From 13007358c5afb35acdb5feefc07be34414e5ae66 Mon Sep 17 00:00:00 2001
From: Nick Chambers <uplime@spookyinternet.com>
Date: Fri, 22 Jul 2022 19:54:06 -0500
Subject: [PATCH] Proof-of-concept for escalating privledges

---
 c/ninjutsu.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 c/ninjutsu.c

diff --git a/c/ninjutsu.c b/c/ninjutsu.c
new file mode 100644
index 0000000..ceb1c6b
--- /dev/null
+++ b/c/ninjutsu.c
@@ -0,0 +1,77 @@
+#include <errno.h>
+#include <grp.h>
+#include <pwd.h>
+#include <limits.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+/*
+todo:
+error if euid is not right
+*/
+
+#ifndef NINJUTSU_SEC_GROUP
+#ifdef __APPLE__
+#define NINJUTSU_SEC_GROUP "staff"
+#else
+#define NINJUTSU_SEC_GROUP "wheel"
+#endif
+#endif
+
+#define NINJUTSU_SEC_EUID 0
+
+int main(int argc, char **argv) {
+  if(argc < 2) {
+    fprintf(stderr, "no command provided\n");
+    return 1;
+  } else if(NINJUTSU_SEC_EUID != geteuid()) {
+    fprintf(stderr, "permissions are incorrect\n");
+    return 1;
+  }
+
+  struct passwd *entry = getpwuid(getuid());
+
+  if(!entry) {
+    fprintf(stderr, "unable to get passwd entry: %s\n", strerror(errno));
+    return 1;
+  }
+
+  int groups[NGROUPS_MAX] = { 0 };
+  int groups_sz = NGROUPS_MAX;
+
+  if(getgrouplist(entry->pw_name, entry->pw_gid, groups, &groups_sz) < 0) {
+    fprintf(stderr, "unable to get full group list\n");
+  }
+
+  struct group *group = getgrnam(NINJUTSU_SEC_GROUP);
+
+  if(!group) {
+    fprintf(stderr, "unable to get group entry: %s\n", strerror(errno));
+    return 1;
+  }
+
+  uint8_t idx = 0;
+  uint8_t found_group = 0;
+
+  for(; idx < groups_sz; idx += 1) {
+    if(group->gr_gid == (unsigned int) groups[idx]) {
+      found_group = 1;
+      break;
+    }
+  }
+
+  if(!found_group) {
+    fprintf(stderr, "I'm sorry, %s. I'm afraid I can't do that.\n", entry->pw_name);
+    return 1;
+  } else if(setuid(geteuid()) < 0) {
+    fprintf(stderr, "could not set uid: %s\n", strerror(errno));
+    return 1;
+  } else if(execvp(*(argv + 1), argv + 1) < 0) {
+    fprintf(stderr, "could not run command: %s\n", strerror(errno));
+    return 1;
+  }
+
+  return 1;
+}