1

00:00:01,380  -->  00:00:03,807
<v Narrator>Code Execution Vulnerabilities.</v>
2

00:00:03,807  -->  00:00:06,407
These types of vulnerabilities allow us to execute
3

00:00:06,407  -->  00:00:09,389
operating system code on the target server.
4

00:00:09,389  -->  00:00:11,579
So, if the target server uses Windows,
5

00:00:11,579  -->  00:00:13,334
we'll be able to execute Windows commands,
6

00:00:13,334  -->  00:00:17,000
if it uses Linux, then we'll be able to use Linux commands.
7

00:00:17,000  -->  00:00:20,772
Clearly, this is a really critical problem,
8

00:00:20,772  -->  00:00:23,444
that would allow us to do anything we want
9

00:00:23,444  -->  00:00:25,120
with the target, really.
10

00:00:25,120  -->  00:00:26,623
We can upload a PHP shell,
11

00:00:26,623  -->  00:00:30,840
using the wget command, or upload a payload,
12

00:00:30,840  -->  00:00:32,135
a virus, anything we want,
13

00:00:32,135  -->  00:00:35,131
using the wget Linux command.
14

00:00:35,131  -->  00:00:37,213
You just need to make sure that you're uploading it
15

00:00:37,213  -->  00:00:39,185
to a file or to a directory,
16

00:00:39,185  -->  00:00:41,201
which you're allowed to write stuff to.
17

00:00:41,201  -->  00:00:44,154
Another way of exploiting this vulnerability,
18

00:00:44,154  -->  00:00:48,448
is to just run OS commands and get a reverse shell
19

00:00:48,448  -->  00:00:50,280
based on these commands.
20

00:00:50,280  -->  00:00:52,970
So, because we can run operating system commands,
21

00:00:52,970  -->  00:00:55,210
we can use the programming languages supported
22

00:00:55,210  -->  00:00:58,523
by that operating system to try and get
23

00:00:58,523  -->  00:01:01,113
a reverse connection on our computer.
24

00:01:02,470  -->  00:01:05,360
So, first of all, let's just assume
25

00:01:05,360  -->  00:01:06,571
that we're browsing here,
26

00:01:06,571  -->  00:01:09,507
and we're going around
27

00:01:09,507  -->  00:01:13,214
and then we got to a tab in the website
28

00:01:13,214  -->  00:01:15,460
where it allows you to,
29

00:01:15,460  -->  00:01:16,920
for example, do a ping.
30

00:01:16,920  -->  00:01:18,614
Now what you should do is, you should always
31

00:01:18,614  -->  00:01:22,048
try to experiment with any input box you see.
32

00:01:22,048  -->  00:01:25,020
Try to see what that input box does
33

00:01:25,020  -->  00:01:27,051
and what you can inject into it,
34

00:01:27,051  -->  00:01:30,038
what can you do to get stuff running.
35

00:01:30,038  -->  00:01:32,070
So, for example, this input box
36

00:01:32,070  -->  00:01:34,030
is telling you it's going to do a ping.
37

00:01:34,030  -->  00:01:35,310
And, if you put an IP,
38

00:01:35,310  -->  00:01:38,400
for example, I'm going to put 10.20.14.203,
39

00:01:38,400  -->  00:01:39,524
which is my own IP.
40

00:01:39,524  -->  00:01:42,239
Just to see it, to use it as a normal person,
41

00:01:42,239  -->  00:01:45,560
I'm going to do a submit and it's going to go ahead
42

00:01:45,560  -->  00:01:47,750
and ping it for me and give me the ping results.
43

00:01:47,750  -->  00:01:50,120
So, what it looks like here,
44

00:01:50,120  -->  00:01:52,593
it's actually executing the ping command,
45

00:01:53,970  -->  00:01:54,970
in Linux systems.
46

00:01:54,970  -->  00:01:57,400
Now, let's see if we can exploit that.
47

00:01:57,400  -->  00:02:00,100
If it's actually executing the ping command.
48

00:02:00,100  -->  00:02:01,815
So, what it's doing is, it's going,
49

00:02:01,815  -->  00:02:03,793
and it's doing.
50

00:02:04,780  -->  00:02:09,780
So, we're sending 10.20.14.203 as the ping.
51

00:02:10,060  -->  00:02:12,039
And then it's going to the web server
52

00:02:12,039  -->  00:02:16,607
and the web server is doing ping 10.20.14.203.
53

00:02:19,790  -->  00:02:21,930
So, let's see if we can exploit this.
54

00:02:21,930  -->  00:02:23,153
How would we exploit it?
55

00:02:23,153  -->  00:02:25,364
It's taking what we're inputting, right here.
56

00:02:25,364  -->  00:02:28,819
And then, it's doing ping, that.
57

00:02:28,819  -->  00:02:32,966
Now, in Linux and Unix-based commands
58

00:02:32,966  -->  00:02:37,966
you can use this sign to execute multiple commands,
59

