poniedziałek, 8 maja 2017

Napalm 2.1 feat. Bitnami

I started creating the code basing on ideas from wrapper I created some time ago. Other tool – similar to this one – is of course grabash but here, I decided to change an approach of the tool to the one idea grabbed from the eternalblue-paper – targeted attacks.

In the middle of time I found a very interesting website – www.bitnami.com where you can find pre-installed (mostly) webapps. I though it will be ideal environment for my testing purposes. The only change I’ve done after the OS started was changing display_errors in php.ini from Off to On.

(But for later exploitation it is not really needed. I changed it only for easier spotting SQL-bugs during blackbox testing.)

As an example we will grab 2 webapps from Bitnami: latest DokuWiki and latest Concrete5 CMS. When your app will be ready to run, start the OS (I used VirtualBox to do that). Default credentials you will find on Bitnami’s website.

As you will shortly see, there is no problem to ‘code an exploit’ (or use/rewrite existing one;]) which is ‘for not authenticated users’. In our examples, both ‘ways’ to shell we will achieve assuming we already know the admin’s password.

Our DokuWiki is now ready:

Concrete5 seems to be ready too:
So now few words about the „Napalm Framework”: I assume that you already read the ‘eternal-blue paper’. Idea for creating Napalm was similar to the ‘framework’ created by NSA (and Metasploit… and grabash ;P): „point&click to get the shell”. I decide to prepare my own ‘super cool framework’ and that’s how the Napalm started to live. ;)
Let’s get to work:

As you can see we have a small menu with few options: list (to check available modules/sploits), use (to use one of them) and info to get some details about the bug we would like to „use”. In the listing below you will see some already prepared proof-of-concepts (as well as some skeletons of codes started in the middle of time) but for our purposes we will use only 2 of them: dokuwiki.py and concrete5_shellup.py.

Let's check it out:

Exploitation scenario as you can see is pretty similar to the bug exploited as https://www.exploit-db.com/exploits/36575/: you need a vulnerable webapp, credentials and link with your shellIn.zip to grab. Results?

So far so good. :] Now let’s prepare Napalm to exploit latest (8.1.0) Concrete5 CMS. Info about the module:

Let’s get our shell:

Should be ready now. ;]

(If you want a copy: mail me for the password to the zipfile. You will need it.)

As you can see coding ‘your own exploitation framework’ is not so hard today. If you want, feel free to extend Napalm’s code and (re)write your own „module”. ;)


Brak komentarzy:

Prześlij komentarz