Merge c687e6c633 into 408d368b18

classic backdoor shell on 1524

.gitignore

@@ -2,6 +2,7 @@
 packer_cache/
 packer/builds/
 resources/drivers/
+resources/windows_pre_downloads/
 *.vfd
 *.exe
 *.msi

README.md

@@ -61,25 +61,39 @@ Requirements:
 
 ### ub1404 Development and Modification
 
-Using Vagrant and a lightweight Ubuntu 14.04 vagrant cloud box image, you can quickly set up and customize ub1404 Metasploitable3 for development or customization.
-To do so, install Vagrant and a hypervisor such as VirtualBox. Then, visit the `bento/ubuntu-14.04` page and find a version that supports
-your hypervisor. For instance, version `v201808.24.0` is compatible with VirtualBox.
+Using Vagrant and a lightweight Ubuntu 14.04 vagrant cloud box image, you can
+quickly set up and customize ub1404 Metasploitable3 for development or
+customization. To do so, install Vagrant and a hypervisor such as VirtualBox,
+VMWare, or libvirt.
 
-Install the vagrant virtualbox vbguest plugin:
+Install the relevant provider plugin:
 
+    # virtualbox
     vagrant plugin install vagrant-vbguest
-    
-Then, navigate to the `/chef/dev/ub1404` directory in this repository. Examine the Vagrantfile there. Metasploitable ub1404 uses the vagrant `chef-solo` provisioner.
-To this Vagrantfile, add the metasploitable chef recipes that you desire -- you can browse them in the `/chef/cookbooks/metasploitable` folder. Or, 
-add or edit your own cookbook and/or recipes there.
 
-From the `/chef/dev/ub1404` directory, you can run `vagrant up` to get a development virtual ub1404 instance. After the initial `up` build and provision, 
-when you edit the chef runlist or when you edit a chef recipe, run `vagrant provision` from the same directory. For faster development, you can comment-out 
-recipes that you do not need to rerun -- but even if they are all enabled, vagrant provisioning should not take longer one or two minutes. 
-Chef aims to be idempotent, so you can rerun this command often.
+    # libvirt
+    vagrant plugin install vagrant-libvirt
 
-Consider taking a snapshot (e.g., `vagrant snapshot new fresh`) before modifying recipes, so that you can always return to an initial state (`vagrant restore fresh`).
-If you want a _totally_ fresh snapshot, you can do the initialization with `vagrant up --no-provision`, then take a snapshot, followed by `vagrant provision`.
+Then, navigate to the [chef/dev/ub1404](chef/dev/ub1404) directory in this repository.
+Examine the Vagrantfile there. Select a base box that supports your provider.
+
+Metasploitable ub1404 uses the vagrant `chef-solo` provisioner. Configure the
+chef_solo block in the Vagrantfile with the metasploitable chef recipes that you
+desire -- you can browse them in the [chef/cookbooks/metasploitable](chef/cookbooks/metasploitable)
+folder. Or, add or edit your own cookbook and/or recipes there.
+
+From the [chef/dev/ub1404](chef/dev/ub1404) directory, you can run `vagrant up`
+to get a development virtual ub1404 instance. After the initial `up` build and provision,
+when you edit the chef runlist or when you edit a chef recipe, run
+`vagrant rsync && vagrant provision` from the same directory. For faster
+development, you can comment-out recipes that you do not need to rerun -- but
+even if they are all enabled, vagrant re-provisioning should not take longer than
+one or two minutes. Chef aims to be idempotent, so you can rerun this command often.
+
+Consider taking a snapshot (e.g., `vagrant snapshot save fresh`) before modifying
+recipes, so that you can always return to an initial state (`vagrant restore fresh`).
+If you want a _totally_ fresh snapshot, you can do the initialization with
+`vagrant up --no-provision`, then take a snapshot, followed by `vagrant provision`.
 
