Proof-of-concept for escalating privledges
This commit is contained in:
parent
6d5959587a
commit
13007358c5
|
@ -0,0 +1,77 @@
|
|||
#include <errno.h>
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
#include <limits.h>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
/*
|
||||
todo:
|
||||
error if euid is not right
|
||||
*/
|
||||
|
||||
#ifndef NINJUTSU_SEC_GROUP
|
||||
#ifdef __APPLE__
|
||||
#define NINJUTSU_SEC_GROUP "staff"
|
||||
#else
|
||||
#define NINJUTSU_SEC_GROUP "wheel"
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#define NINJUTSU_SEC_EUID 0
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
if(argc < 2) {
|
||||
fprintf(stderr, "no command provided\n");
|
||||
return 1;
|
||||
} else if(NINJUTSU_SEC_EUID != geteuid()) {
|
||||
fprintf(stderr, "permissions are incorrect\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
struct passwd *entry = getpwuid(getuid());
|
||||
|
||||
if(!entry) {
|
||||
fprintf(stderr, "unable to get passwd entry: %s\n", strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
|
||||
int groups[NGROUPS_MAX] = { 0 };
|
||||
int groups_sz = NGROUPS_MAX;
|
||||
|
||||
if(getgrouplist(entry->pw_name, entry->pw_gid, groups, &groups_sz) < 0) {
|
||||
fprintf(stderr, "unable to get full group list\n");
|
||||
}
|
||||
|
||||
struct group *group = getgrnam(NINJUTSU_SEC_GROUP);
|
||||
|
||||
if(!group) {
|
||||
fprintf(stderr, "unable to get group entry: %s\n", strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
|
||||
uint8_t idx = 0;
|
||||
uint8_t found_group = 0;
|
||||
|
||||
for(; idx < groups_sz; idx += 1) {
|
||||
if(group->gr_gid == (unsigned int) groups[idx]) {
|
||||
found_group = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if(!found_group) {
|
||||
fprintf(stderr, "I'm sorry, %s. I'm afraid I can't do that.\n", entry->pw_name);
|
||||
return 1;
|
||||
} else if(setuid(geteuid()) < 0) {
|
||||
fprintf(stderr, "could not set uid: %s\n", strerror(errno));
|
||||
return 1;
|
||||
} else if(execvp(*(argv + 1), argv + 1) < 0) {
|
||||
fprintf(stderr, "could not run command: %s\n", strerror(errno));
|
||||
return 1;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
Loading…
Reference in New Issue