PoC details: 1a3dc4e78bf27e792fc758f1625957b5077f2913

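Source
Related vulnerability
Title: Canonical snapd input validation error vulnerability (CVE-2019-7304)
Description: Canonical snapd is a software deployment and package management system from Canonical, a UK company. A security vulnerability exists in Canonical snapd versions before 2.37.1. An attacker can exploit this vulnerability to execute arbitrary commands with root privileges.
Description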
Another implementation for linux privilege escalation exploit via snap(d) (CVE-2019-7304)
Introduction
# snap_priv_esc
Another implementation for linux privilege escalation exploit via snap(d) (CVE-2019-7304)
# What is snap?
**Snap** is a software [packaging](https://en.wikipedia.org/wiki/Package_manager "Package manager") and [deployment](https://en.wikipedia.org/wiki/Software_deployment "Software deployment") system developed by [Canonical](https://en.wikipedia.org/wiki/Canonical_(company) "Canonical (company)") for the [operating systems](https://en.wikipedia.org/wiki/Operating_system "Operating system") that use the [Linux](https://en.wikipedia.org/wiki/Linux "Linux") kernel. The packages, called _snaps_, and the tool for using them, _snapd_, work across a range of [Linux distributions](https://en.wikipedia.org/wiki/Linux_distribution "Linux distribution") and allow [upstream](https://en.wikipedia.org/wiki/Upstream_(software_development) "Upstream (software development)") software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system. Snap was originally released for [cloud](https://en.wikipedia.org/wiki/Cloud_computing "Cloud computing") applications[\[1\]](https://en.wikipedia.org/wiki/Snap_(package_manager)#cite_note-:6-1) but was later ported to work for [Internet of Things](https://en.wikipedia.org/wiki/Internet_of_things "Internet of things") devices[\[3\]](https://en.wikipedia.org/wiki/Snap_(package_manager)#cite_note-3)[\[4\]](https://en.wikipedia.org/wiki/Snap_(package_manager)#cite_note-4) and desktop[\[5\]](https://en.wikipedia.org/wiki/Snap_(package_manager)#cite_note-5)[\[6\]](https://en.wikipedia.org/wiki/Snap_(package_manager)#cite_note-6) applications too.

# Other snap exploits

[dirty_sock: Linux Privilege Escalation (via snapd)](https://github.com/initstring/dirty_sock)

# Exploit (without 'snapd', just snap)
### This exploit needs
- snap installed on the system
- sudo rights on snap, with or without a password

# Usage
```bash
./exp.sh "snap_path" "pwd"
# Example:
./exp.sh "/usr/bin/snap" "/home/evil"
```

Then you can use:
```bash
su - dirty_sock   # password: dirty_sock
sudo bash
```
File snapshot

```
[4.0K] /data/pocs/1a3dc4e78bf27e792fc758f1625957b5077f2913
├── [ 604] exp.sh
├── [ 243] install
├── [2.1K] README.md
└── [ 203] snap.yaml

0 directories, 4 files
```