 
 ## Vulnerabilities

chef/cookbooks/metasploitable/recipes/ingreslock.rb

@@ -0,0 +1,27 @@
+#
+# Cookbook:: metasploitable
+# Recipe:: ingreslock
+#
+# Copyright:: 2020, Rapid7, All Rights Reserved.
+
+include_recipe 'iptables::default'
+
+iptables_rule '01_ingreslock' do
+  lines "-A INPUT -p tcp --dport 1524 -j ACCEPT"
+end
+
+package 'inetutils-inetd' do
+  action :install
+end
+
+# needs to happen before starting the service --
+# otherwise, if no services listed in inetd.conf,
+# inetd will refuse to start.
+execute 'add ingreslock to /etc/inetd.conf' do
+  command "echo 'ingreslock stream tcp nowait root /bin/bash bash -i' >> /etc/inetd.conf"
+  not_if "grep -q 'ingreslock stream tcp nowait root /bin/bash bash -i' /etc/inetd.conf"
+end
+
+service 'inetutils-inetd' do
+  action [:enable, :start]
+end

chef/dev/ub1404/Vagrantfile

@@ -1,19 +1,23 @@
 # This Vagrantfile can be used to quickly spin up a development instance of ub1404
 
 Vagrant.configure("2") do |config|
-  config.vm.define "dev" do |dev|
-    dev.vm.box = "bento/ubuntu-14.04"
-    dev.vm.box_version = "201808.24.0"
-    dev.ssh.username = 'vagrant'
-    dev.ssh.password = 'vagrant'
-    dev.vm.network "forwarded_port", guest: 21, host:2121
 
-    dev.vm.provider "virtualbox" do |v|
-      v.name = "Metasploitable3-ub1404-dev"
-      v.memory = 2048
-    end
+  config.vm.define "Metasploitable3-dev"
+  config.vm.box = "bento/ubuntu-14.04"
+  config.vm.box_version = "201808.24.0"
+
+  config.vm.provider :libvirt do |libvirt, override|
+    override.vm.box = "peru/ubuntu-14.04-server-amd64"
+    override.vm.box_version = "20190901.01"
+    libvirt.memory = 2048
   end
-  
+
+  config.ssh.username = 'vagrant'
+  config.ssh.password = 'vagrant'
+  config.vm.network "forwarded_port", guest: 21, host:2121
+
+  # manually rsync recipe changes before re-provisioning. e.g.,
+  # `vagrant rsync && vagrant provision`
   config.vm.provision "chef_solo" do |chef|
     chef.arguments = '--chef-license accept'
     chef.cookbooks_path = [ '../../cookbooks' ]
@@ -37,8 +41,12 @@ Vagrant.configure("2") do |config|
     chef.add_recipe "metasploitable::cups"
     chef.add_recipe "metasploitable::drupal"
     chef.add_recipe "metasploitable::knockd"
+    chef.add_recipe "metasploitable::ingreslock"
     chef.add_recipe "metasploitable::iptables"
     chef.add_recipe "metasploitable::flags"
     chef.add_recipe "metasploitable::clear_cache"
   end
-end
+
+  # Disable NFS sharing (==> default: Mounting NFS shared folders...)
+  config.vm.synced_folder ".", "/vagrant", type: "nfs", disabled: true
+end

packer/answer_files/2008_r2/Autounattend.xml

@@ -261,16 +261,6 @@
                     <CommandLine>cmd.exe /c mkdir -p C:\vagrant\scripts</CommandLine>
                     <Description>Create directory for vagrant files to avoid provisioner bug with packer.</Description>
                     <Order>26</Order>
-                </SynchronousCommand>
-                <SynchronousCommand wcm:action="add">
-                    <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\install_dotnet45.ps1 -AutoStart</CommandLine>
-                    <Order>97</Order>
-                    <Description>Install .NET 4.5.1</Description>
-                </SynchronousCommand>
-                <SynchronousCommand wcm:action="add">
-                    <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\install_wmf.ps1 -AutoStart</CommandLine>
-                    <Order>98</Order>
-                    <Description>Installing Windows Management Framework 5.0</Description>
                 </SynchronousCommand>
                  <!--WITHOUT WINDOWS UPDATES -->
                 <SynchronousCommand wcm:action="add">

