6-14 Vulnerability exploitation: rpcbind vulnerability exploitation
2022-07-24 03:46:00 【Mountain Rabbit 1】

Introduction to rpcbind
In layman's terms, rpcbind is a service used for message notification in NFS.
In general, rpcbind runs on ports 111 and 31. On the NFS side it is enabled in the configuration with rpcbind_enable="YES".

Let's probe the open ports of the current machine. Generally, when rpcbind is open, the NFS network-sharing function is also present; the NFS port is 2049.
nmap 192.168.42.137

Probing the target's rpcbind
Use nmap -sV -p 111 <IP address> to detect the rpcbind version information on the target.
nmap -sV -p 111 192.168.42.137

In the real world, after we have detected the service and its version, we can check whether there are exploitable vulnerabilities with:
searchsploit rpcbind2

You can see that rpcbind has some vulnerabilities and scripts like these. Use the few RCE scripts and vulnerability-discovery scripts; I won't use the DoS scripts and their content.
In some cases you will find that the service has an RCE (remote code execution) vulnerability. Then we can use the probe script or test script to perform the corresponding reverse-shell operation. I didn't find one here.

nmap script probe
In nmap, use nmap -p 111 --script=rpcinfo <target address> to detect the target's rpcinfo information.
nmap -p 111 --script=rpcinfo 192.168.42.137

The port information above was detected using nmap only.

metasploit module detection
Use the auxiliary/scanner/misc/sunrpc_portmapper module in metasploit for target detection.
msfconsole
use auxiliary/scanner/misc/sunrpc_portmapper
// A module for discovering port information
show options
set rhosts 192.168.1.106
show info
// View module information
run

The mapping output shows the port number that corresponds to each RPC program. With metasploit we find the ports that go together with NFS: nlockmgr and mountd. Through metasploit we can see that NFS is open on the target, so we can carry out the next stage of detection. If the NFS port is not 2049, this is where rpcbind is very useful: it lets us find the corresponding NFS port number.
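
The program-to-port mapping described above can be read mechanically when auditing what a host advertises through rpcbind. The following Python script is an added example, not part of the original post: it parses a table in the format printed by rpcinfo -p and reports where nfs, mountd and nlockmgr are registered, including the case where NFS is not on 2049. The sample table and the function names are constructed for illustration.

```python
"""Parse `rpcinfo -p` style portmapper output and report NFS-related ports."""
from collections import defaultdict

# Well-known ONC RPC program numbers for the services named in the text.
NFS_PROGRAMS = {100003: "nfs", 100005: "mountd", 100021: "nlockmgr"}
DEFAULT_NFS_PORT = 2049

# Constructed sample (not captured from a real host); NFS moved off 2049.
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100003    3   tcp  12049  nfs
    100003    4   tcp  12049  nfs
    100021    4   tcp  38465  nlockmgr
    100024    1   tcp  45127  status
"""

def parse_rpcinfo(text):
    """Return {program_number: {(proto, port), ...}} from `rpcinfo -p` output."""
    table = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Data rows are: program vers proto port [service]; skip header/garbage.
        if len(fields) < 4 or not (fields[0].isdigit() and fields[3].isdigit()):
            continue
        table[int(fields[0])].add((fields[2], int(fields[3])))
    return dict(table)

def nfs_exposure(text):
    """Map each NFS-related service name to its sorted (proto, port) endpoints."""
    table = parse_rpcinfo(text)
    return {name: sorted(table[prog])
            for prog, name in NFS_PROGRAMS.items() if prog in table}

def nfs_on_nonstandard_port(text):
    """True when nfs is registered but not on the default port 2049."""
    ports = {port for _, port in nfs_exposure(text).get("nfs", [])}
    return bool(ports) and DEFAULT_NFS_PORT not in ports

if __name__ == "__main__":
    for name, endpoints in nfs_exposure(SAMPLE).items():
        print(name, endpoints)
    print("non-default NFS port:", nfs_on_nonstandard_port(SAMPLE))
```

On a host you administer, the same functions can be fed the real output of rpcinfo -p to confirm that only the intended RPC services are registered and that firewall rules cover the ports they actually use.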