Once again we dive into the hot topic of security flaws that were widely exposed by the leaking of NSA tools by the ShadowBrokers last April. Upon the release of these tools, Microsoft responded by saying that they had patched most of the related vulnerabilities almost exactly a month before the tools were leaked. This in itself struck many people as odd timing, but that’s a whole different topic.
The item we are here to talk about today is a tool called Esteemaudit. This tool takes advantage of a Smart Card Authentication flaw in both Windows XP and Windows Server 2003. It is also one of the few vulnerabilities that Microsoft says wasn’t patched. This is because both XP and 2003 are past “End of Life”. If you are not familiar with End of Life in the IT world, it is basically when Microsoft (or any vendor for that matter) officially stops maintaining and/or supporting a piece of software or hardware. This is troubling however as there are still many computers all around the world that run on these two operating systems. While running these systems internally on your local network is dangerous, having these machines facing externally(internet-facing) is EXTREMELY DANGEROUS.
There are various methods for finding web-facing devices. One easy way is by visiting https://www.shodan.io/. You will need to sign up for a free account, and then you can use the search feature at the top of the page. There are tons of other cool features on the site also. Here is an example of a search I did that is applicable to our subject today.
and the results….(which are terrifying by the way).
You will also see a list of IP addresses and some details on each. I will leave that for you to explore on your own further. I’ve noticed some false-positives where a machine was listed as XP but the screenshot that came along with it was one that belonged to a Windows Server 2003 machine. You will also notice that I specified in the search bar “port: 3389”. This port is used for Windows Remote Desktop Protocol (RDP). We know the machines listed currently have this port open; and therefore this protocol (most likely) facing the web.
Esteemaudit (as mentioned above) takes advantage of a Smart Card Authentication flaw. The vulnerability in this form of authentication in XP/Server 2003 exists in the “MyCPAcquireContext()” function in “gpkcsp.dll” as explained by
I am going to demonstrate how a machine running Window Server 2003 with RDP enabled and port 3389 open can quickly be compromised using a combination of EsteemAudit (exploit), MSFVenom (payload generator), and Metasploit (payload handler).
(If you don’t know this already) – Think of the general concept of exploits and payloads like the Trojan Horse. The exploit would be the horse itself (the way in) and the payload would be the guys who jumped out of the horse and took some action once inside the target. The payload handler is needed when one of the payloads’ “action once inside” is to call back to a machine (usually one under the control of the attacker). The handler is not inside the Trojan horse or the target, but it waits to get some information from the guys who are inside, which can then further the attack.
Lets see this in action!
Although this is not a “HowTo:” I will happily answer questions or create a step-by-step in greater detail if people ask! Setting up the NSA tools can be a little tricky as documentation is extremely limited (being that they weren’t intended for public use). Setting up Metasploit and MSFVenom on the other hand- there are much larger support communities to assist and documentation is more plentiful. Again, ask me your questions first as I may have been stuck where you are stuck and can save you a few hours of searching.
The NSA tools were all created to be ran in 32-bit environment, so I personally downloaded a free Windows XP (32-bit) virtual machine to keep things simple. I run it with VirtualBox. This seems that’s what a number of other folks testing these tools also did from my research.
On the XP virtual machine I’m going to fire up Fuzzbunch which is the framework from which the NSA tools can be easily accessed. I will configure a target and a callback target and then run Esteemaudit. Before Esteemaudit runs, it executes EsteemauditTouch. For most of the exploits in the Fuzzbunch framework, there is a corresponding “touch”. The “touch” for each exploit essentially runs some prerequisite checks against the target to ensure it is vulnerable to the matching exploit. It will then automatically grab much of the information that you would otherwise have to manually enter when the exploit gets setup. The more I think about it, the more I can see why these tools were referred to as “Point and shoot” by the media when they were first leaked. They really do so much of the work for you.
We then choose to validate the settings and confirm up to the point where we are asked for a CallbackPayloadDLL. Due to EsteemAuditTouch running first and prepopulating many fields, we are basically just hitting “enter” a bunch of times on our keyboard.
***The images below are just sample clips of some of the things you see while running through this process, these are not clips of the entire process. I have edited out chunks of IP’s also.****
The reason we stopped at “CallbackPayloadDLL”, is because rather than use the capa_x86.dll that is defaulted, we are going to create our own callback dll using MSFVenom. This way we can easily get ourselves a Meterpreter shell on the target.
I’ll now use the “callback.dll” file created in MSFvenom as the callback payload in Esteemaudit and then go through just a few more configurations before running the exploit.
***Note: Because this exploit and payload work only inside of the RAM/memory of the target, and no files are ever actually copied to the target hard drive, this attack can be difficult to detect. Also it only runs until the machine is rebooted. There are other “post-exploit” methods of creating a more persistent backdoor (a way in even after target is rebooted), but I wont be covering that in this article.***
Lastly, lets set up the payload callback handler with Metasploit.
And now lets inject the callback payload we created by executing the EsteemAudit RDP/Smart Card Authentication exploit. We should see the Metasploit payload handler “catch” the connection back!
Esteemaudit thinks it failed because the payload didn’t call it back, however if we look at our Metasploit handler you will see we did get a callback and now have a meterpreter shell!
For those of you familiar with meterpreter shells, you know what your options are from here, there are quite a few. For those of you unfamiliar with what happened, let me show you an example of what we can do now…
For just a minute let’s pretend we have normal “trusted access” to the server. We can log-in and see there is a “SensitiveDoc.txt” on the desktop.
We can open it and see it’s contents.
Now let’s go back to being “the hacker”… So we have our meterpreter shell… let’s see if as the hacker we can get the contents of that sensitive file.
Prior to this screenshot I navigated to the proper directory with the “cd” command. You will then see I used “ls” to list the contents of the desktop directory. You can see the file we are trying to get is listed! Below it you can see two different options/approaches to getting the contents of the file.
download SensitiveDoc.txt – Actually downloads a copy to the machine you are running Metasploit from.
cat SensitiveDoc.txt – Displays text content right in the shell.
And there you have it! There was no end-user interaction needed, no credentials, no phishing, nothing. A truly concerning vulnerability. Although it currently seems like Microsoft has no intention on patching this, if an exploit like this is leveraged to launch another massive worldwide ransomware attack similar to Wannacry you never know. There are certainly a large enough number of End of Life devices still floating around on the web. After all it was just one of the other tools in the Fuzzbunch framework that was heavily utilized to spread the ransomware in Wannacry.
What can be done to protect yourself if you are running XP or Server 2003? Well simply turn off RDP if that is an option. I assume you already know the best recommendation, which is to UPGRADE!!! That being said, if you cannot turn off RDP or upgrade then a group called enSilo has released a “3rd party patch” for this issue. More on that can be found here.
Until next time~!
As of 6/13/17 Microsoft has released patches for the XP/2003 machines that may have been potentially effected by the EsteemAudit exploit. These need to be manually applied and will not be found automatically with Windows Updates at this time. I guess enough people brought to light the potential for another disaster if these patches were not rolled out. More on that here.