The best way to automate this type of input is using expect, or better, pexpect. Most servers come with Python, at least with a modern distribution.
First off, you said your VM does not have expect installed? I'm not sure why that matters. Is there any reason why you cannot install/execute something under your local account?
Next consideration: why must you even use passwd? You can also change a password by replacing the hash specified in /etc/shadow. You obviously would need to correctly pregenerate a hash first, but as long as you use a supported one it should work as expected. Now how you would script such an action, that's an exercise for you to work out.
I also want to mention, passwd does not read its input from STDIN. If I'm not mistaken, it reads from a tty. So no fancy combo of just echo and sleep would work. However, it's possible using a HEREDOC, but this assumes the system is sufficiently responsive. You may be able to break it up and sleep between entries. I just tested this; it worked on my Ubuntu workstation.
#!/bin/bash
passwd root <<'EOF'
newpassword
newpassword
EOF
If you are able to write to /etc/passwd, then surely you have already elevated to root? In that case, couldn't you setuid on /bin/bash and run it? – Paul – 2012-01-24T22:50:12.263
I don't have root on the vm. We are to exploit a given backup program that has setuid set. By passing it malicious arguments I can get it to change the owner of /etc/passwd. – noobler – 2012-01-25T03:16:42.753
Can you pass the setuid process malicious arguments to do a setuid on /bin/bash? – Paul – 2012-01-25T03:31:56.107
@noobler Do you have the source for the backup program? If not, you need to find a buffer overflow by trial and error. su opens /dev/tty to read the password. You need to find a way to persuade su to use your very own /dev/tty. – ott-- – 2012-05-23T20:35:52.717