How can I automatically pass the password to 'su'?


I am working on an exploit for a security course. The object is to obtain a root shell in a Linux virtual machine. So far, I can write to /etc/passwd and change root's password to an arbitrary string.

Now, I want to use su to get the root shell. Since my exploit has to be automated, it can't prompt for a password, and the VM doesn't have expect installed. Does anybody have any idea how I can pass the password to the su command? Or is there a better way?

noobler

Posted 2012-01-24T20:46:39.653

Reputation: 157

If you are able to write to /etc/passwd, then surely you have already elevated to root? In that case, couldn't you setuid on /bin/bash and run it? – Paul – 2012-01-24T22:50:12.263

I don't have root on the VM. We are to exploit a given backup program that has setuid set. By passing it malicious arguments I can get it to change the owner of /etc/passwd. – noobler – 2012-01-25T03:16:42.753

Can you pass the setuid process malicious arguments to do a setuid on /bin/bash? – Paul – 2012-01-25T03:31:56.107

@noobler Do you have the source for the backup program? If not, you need to find a buffer overflow by trial and error. su opens /dev/tty to read the password. You need to find a way to persuade su to use your very own /dev/tty. – ott-- – 2012-05-23T20:35:52.717

Answers


The best way to automate this type of input is using expect or, better, pexpect. Most servers come with Python, at least with a modern distribution.

First off, you said your VM does not have expect installed? I'm not sure why that matters. Is there any reason why you cannot install/execute something under your local account?

Next consideration: why must you even use passwd? You can also change a password by replacing the hash specified in /etc/shadow. You obviously would need to correctly pregenerate a hash first, but as long as you use a supported one it should work as expected. How you would script such an action is an exercise for you to work out.

I also want to mention that passwd does not read its input from STDIN. If I'm not mistaken, it reads from a tty. So no fancy combo of just echo and sleep would work. However, it's possible using a heredoc, but this assumes the system is sufficiently responsive. You may be able to break it up and sleep between entries. I just tested this; it worked on my Ubuntu workstation.

#!/bin/bash
# Feed the new password and its confirmation to passwd via a quoted heredoc
passwd root <<'EOF'
newpassword
newpassword
EOF

J. M. Becker

Posted 2012-01-24T20:46:39.653

Reputation: 593


Your exploit could also write to the groups file and make the current user part of the 'wheel' group (or whatever group can run sudo commands without a password). Then you'll be able to sudo su root (or any other user) without a password.

Running visudo should give you some direction on the setup of the 'wheel' group on your machine.

To clarify: once a user becomes part of the wheel group, they can run sudo commands without needing a password.

CamelBlues

Posted 2012-01-24T20:46:39.653

Reputation: 265

sudo is not installed on the VM. – noobler – 2012-01-24T21:23:44.323