Share
## https://sploitus.com/exploit?id=D721BAA4-6B1C-584F-B38D-CE016CD81B0C
# CVE-2024-48990 PYTHONPATH Hijack - Privilege Escalation Exploit

This tool automates the exploitation of a privilege escalation vulnerability in `needrestart` version 3.7, identified as **CVE-2024-48990**.  
It achieves root execution by leveraging the insecure use of the `PYTHONPATH` environment variable when `needrestart` scans Python processes.

## Summary

The exploit works by:

1. Compiling a malicious shared object (`__init__.so`) that is triggered on import.
2. Serving the `.so` via a local HTTP server.
3. Connecting to the target via SSH and preparing a malicious `PYTHONPATH` environment.
4. Launching a Python bait process that continuously imports `importlib`.
5. Running `needrestart`, which inherits the manipulated `PYTHONPATH`, loads the malicious module, and executes the payload as root.
6. The payload creates a SUID binary (`/tmp/poc`), allowing root shell access.

## Usage

Run the exploit from your attacker machine:

    python3 conversor_one_shot.py --user  --host  --att-ip  --ssh-pass 

Parameters:

- --user SSH username on the target
- --host Target IP address
- --att-ip Attacker IP (used for hosting the payload)
- --ssh-pass SSH password (omit if using SSH keys)
- --http-port Optional HTTP port (default: 8000)

## CVE

- **CVE ID:** [CVE-2024-48990](https://vulners.com/cve/CVE-2024-48990)
- **Affected Software:** `needrestart` version 3.7
- **Vulnerability Type:** Insecure environment variable handling
- **Impact:** Local privilege escalation to root

## Cleanup

To remove exploit traces from the target:

    rm -rf /tmp/malicious /tmp/poc /tmp/exploit.sh

## Requirements

### Attacker machine:
- Python 3
- `pexpect` (`pip3 install pexpect`)
- `gcc` (for compiling the payload)
- Open SSH access to the target
- `python3 -m http.server` (automatically started by the script)

### Target machine:
- A vulnerable version of `needrestart` (v3.7)
- A non-root user with `sudo` NOPASSWD rights for `/usr/sbin/needrestart`
- Python 3 and `curl` installed

## Disclaimer

This tool is provided for educational and authorized security testing purposes only.
Do not use it on systems you do not own or without explicit permission.