packer/templates/pro/windows_2008_r2_pro.json

@@ -135,7 +135,7 @@
     }
   ],
   "variables": {
-    "iso_url": "http://download.microsoft.com/download/7/5/E/75EC4E54-5B02-42D6-8879-D8D3A25FBEF7/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso",
+    "iso_url": "https://download.microsoft.com/download/4/1/D/41DEA7E0-B30D-4012-A1E3-F24DC03BA1BB/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso",
     "iso_checksum": "4263be2cf3c59177c45085c0a7bc6ca5",
     "autounattend": "{{template_dir}}/../../answer_files/2008_r2/Autounattend.xml",
     "scripts_dir": "{{template_dir}}/../../../scripts",

packer/templates/ubuntu_1404.json

@@ -175,6 +175,7 @@
         "metasploitable::cups",
         "metasploitable::drupal",
         "metasploitable::knockd",
+        "metasploitable::ingreslock",
         "metasploitable::iptables",
         "metasploitable::flags",
         "metasploitable::ifnames"

packer/templates/windows_2008_r2.json

@@ -18,8 +18,6 @@
         "{{user `scripts_dir`}}/configs/microsoft-updates.bat",
         "{{user `scripts_dir`}}/configs/win-updates.ps1",
         "{{user `scripts_dir`}}/installs/openssh.ps1",
-        "{{user `scripts_dir`}}/installs/install_dotnet45.ps1",
-        "{{user `scripts_dir`}}/installs/install_wmf.ps1",
         "{{user `resources_dir`}}/certs/oracle-cert.cer",
         "{{user `resources_dir`}}/certs/gdig2.crt",
         "{{user `resources_dir`}}/certs/comodorsadomainvalidationsecureserverca.crt",
@@ -56,8 +54,6 @@
         "{{user `scripts_dir`}}/configs/microsoft-updates.bat",
         "{{user `scripts_dir`}}/configs/win-updates.ps1",
         "{{user `scripts_dir`}}/installs/openssh.ps1",
-        "{{user `scripts_dir`}}/installs/install_dotnet45.ps1",
-        "{{user `scripts_dir`}}/installs/install_wmf.ps1",
         "{{user `resources_dir`}}/certs/oracle-cert.cer",
         "{{user `resources_dir`}}/certs/gdig2.crt",
         "{{user `resources_dir`}}/certs/comodorsadomainvalidationsecureserverca.crt",
@@ -99,8 +95,6 @@
         "{{user `scripts_dir`}}/configs/microsoft-updates.bat",
         "{{user `scripts_dir`}}/configs/win-updates.ps1",
         "{{user `scripts_dir`}}/installs/openssh.ps1",
-        "{{user `scripts_dir`}}/installs/install_dotnet45.ps1",
-        "{{user `scripts_dir`}}/installs/install_wmf.ps1",
         "{{user `resources_dir`}}/certs/oracle-cert.cer",
         "{{user `resources_dir`}}/certs/gdig2.crt",
         "{{user `resources_dir`}}/certs/comodorsadomainvalidationsecureserverca.crt",
@@ -150,8 +144,6 @@
         "{{user `scripts_dir`}}/configs/microsoft-updates.bat",
         "{{user `scripts_dir`}}/configs/win-updates.ps1",
         "{{user `scripts_dir`}}/installs/openssh.ps1",
-        "{{user `scripts_dir`}}/installs/install_dotnet45.ps1",
-        "{{user `scripts_dir`}}/installs/install_wmf.ps1",
         "{{user `resources_dir`}}/certs/oracle-cert.cer",
         "{{user `resources_dir`}}/certs/gdig2.crt",
         "{{user `resources_dir`}}/certs/comodorsadomainvalidationsecureserverca.crt",
