PXE exploitation

Update 2:
See the latest, including the Defcon talk at my new blog: http://www.scriptjunkie.us/2011/08/network-nightmare/

Update:
This complete attack, including the DHCP server, has been incorporated into Metasploit. Update and enjoy. The module is auxiliary/server/pxexploit


PXE booting has been around for over a decade and is supported by most system BIOSs. And I have also seen it left on in production environments. Although it is very convenient for mass OS installs, etc, if left unsecured; it gives full system control to any attacker on the LAN who can run a DHCP+TFTP server. This has been discussed before, but no tools for the pentester have been released as far as I can tell. So I am releasing pxexploit to provide this ability: a number of files and a patch to add to metasploit that provides a DHCP server and slightly modifies the TFTP server to serve a series of files to a client to own any PXE-booting client.

Here’s how it works:
Client PXE environment issues a DHCPDISCOVER answered by pxexploit’s DHCPOFFER; Client sends DHCPREQUEST; pxexploit answers with DHCPRESPONSE.
The responses point to the system running pxexploit as the TFTP boot server, with a filename of update1, and pxelinux-specific options that specify a config file named update2.

Client PXE environment downloads update1, which is really pxelinux.0; renamed so that what is occurring is not readily apparent to someone sitting at the keyboard.

pxelinux takes over client’s system, and downloads the config file update2, which specifies an immediate boot using a kernel named update3 and an initrd named update4

Screen shows loading of update3 and update4 (the kernel and initrd)

pxelinux transfers execution to the kernel, and a small, fast initrd takes over.

The initrd’s init file executes, and iterates through each hard drive partition it can access, including ntfs-3g drivers. If it detects a windows partition, it swaps svchost.exe with a small exe that runs the old svchost.exe with the same command line and also runs a script that installs metsvc, adds an admin user, and disables the firewall, then replaces svchost.exe and reboots. For a linux partition, it adds a uid 0 user with username metasploit and password metasploit. Then the initrd reboots the system, letting the system boot from hard disk. (the DHCP server does not answer a second time to the same client)

To get working, apply this diff:
http://scriptjunkie1.110mb.com/security/pxexploit.diff
and add these new files :
http://scriptjunkie1.110mb.com/security/pxexploitNewFiles.zip

The initrd is based off the LGPL’d puppy linux initrd.

Advertisements
  1. #1 by voidnecron on 11 August 2011 - 1809

    Hi,

    I’ve been trying to get your pxexploit working, but sofar no luck.
    I’m using it in the msfconsole, so perhaps the ruby file isn’t configured right, but it fails at sending the files.
    Well, it can’t actually find the files, hence it fails.
    Setup: Backtrack machine is 192.168.12.30.
    Victim is 192.168.12.33.

    Error is:
    CLIENT MAC ADDR: GUID:
    CLIENT IP: 192.168.12.33 MASK: 255.255.255.0 DHCP IP: 192.168.12.30
    GATEWAY IP: 192.168.12.30
    TFTP.
    PXE-T01: File not found
    PXE-E3B: TFTP Error – File Not found
    PXE-M0F: Exiting Intel PXE ROM.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: