
CVE-2022-37706 PoC — Enlightenment permission and access control vulnerability

Source
Associated Vulnerability
Title: Enlightenment permission and access control vulnerability (CVE-2022-37706)
Description: Enlightenment is an advanced X11 window manager from the Debian community in the United States. Enlightenment contains a permission and access control vulnerability. No further details about this vulnerability are available at present; please follow CNNVD or the vendor's advisories.
Description
Privilege escalation exploit script for the Boardlight machine on HackTheBox. I had access as the Larissa user and ran this script from the /tmp directory; the script has been adjusted accordingly.
Readme
# CVE-2022-37706 Exploit: Enlightenment v0.25.3 Privilege Escalation

## Description
This repository contains an exploit for **CVE-2022-37706**, a local privilege escalation vulnerability in **Enlightenment v0.25.3** and earlier. The vulnerability exists due to improper handling of pathnames starting with the `/dev/..` substring in the `enlightenment_sys` binary, which is SUID-root by default. By exploiting this behavior, attackers can execute arbitrary commands as root, resulting in full system control.

## Exploit Details
- **Vulnerable Binary**: `enlightenment_sys` (setuid-root)
- **CVE**: [CVE-2022-37706](https://nvd.nist.gov/vuln/detail/CVE-2022-37706)
- **Severity**: Critical
- **Tested On**: Ubuntu 22.10 (Kinetic Kudu)

### Exploit Workflow
1. The vulnerable binary is located, ensuring it is SUID and accessible.
2. Malicious directories and payloads are created to abuse the binary's improper pathname handling.
3. The exploit triggers the binary with crafted mount options, executing the payload as root.
4. Cleanup routines are included to remove evidence after exploitation.

## Usage
### Prerequisites
- Access to the vulnerable system as a low-privileged user.
- Vulnerable version of Enlightenment installed (`<0.25.3`).

### Exploit Execution
1. Clone or copy the exploit to the target system. Run it from `/tmp` if using it on the Boardlight HTB machine.
2. Save the exploit script as `exploit.sh` and make it executable:

   ```bash
   chmod +x exploit.sh
   ```

3. Execute the script:

   ```bash
   ./exploit.sh
   ```

4. If successful, a root shell (`#` prompt) will open.

### Example Output

```
CVE-2022-37706 Exploit Initiated
[*] Using known path to vulnerable binary
[+] Vulnerable SUID binary found at: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
[*] Preparing exploit directories and files
[+] Exploit script created. Attempting to escalate privileges
[+] Welcome to the rabbit hole :)
root@target:~#
```
File Snapshot

```
[4.0K] /data/pocs/62501f4dbf4ee435dd813c239cb9cd7df1087c17
├── [1.0K] exploit.sh
└── [1.9K] README.md

0 directories, 2 files
```