@@ -184,6 +176,16 @@
     }
   ],
   "provisioners": [
+    {
+        "type": "shell-local",
+        "only_on": ["linux", "darwin"],
+        "inline": ["cd {{user `resources_dir`}} && {{user `resources_dir`}}/download-windows-files.sh"]
+    },
+    {
+        "type": "shell-local",
+        "only_on": ["windows"],
+        "inline": ["cd {{user `resources_dir`}} && powershell {{user `resources_dir`}}/download-windows-files.ps1"]
+    },
     {
       "type": "file",
       "source": "{{user `scripts_dir`}}",
@@ -200,7 +202,6 @@
       "execute_command": "{{.Vars}} cmd /c C:/Windows/Temp/script.bat",
       "scripts": [
         "{{user `scripts_dir`}}/configs/update_root_certs.bat",
-        "{{user `scripts_dir`}}/configs/disable-auto-logon.bat",
         "{{user `scripts_dir`}}/configs/enable-rdp.bat"
       ]
     },
@@ -215,6 +216,25 @@
     {
       "type": "windows-restart"
     },
+    {
+      "type": "powershell",
+      "scripts": [
+        "{{user `scripts_dir`}}/installs/install_dotnet45.ps1"
+      ]
+    },
+    {
+      "type": "windows-restart"
+    },
+    {
+      "type": "powershell",
+      "scripts": [
+        "{{user `scripts_dir`}}/installs/install_wmf.ps1"
+      ]
+    },
+    {
+      "type": "windows-restart",
+      "pause_before": "180s"
+    },
     {
       "type": "powershell",
       "scripts": [
@@ -240,7 +260,9 @@
       "remote_path": "C:/Windows/Temp/script.bat",
       "execute_command": "{{.Vars}} cmd /c C:/Windows/Temp/script.bat",
       "scripts": [
-        "{{user `scripts_dir`}}/installs/install_boxstarter.bat",
+        "{{user `scripts_dir`}}/configs/disable-auto-logon.bat",
+        "{{user `scripts_dir`}}/chocolatey_installs/chocolatey-compatibility.bat",
+        "{{user `scripts_dir`}}/chocolatey_installs/boxstarter.bat",
         "{{user `scripts_dir`}}/chocolatey_installs/7zip.bat",
         "{{user `scripts_dir`}}/configs/apply_password_settings.bat",
         "{{user `scripts_dir`}}/configs/create_users.bat",
@@ -267,7 +289,7 @@
         "{{user `scripts_dir`}}/installs/install_wordpress.bat",
         "{{user `scripts_dir`}}/installs/install_openjdk6.bat",
         "{{user `scripts_dir`}}/installs/setup_jmx.bat",
-        "{{user `scripts_dir`}}/installs/install_ruby.bat",
+        "{{user `scripts_dir`}}/chocolatey_installs/ruby.bat",
         "{{user `scripts_dir`}}/installs/install_devkit.bat"
       ]
     },
@@ -342,7 +364,7 @@
     }
   ],
   "variables": {
-    "iso_url": "http://download.microsoft.com/download/7/5/E/75EC4E54-5B02-42D6-8879-D8D3A25FBEF7/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso",
+    "iso_url": "https://download.microsoft.com/download/4/1/D/41DEA7E0-B30D-4012-A1E3-F24DC03BA1BB/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso",
     "iso_checksum": "4263be2cf3c59177c45085c0a7bc6ca5",
     "autounattend": "{{template_dir}}/../answer_files/2008_r2/Autounattend.xml",
     "scripts_dir": "{{template_dir}}/../../scripts",

