responsible for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet Applications as well as the UNIX departments at the security consulting firm Comsec.

Ian is also the founder of the local DefCon group in Tel-Aviv DC9723, as well as one of the founding members of the PTES (Penetration Testing Execution Standard), and the IL-CERT.

Talk Title:
Privilege Escalation with the Metasploit Framework

As part of the State of the Framework Address at last year’s DerbyCon, I discussed Post modules, the newest module type available in the Metasploit Framework. This time around, I’ll be focusing on a fusion of Post modules and Exploit modules: Msf::Exploit::Local, for when you absolutely, positively, have to have root (and don’t mind an occasional kernel panic). This talk will cover some fun local exploits, from antiquity to modern times, including how to use and create them for the Metasploit Framework.