00:02:38,978  -->  00:02:40,630
on one line.
60

00:02:40,630  -->  00:02:44,270
So, if you do this, for example in your own terminal,
61

00:02:44,270  -->  00:02:46,570
so, I'm just going to go through my terminal, here.
62

00:02:46,570  -->  00:02:49,640
And I'm just going to do ls, which is the list command
63

00:02:49,640  -->  00:02:51,884
and then pwd is what lists,
64

00:02:51,884  -->  00:02:54,220
what shows your working directory.
65

00:02:54,220  -->  00:02:57,096
So, if I do an ls, followed by this sign
66

00:02:57,096  -->  00:03:00,829
and then do pwd, it will execute both commands.
67

00:03:00,829  -->  00:03:03,560
So, it will do this and then it will show
68

00:03:03,560  -->  00:03:05,021
where the working directory is.
69

00:03:05,021  -->  00:03:08,180
So, we can do the same thing with this
70

00:03:08,180  -->  00:03:09,820
and see if it works for us.
71

00:03:09,820  -->  00:03:12,268
So, we're going to put in an IP, a right IP,
72

00:03:12,268  -->  00:03:13,975
and then I'm just going to do pwd
73

00:03:13,975  -->  00:03:17,499
and see if it will execute the pwd for me.
74

00:03:17,499  -->  00:03:19,030
If it does,
75

00:03:19,030  -->  00:03:20,969
then this is a code execution vulnerability
76

00:03:20,969  -->  00:03:24,710
and I can execute anything I want on the server.
77

00:03:24,710  -->  00:03:26,040
So, let's see what's going to happen.
78

00:03:26,040  -->  00:03:28,563
I pasted this, and I'm going to hit submit.
79

00:03:29,863  -->  00:03:32,072
And as you can see, we got the ping results,
80

00:03:32,072  -->  00:03:33,950
but at the end,
81

00:03:33,950  -->  00:03:35,750
we got our current working directory.
82

00:03:35,750  -->  00:03:39,777
So, it's /var/www/dvwa/vulnerabilities/exec.
83

00:03:41,996  -->  00:03:46,024
So, it executed the pwd that I inserted.
84

00:03:46,024  -->  00:03:48,970
And that means I can insert any commands I want,
85

00:03:48,970  -->  00:03:51,663
in there and they'll be executed.
86

00:03:51,663  -->  00:03:54,956
So, I've inserted a resources file
87

00:03:54,956  -->  00:03:59,253
that you can use to get a reverse connection
88

00:03:59,253  -->  00:04:01,570
from the target computer.
89

00:04:01,570  -->  00:04:02,860
Now, there's a number of ways,
90

00:04:02,860  -->  00:04:04,550
a number of commands that would give you
91

00:04:04,550  -->  00:04:05,880
a reverse connection.
92

00:04:05,880  -->  00:04:08,330
All of these commands depend on the programming language.
93

00:04:08,330  -->  00:04:10,592
So, for example, we have commands in PHP,
94

00:04:10,592  -->  00:04:13,304
we have commands in Ruby, you have Perl commands
95

00:04:13,304  -->  00:04:15,070
and we have the one for Bash.
96

00:04:15,070  -->  00:04:20,070
Bash is the Linux shell command and language.
97

00:04:20,210  -->  00:04:23,707
So, all Unix operating systems will be able to execute
98

00:04:23,707  -->  00:04:25,170
Bash commands.
99

00:04:25,170  -->  00:04:29,670
So, that's a very good way of doing it.
100

00:04:29,670  -->  00:04:32,160
So, most Unix systems,
101

00:04:32,160  -->  00:04:35,204
this command should work on most Unix-based systems.
102

00:04:35,204  -->  00:04:37,587
So, this would be a really good way of doing it.
103

00:04:37,587  -->  00:04:39,613
Again, most of them would have Python,
104

00:04:39,613  -->  00:04:41,458
so, Python would be a good way.
105

00:04:41,458  -->  00:04:44,248
Netcat, most of them do have Netcat as well.
106

00:04:44,248  -->  00:04:46,158
So, Netcat is a good way of doing that.
107

00:04:46,158  -->  00:04:50,200
And, we're actually going to use Netcat in this video.
108

00:04:50,200  -->  00:04:51,850
So, what I'm going to do is,
109

00:04:51,850  -->  00:04:53,610
first I'm going to listen for connections,
110

00:04:53,610  -->  00:04:55,470
just like we used to do with Metasploit,
111

00:04:55,470  -->  00:04:57,520
when we used to do multi/handler.
112

00:04:57,520  -->  00:04:59,333
You can actually use a multi/handler for this,
113