resources/download-windows-files.ps1

@@ -0,0 +1,23 @@
+$Logfile = "C:\Windows\Temp\wmf-install.log"
+function LogWrite {
+   Param ([string]$logstring)
+   $now = Get-Date -format s
+   Add-Content $Logfile -value "$now $logstring"
+   Write-Host $logstring
+}
+
+LogWrite "Downloading dotNet 4.5.2"
+try {
+    (New-Object System.Net.WebClient).DownloadFile('https://download.microsoft.com/download/E/2/1/E21644B5-2DF2-47C2-91BD-63C560427900/NDP452-KB2901907-x86-x64-AllOS-ENU.exe', 'windows_pre_downloads/dotnet.exe')
+} catch {
+    LogWrite $_.Exception | Format-List -force
+    LogWrite "Failed to download file."
+}
+
+LogWrite "Downloading Windows Management Framework 5.1"
+try {
+    (New-Object System.Net.WebClient).DownloadFile('https://download.microsoft.com/download/6/F/5/6F5FF66C-6775-42B0-86C4-47D41F2DA187/Win7AndW2K8R2-KB3191566-x64.zip', 'windows_pre_downloads/wmf.zip')
+} catch {
+    LogWrite $_.Exception | Format-List -force
+    LogWrite "Failed to download file."
+}

resources/download-windows-files.sh

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+curl -L --output windows_pre_downloads/dotnet.exe https://download.microsoft.com/download/E/2/1/E21644B5-2DF2-47C2-91BD-63C560427900/NDP452-KB2901907-x86-x64-AllOS-ENU.exe
+curl -L --output windows_pre_downloads/wmf.zip https://download.microsoft.com/download/6/F/5/6F5FF66C-6775-42B0-86C4-47D41F2DA187/Win7AndW2K8R2-KB3191566-x64.zip

scripts/chocolatey_installs/chocolatey-compatibility.bat

@@ -0,0 +1,4 @@
+chocolatey feature enable -n=allowGlobalConfirmation
+choco install chocolatey-compatibility.extension
+chocolatey feature disable -n=allowGlobalConfirmation
+exit

scripts/installs/chocolatey.cmd

@@ -1 +0,0 @@
-@powershell -NoProfile -ExecutionPolicy Bypass -File "%systemdrive%\vagrant\scripts\installs\install_chocolatey.ps1"

scripts/installs/chocolatey.ps1

@@ -40,12 +40,17 @@ function Invoke-CLR4PowerShellCommand {
 
 }
 
+if (!(Test-Path -Path $PROFILE)) {
+  New-Item -ItemType File -Path $PROFILE -Force
+}
+
 $ErrorActionPreference = 'Stop'
 Set-StrictMode -Version Latest
 
 $isWin8 = wmic os get caption | find /i '" 8 "'
 $isWin2012 = wmic os get caption | find /i '" 2012 "'
 
+$env:chocolateyVersion = '0.10.13'
 # skip wrapping for 8 or 2012?
 if ($isWin8 -or $isWin2012){
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))

scripts/installs/install_dotnet45.ps1

@@ -6,17 +6,9 @@ function LogWrite {
    Write-Host $logstring
 }
  
-LogWrite "Downloading dotNet 4.5.1"
-try {
-    (New-Object System.Net.WebClient).DownloadFile('http://download.microsoft.com/download/1/6/7/167F0D79-9317-48AE-AEDB-17120579F8E2/NDP451-KB2858728-x86-x64-AllOS-ENU.exe', 'C:\Windows\Temp\dotnet.exe')
-} catch {
-    LogWrite $_.Exception | Format-List -force
-    LogWrite "Failed to download file."
-}
-
 LogWrite "Starting installation process..."
 try {
-    Start-Process -FilePath "C:\Windows\Temp\dotnet.exe" -ArgumentList "/I /q /norestart" -Wait -PassThru
+    Start-Process -FilePath "C:\vagrant\resources\windows_pre_downloads\dotnet.exe" -ArgumentList "/I /q /norestart" -Wait -PassThru
 } catch {
     LogWrite $_.Exception | Format-List -force
     LogWrite "Exception during install process."

