BeRoot – Windows Privilege Escalation Tool

BeRoot(s) is a post exploitation tool to check commun Windows misconfigurations to find a way to escalate our privilege.

A compiled version is available here.

It will be added to the pupy project as a post exploitation module (so it will be executed all in memory without touching the disk).

Except one method, this tool is only used to detect and not to exploit. If something is found, templates could be used to exploit it. To use it, just create a test.bat file located next to the service / DLL used. It should execute it once called. Depending on the Redistributable Packages installed on the target host, these binaries may not work.

Run it

|====================================================================|| || Windows Privilege Escalation || || ! BANG BANG ! || ||====================================================================|usage: beRoot.exe [-h] [-l] [-w] [-c CMD]Windows Privilege Escalationoptional arguments: -h, –help show this help message and exit -l, –list list all softwares installed (not run by default) -w, –write write output -c CMD, –cmd CMD cmd to execute for the webclient check (default: whoami)

All detection methods are described on the following document.Path containing space without quotes
Consider the following file path:

C:\Program Files\Some Test\binary.exe

If the path contains spaces and no quotes, Windows would try to locate and execute programs in the following order:

C:\Program.exeC:\Program Files\Some.exeC:\Program Files\Some Folder\binary.exe

Following this example, if “C:\” folder is writeable, it would be possible to create a malicious executable binary called “Program.exe”. If “binary.exe” run with high privilege, it could be a good way to escalate our privilege.
Note: BeRoot realized these checks on every service path, scheduled tasks and startup keys located in HKLM.How to exploit:
The vulnerable path runs as:

a service: create a malicious service (or compile the service template)

a classic executable: Create your own executable.

Writeable directory
Consider the following file path:

C:\Program Files\Some Test\binary.exe

If the root directory of “binary.exe” is writeable (“C:\Program Files\Some Test”) and run with high privilege, it could be used to elevate our privileges.Note: BeRoot realized these checks on every service path, scheduled tasks and startup keys located in HKLM.How to exploit:

The service is not running:

Replace the legitimate service by our own, restart it or check how it’s triggered (at reboot, when another process is started, etc.).

The service is running and could not be stopped:

Most exploitation will be like that, checks for dll hijacking and try to restart the service using previous technics.

Writeable directory on %PATH%
This technic affects the following Windows version:

6.0 => Windows Vista / Windows Server 20086.1 => Windows 7 / Windows Server 2008 R26.2 => Windows 8 / Windows Server 2012

On a classic Windows installation, when DLLs are loaded by a binary, Windows would try to locate it using these following steps:

– Directory where the binary is located- C:\Windows\System32- C:\Windows\System- C:\Windows\- Current directory where the binary has been launched- Directory present in %PATH% environment variable

If a directory on the %PATH% variable is writeable, it would be possible to realize DLL hijacking attacks. Then, the goal would be to find a service which loads a DLL not present on each of these path. This is the case of the default “IKEEXT” service which loads the inexistant “wlbsctrl.dll”.How to exploit: Create a malicious DLL called “wlbsctrl.dll” (use the DLL template) and add it to the writeable path listed on the %PATH% variable. Start the service “IKEEXT”. To start the IKEEXT service without high privilege, a technic describe on the french magazine MISC 90 explains the following method:
Create a file as following:

C:\Users\bob\Desktop>type test.txt[IKEEXTPOC]MEDIA=rastapiPort=VPN2-0Device=Wan Miniport (IKEv2)DEVICE=vpnPhoneNumber=127.0.0.1

Use the “rasdial” binary to start the IKEEXT service. Even if the connection failed, the service should have been started.

C:\Users\bob\Desktop>rasdial IKEEXTPOC test test /PHONEBOOK:test.txt

MS16-075
For French user, I recommend the article written on the MISC 90 which explain in details how it works.
This vulnerability has been corrected by Microsoft with MS16-075, however many servers are still vulnerable to this kind of attack. I have been inspired from the C++ POC available here
Here are some explaination (not in details):

Start Webclient service (used to connect to some shares) using some magic tricks (using its UUID)

Start an HTTP server locally

Find a service which will be used to trigger a SYSTEM NTLM hash.

Enable file tracing on this service modifying its registry key to point to our webserver (\\127.0.0.1@port\tracing)

Start this service

Our HTTP Server start a negotiation to get the SYSTEM NTLM hash

Use of this hash with SMB to execute our custom payload (SMBrelayx has been modify to realize this action)

Clean everything (stop the service, clean the regritry, etc.).

How to exploit: BeRoot realize this exploitation, change the “-c” option to execute custom command on the vulnerable host.

beRoot.exe -c “net user Zapata LaLuchaSigue /add”beRoot.exe -c “net localgroup Administrators Zapata /add”

AlwaysInstallElevated registry keyAlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. To allow it, two registry entries have to be set to 1:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevatedHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

How to exploit: create a malicious msi binary and execute it.Unattended Install files
This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts including Administrator accounts. These files are available on these following path:

C:\Windows\Panther\Unattend.xmlC:\Windows\Panther\Unattended.xmlC:\Windows\Panther\Unattend\Unattended.xmlC:\Windows\Panther\Unattend\Unattend.xmlC:\Windows\System32\Sysprep\unattend.xml C:\Windows\System32\Sysprep\Panther\unattend.xml

How to exploit: open the unattend.xml file to check if passwords are present on it. Should looks like:

RmFrZVBhc3N3MHJk false Local Administrator Administrator Administrators Administrator

Other possible misconfigurations
Other tests are realized to check if it’s possible to:

Modify an existing service

Create a new service

Modify a startup key (on HKLM)

Modify directory where all scheduled tasks are stored: “C:\Windows\system32\Tasks”

Special thanks

Good description of each checks: http://ift.tt/2oIRIOQ

C++ POC: http://ift.tt/2oIL2Am

Impacket as always, awesome work: http://ift.tt/2c5FGJK

Download BeRoot http://ift.tt/2nZfdGt http://ift.tt/2aM8QhC

Anúncios

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s