00:04:59,333  -->  00:05:00,661
and listen for a connection.
114

00:05:00,661  -->  00:05:02,730
Well, I'm just going to keep it simpler
115

00:05:02,730  -->  00:05:04,240
and show you a new way.
116

00:05:04,240  -->  00:05:05,450
And, I'm going to use Netcat.
117

00:05:05,450  -->  00:05:06,763
So, Netcat.
118

00:05:11,510  -->  00:05:13,400
Netcat is just a tool that allows you
119

00:05:13,400  -->  00:05:16,023
to listen and connect computers together.
120

00:05:16,870  -->  00:05:18,797
So, I'm going to listen on port 8080.
121

00:05:18,797  -->  00:05:20,410
So, Netcat is the program.
122

00:05:20,410  -->  00:05:22,440
-vv is just to see verbose output,
123

00:05:22,440  -->  00:05:24,020
so we can see a lot of output,
124

00:05:24,020  -->  00:05:25,381
if anything goes wrong, we can see it.
125

00:05:25,381  -->  00:05:27,580
And, we're telling it to listen,
126

00:05:27,580  -->  00:05:30,203
using the -l option on port 8080.
127

00:05:31,140  -->  00:05:32,570
So, I'm going to hit enter,
128

00:05:32,570  -->  00:05:35,430
and that's saying just listening on port 8080,
129

00:05:35,430  -->  00:05:36,824
that's all it's going to do.
130

00:05:36,824  -->  00:05:39,920
The next command we're going to do, is,
131

00:05:39,920  -->  00:05:42,536
we're going to try to connect from the web server
132

00:05:42,536  -->  00:05:45,950
back to my computer, using Netcat, as well.
133

00:05:45,950  -->  00:05:47,934
So, we're assuming the web server has Netcat.
134

00:05:47,934  -->  00:05:49,811
We're going to try it and see if that works.
135

00:05:49,811  -->  00:05:51,930
So, the command is very simple.
136

00:05:51,930  -->  00:05:54,968
It's Netcat and we're telling it to use /bin/bash.
137

00:05:54,968  -->  00:05:59,503
And we're giving it the IP of my device.
138

00:05:59,503  -->  00:06:03,613
My attacker device, which is 10.20.14.
139

00:06:06,240  -->  00:06:09,300
And, then the port which is 8080.
140

00:06:09,300  -->  00:06:11,988
Which is where we're listening on, right here.
141

00:06:11,988  -->  00:06:14,063
So, I'm going to copy that.
142

00:06:15,630  -->  00:06:17,550
And I'm just going to execute it the same way
143

00:06:17,550  -->  00:06:18,394
we used to execute the pwd
144

00:06:18,394  -->  00:06:21,183
command.
145

00:06:22,810  -->  00:06:26,587
So, the last thing we did was 10.20.14.203.
146

00:06:32,690  -->  00:06:34,400
And then we did pwd.
147

00:06:34,400  -->  00:06:35,340
So, what I'm going to do now,
148

00:06:35,340  -->  00:06:37,020
I'm going to remove the pwd
149

00:06:37,020  -->  00:06:39,383
and paste the code that we just created,
150

00:06:39,383  -->  00:06:42,401
which will try to connect from the web server
151

00:06:42,401  -->  00:06:45,313
back to the Kali machine, to the attacker machine.
152

00:06:45,313  -->  00:06:47,510
And, I'm going to come here.
153

00:06:47,510  -->  00:06:50,363
And, as you can see, we got a connection back
154

00:06:50,363  -->  00:06:54,794
to us, from 10.20.14.204.
155

00:06:54,794  -->  00:06:57,434
So, that's the target computer.
156

00:06:57,434  -->  00:07:00,773
And, if we do a pwd, you'll see that we have
157

00:07:00,773  -->  00:07:02,802
a reverse shell if we do an ls.
158

00:07:02,802  -->  00:07:07,607
If we do an id, you'll see that we're www-data
159

00:07:07,607  -->  00:07:11,534
and you're free to (mumbles) uname -a, just to confirm.
160

00:07:11,534  -->  00:07:14,690
That I'm in the Metasploitable and you can see
161

00:07:14,690  -->  00:07:16,260
that I'm in the Metasploitable.
162

00:07:16,260  -->  00:07:18,970
And, I'm able to run any command that I want
163

00:07:18,970  -->  00:07:19,803
on the target computer.
164

00:07:19,803  -->  00:07:23,393
So, basically I have full access to the target computer.