scripts/installs/install_manageengine.bat

@@ -1,5 +1,5 @@
 powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://metasploitable-binaries.s3.amazonaws.com/metasploitable3/ManageEngine_DesktopCentral.exe', 'C:\Windows\Temp\ManageEngine_DesktopCentral.exe')" <NUL
-start /WAIT C:\Windows\Temp\ManageEngine_DesktopCentral.exe /w /s /f1C:\Vagrant\resources\manageengine\setup.iss
+start /WAIT C:\Windows\Temp\ManageEngine_DesktopCentral.exe /w /s /f1"C:\Vagrant\resources\manageengine\setup.iss"
 net stop "ManageEngine Desktop Central Server"
 net stop "MEDC Server Component - Apache"
 net stop "MEDC Server Component - Notification Server"

scripts/installs/install_wmf.ps1

@@ -5,19 +5,31 @@ function LogWrite {
    Add-Content $Logfile -value "$now $logstring"
    Write-Host $logstring
 }
- 
-LogWrite "Downloading Windows Management Framework 5.0"
-try {
-    (New-Object System.Net.WebClient).DownloadFile('https://download.microsoft.com/download/2/C/6/2C6E1B4A-EBE5-48A6-B225-2D2058A9CEFB/Win7AndW2K8R2-KB3134760-x64.msu', 'C:\Windows\Temp\wmf.msu')
-} catch {
-    LogWrite $_.Exception | Format-List -force
-    LogWrite "Failed to download file."
+
+
+LogWrite "Extracting Archive..."
+
+$extractLocation = "C:\vagrant\resources\windows_pre_downloads\wmf_install"
+New-Item -Path $extractLocation -ItemType Directory
+
+$shell = New-Object -ComObject shell.application
+$zip = $shell.NameSpace("C:\vagrant\resources\windows_pre_downloads\wmf.zip")
+foreach ($item in $zip.items()) {
+  $shell.Namespace($extractLocation).CopyHere($item)
 }
 
+Set-Location -Path $extractLocation -PassThru
+$installCmd = "powershell.exe -ExecutionPolicy Bypass -Command " + '"' + ${extractLocation} + "\Install-WMF5.1.ps1 -AcceptEula" + '"'
+
 LogWrite "Starting installation process..."
-try {
-    Start-Process -FilePath "wusa.exe" -ArgumentList "C:\Windows\Temp\wmf.msu /quiet /norestart" -Wait -PassThru
-} catch {
-    LogWrite $_.Exception | Format-List -force
-    LogWrite "Exception during install process."
-}
+
+New-Item C:\vagrant\resources\windows_pre_downloads\wmf_install\install_wmf.bat -ItemType "file"
+Set-Content C:\vagrant\resources\windows_pre_downloads\wmf_install\install_wmf.bat $installCmd
+
+$Taskname = "updatepsh"
+
+SCHTASKS /CREATE /sc ONCE /st 00:00 /TN $Taskname /RU SYSTEM /RL HIGHEST /TR "C:\vagrant\resources\windows_pre_downloads\wmf_install\install_wmf.bat"
+schtasks /Run /TN $Taskname
+start-sleep -s 5
+schtasks /delete /tn $Taskname /f
+start-sleep -s 30

versions/pro/Vagrantfile

@@ -69,6 +69,7 @@ Vagrant.configure("2") do |config|
       chef.add_recipe "metasploitable::cups"
       chef.add_recipe "metasploitable::drupal"
       chef.add_recipe "metasploitable::knockd"
+      chef.add_recipe "metasploitable::ingreslock"
       chef.add_recipe "metasploitable::iptables"
       chef.add_recipe "metasploitable::flags"
       chef.add_recipe "metasploitable::clear_cache"