4. Service Exploits

Introduction

Services are simply programs that run in the background, accepting input or performing regular tasks.

If vulnerable services are running as root, exploiting them can lead to command execution as root.

Service exploits can be found using Searchsploit, Google, and GitHub, just like with kernel exploits.


Identify Services Running as Root

The following command will show all processes that are running as root:

$ ps aux | grep "^root"

With any results, try to identify the version number of the program being executed.


Enumerating Program Versions

Running the program with the --version/-v command line option often shows the version number:

$ <program> --version
$ <program> -v

On Debian-like distributions, dpkg can show installed programs and their version:

$ dpkg -l | grep <program>

On systems that use rpm, the following achieves the same:

$ rpm -qa | grep <program>
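
The two enumeration steps above (root-owned processes, then package versions) can be chained into one inventory, which is the form an administrator wants when checking each root-run service against the distribution's security advisories. The script below is an added example and is not part of the original notes; it assumes a Linux host with a procps-style `ps aux` (USER in column 1, COMMAND starting in column 11) and, optionally, `dpkg` or `rpm`. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: inventory root-owned processes and the package/version behind each
# executable. Assumes procps-style "ps aux" output; dpkg and rpm are used if present.

# Keep only lines whose USER column is root and print the first word of COMMAND.
# Reads "ps aux" output from stdin. LC_ALL=C gives a stable byte-wise sort order.
root_commands() {
    awk '$1 == "root" { print $11 }' | LC_ALL=C sort -u
}

# Resolve a command name to an executable path. Prints nothing (and returns non-zero)
# for kernel threads such as "[kthreadd]" or for paths that do not exist.
resolve_binary() {
    cmd=$1
    case "$cmd" in
        /*) [ -x "$cmd" ] && printf '%s\n' "$cmd" ;;
        *)  command -v "$cmd" 2>/dev/null ;;
    esac
}

# Print "package version" for a path using whichever package manager is installed.
# Prints "unpackaged" when no package owns the file, which usually means the service
# was installed by hand and will not be covered by the distribution's patching.
package_version() {
    path=$1
    if command -v dpkg-query >/dev/null 2>&1; then
        # "dpkg -S" prints "pkg[:arch]: /path"; keep the package name only.
        pkg=$(dpkg -S "$path" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -n "$pkg" ]; then
            dpkg-query -W -f='${Package} ${Version}\n' "$pkg" 2>/dev/null && return 0
        fi
    fi
    if command -v rpm >/dev/null 2>&1; then
        out=$(rpm -qf --qf '%{NAME} %{VERSION}-%{RELEASE}\n' "$path" 2>/dev/null) \
            && { printf '%s\n' "$out"; return 0; }
    fi
    printf 'unpackaged\n'
}

# Full inventory of the current host: one line per distinct root-run executable,
# tab-separated as "<path>\t<package version | unpackaged>".
inventory() {
    ps aux 2>/dev/null | root_commands | while read -r cmd; do
        bin=$(resolve_binary "$cmd") || continue
        [ -n "$bin" ] || continue
        printf '%s\t%s\n' "$bin" "$(package_version "$bin")"
    done
}

inventory
```

Lines reported as `unpackaged` deserve the closest look: their version has to be established with `--version`/`-v` by hand, and they are the ones a routine `apt`/`yum` update will never fix.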

Port Forwarding

In some instances, a root process may be bound to an internal port, through which it communicates.

If, for some reason, an exploit cannot be run locally on the target machine, the port can be forwarded to your local machine using SSH:

$ ssh -R <local-port>:127.0.0.1:<target-port> <username>@<local-machine>

The exploit code can now be run on your local machine at whichever port you chose.
