#!/bin/bash
: '
UTILITY SCRIPT FOR KERNEL EXPLOIT @ SECCAMP23
This script helps with miscellaneous operations for kernel exploit development.
For usage, run with -h option.
For more rich functionality, use lysithea(https://github.com/smallkirby/lysithea).
Author : @smallkirby
LICENSE : MIT
'
# -e: abort on any unhandled failure, -u: unset variables are errors,
# -E: the ERR trap declared further down is inherited by functions and
# subshells, pipefail: a failing stage fails the whole pipeline.
set -euE -o pipefail
# ANSI colour escapes; they are expanded by `echo -e` in the message lines.
readonly C_RST="\e[0m"
readonly C_GREEN="\e[32m"
readonly C_RED="\e[31m"
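function doerr() {
  # Print an error banner to stderr and exit 1.
  # Arguments: $1 - reason (may be empty)
  #            $2 - optional line number; the ERR trap passes $LINENO, other
  #                 callers get the line they called doerr from
  # Globals:   C_RED, C_RST (read)
  # Returns:   never (exit 1)
  local REASON="${1:-}"
  # The original fell back to an undefined $LINENUM here, which under set -u
  # aborted the handler before the message was printed.
  local LINE="${2:-${BASH_LINENO[0]}}"
  echo "" >&2
  # %s for the reason: it may contain backslashes from $BASH_COMMAND and must
  # be printed verbatim, not escape-interpreted.
  if [ -n "$REASON" ]; then
    printf '[%bERR%b] %s (%s @ L%s)\n' "$C_RED" "$C_RST" "$REASON" "${BASH_SOURCE[0]}" "$LINE" >&2
  else
    printf '[%bERR%b] Exiting at (%s @ L%s)\n' "$C_RED" "$C_RST" "${BASH_SOURCE[0]}" "$LINE" >&2
  fi
  exit 1
}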
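# Report any failing command through doerr (set -E makes this fire inside
# functions too). ${FUNCNAME[0]} is the function the failing command ran in;
# the :- default keeps set -u from aborting the handler itself when the call
# stack is shallower than the old ${FUNCNAME[2]} index assumed (e.g. a command
# failing directly inside extract() called from main()).
trap 'doerr "failed command: $BASH_COMMAND (in ${FUNCNAME[0]:-toplevel})" $LINENO' ERR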
###############################################
# Artefact names, all relative to the current working directory.
readonly ROOTFS=rootfs.cpio.gz          # gzip'd cpio read by extract(), rewritten by compress()
readonly ROOTFS_UNCOMP=rootfs.cpio      # intermediate uncompressed cpio produced by compress()
readonly RUNSCRIPT=run.sh               # launcher executed by run_local()
readonly EXTRACTDIR=exted               # directory extract() unpacks the rootfs into
readonly SYSTEM_SCRIPT=S999p3land       # init script pack_assets() copies into etc/init.d/
readonly SRCDIR=src
# Deliberately not readonly: the -e option in main() overrides it.
EXPLOITSRC=$SRCDIR/exploit.c
readonly ALPINE_DOCKER_IMAGE=lysithea-remote-builder   # builder image used by build_compact_exploit()
readonly ALPINE_DOCKER_CONTAINER="$ALPINE_DOCKER_IMAGE"-instance
function usage() {
  # Print the command summary to stdout and exit 0.
  # Globals: C_GREEN, C_RST, EXTRACTDIR (read)
  # Returns: never (exit 0)
  local -a help_lines=(
    "${C_GREEN}Usage${C_RST}:"
    " $0 <command> [options]"
    "${C_GREEN}Commands${C_RST}:"
    " extract\tExtract rootfs into $EXTRACTDIR directory"
    " compress\tCompress rootfs from $EXTRACTDIR directory"
    " local\t\tRun exploit locally"
    "${C_GREEN}Options${C_RST}:"
    " -e\t\tSpecify exploit source file"
  )
  # %b expands the \t and \e escapes exactly like `echo -e` did.
  printf '%b\n' "${help_lines[@]}"
  exit 0
}
###############################################
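function extract() {
  # Unpack $ROOTFS (gzip'd cpio) into $EXTRACTDIR so its contents can be edited.
  # Globals: ROOTFS, EXTRACTDIR, C_GREEN, C_RST (read)
  # Returns: exits via doerr when the rootfs archive is missing
  echo -e "[${C_GREEN}EXTRACT${C_RST}] Extracting rootfs..."
  echo -e "[${C_GREEN}EXTRACT${C_RST}] $ROOTFS -> $EXTRACTDIR"
  # Check up front: otherwise zcat fails inside the pipeline after the
  # (empty) target directory has already been created.
  if [ ! -f "$ROOTFS" ]; then
    doerr "rootfs not found: $ROOTFS"
  fi
  mkdir -p -- "$EXTRACTDIR"
  # The subshell keeps the directory change local, so no `cd -` is needed.
  (
    cd -- "$EXTRACTDIR"
    zcat "../$ROOTFS" | cpio -idv 2>/dev/null
  )
}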
function compress() {
  # Re-pack $EXTRACTDIR into a newc cpio archive and gzip it to $ROOTFS.
  # Globals: EXTRACTDIR, ROOTFS_UNCOMP, ROOTFS, C_GREEN, C_RST (read)
  # Returns: exits via doerr when $EXTRACTDIR is missing or cpio fails
  local tag="[${C_GREEN}COMPRESS${C_RST}]"
  echo -e "$tag Compressing rootfs..."
  echo -e "$tag $EXTRACTDIR -> $ROOTFS_UNCOMP"
  [[ -d "$EXTRACTDIR" ]] || doerr "run 'extract' command first"
  cd "$EXTRACTDIR"
  echo -e "$tag $ROOTFS_UNCOMP -> $ROOTFS"
  # --owner root: presumably so archive entries do not carry the host uid.
  if ! find ./ -print0 | cpio --owner root --null -o --format=newc >"../$ROOTFS_UNCOMP"; then
    doerr "failed to compress rootfs"
  fi
  cd - >/dev/null
  gzip -f "$ROOTFS_UNCOMP"
}
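function pack_assets() {
  # Copy the init script and the built ./exploit into the extracted rootfs.
  # Globals: SYSTEM_SCRIPT, EXTRACTDIR, C_GREEN, C_RST (read)
  # Returns: exits via doerr when the rootfs is not extracted or the binary is missing
  echo -e "[${C_GREEN}PACK${C_RST}] Packing assets..."
  local initd="$EXTRACTDIR/etc/init.d"
  # Same hint compress() gives, instead of an opaque cp error from the trap.
  if [ ! -d "$initd" ]; then
    doerr "run 'extract' command first ($initd not found)"
  fi
  if [ ! -f ./exploit ]; then
    doerr "exploit binary not found; build it first"
  fi
  cp -- "$SYSTEM_SCRIPT" "$initd/"
  cp -- ./exploit "$EXTRACTDIR/"
}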
function build_exploit() {
  # Compile $EXPLOITSRC with the host toolchain into a static ./exploit.
  # Globals: EXPLOITSRC, C_GREEN, C_RST (read)
  local -a link_flags=(--static -masm=intel -luring -pthread)
  echo -e "[${C_GREEN}BUILD${C_RST}] Building exploit: $EXPLOITSRC"
  gcc "$EXPLOITSRC" -o exploit "${link_flags[@]}"
}
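function build_compact_exploit() {
  # Build a static ./exploit inside the Alpine (musl) builder image, then
  # strip it and emit exploit.gz.b64 (gzip + base64) for sender.py.
  # Globals: EXPLOITSRC, ALPINE_DOCKER_IMAGE, ALPINE_DOCKER_CONTAINER,
  #          C_GREEN, C_RST (read)
  # Returns: exits via doerr / the ERR trap when docker or gcc fails
  echo -e "[${C_GREEN}COMPACT${C_RST}] Building exploit: $EXPLOITSRC"
  local EXPLOIT=exploit
  # Exact-name lookup: `docker images | grep NAME` also matched any image
  # whose name merely contained NAME. Split from `local` so the status is real.
  local image_existing
  image_existing=$(docker images -q "$ALPINE_DOCKER_IMAGE" 2>/dev/null || :)
  if [ -z "$image_existing" ]; then
    echo -e "[${C_GREEN}COMPACT${C_RST}] building docker image to build with musl-libc..."
    echo -e " (this might take some minutes, but don't worry this is first-time only)"
    docker build -t "$ALPINE_DOCKER_IMAGE" - <./Dockerfile
  fi
  # Run the compiler as the invoking uid/gid: the bind-mounted output is then
  # owned by the user already, so the previous `sleep 1; sudo chown` step
  # (and the root privilege it needed) goes away. -it is dropped as gcc needs
  # no TTY and it breaks non-interactive runs. The source and output paths are
  # passed as positional arguments to sh, never spliced into the -c string.
  docker container run \
    --name "$ALPINE_DOCKER_CONTAINER" \
    --rm \
    --user "$(id -u):$(id -g)" \
    -v "$PWD:$PWD" \
    -w "$PWD" \
    "$ALPINE_DOCKER_IMAGE" /bin/sh -c 'gcc "$1" -o "$2" --static -masm=intel -lpthread -luring' sh "$EXPLOITSRC" "$EXPLOIT"
  [ -f "$EXPLOIT" ] || doerr "container build did not produce $EXPLOIT"
  strip "$EXPLOIT"
  # -f: a leftover exploit.gz from an interrupted run must not abort gzip.
  gzip -f "$EXPLOIT"
  base64 "$EXPLOIT".gz >"$EXPLOIT".gz.b64
  rm -f "$EXPLOIT".gz
}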
function run_local() {
  # Build the exploit with the host toolchain, stage it into the rootfs,
  # re-pack the image and start it with $RUNSCRIPT.
  # Globals: RUNSCRIPT, C_GREEN, C_RST (read)
  local tag="[${C_GREEN}LOCAL${C_RST}]"
  build_exploit
  pack_assets
  compress
  printf '%b\n' "$tag Starting QEMU..."
  "./$RUNSCRIPT"
  printf '%b\n' "$tag QEMU exited."
}
function run_remote() {
  # Build the compact (musl, base64-encoded) exploit and hand it to sender.py,
  # which takes its parameters from the EXPLOIT_* environment variables.
  # Globals: C_GREEN, C_RST (read)
  build_compact_exploit
  local -r target_host=localhost
  local -r target_port=49409
  local -r payload_file=exploit.gz.b64
  printf '%b\n' "[${C_GREEN}REMOTE${C_RST}] Starting remote exploit..."
  # sender.py is invoked with python2, as in the original; unchanged here.
  EXPLOIT_BIN="$payload_file" EXPLOIT_HOST="$target_host" EXPLOIT_PORT="$target_port" python2 sender.py r
}
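function main() {
  # Parse the command line and dispatch to the selected command function.
  # Arguments: <command> [-e exploit.c]; see usage()
  # Globals:   EXPLOITSRC (written by -e)
  # Returns:   the status of the dispatched command; exits via doerr on bad input
  if [ $# -eq 0 ]; then
    usage
  fi
  # Default to usage: the old default `help` was not a function, so e.g.
  # `-e src/x.c` alone ended in "command not found" through the ERR trap.
  local CMD=usage
  while [[ $# -gt 0 ]]; do
    case "$1" in
      -h | --help | help)
        usage
        ;;
      compress)
        CMD=compress
        shift
        ;;
      extract)
        CMD=extract
        shift
        ;;
      local)
        CMD=run_local
        shift
        ;;
      remote)
        CMD=run_remote
        shift
        ;;
      -e)
        shift
        if [ $# -eq 0 ]; then
          doerr "specify exploit source with -e option"
        fi
        EXPLOITSRC=$1
        shift
        if [ ! -f "$EXPLOITSRC" ]; then
          doerr "invalid exploit source: $EXPLOITSRC"
        fi
        ;;
      *)
        doerr "invalid option: $1"
        ;;
    esac
  done
  "$CMD"
}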
# Entry point: all top-level work happens inside main().
main "$@"