Compilation errors ! #3

Open
xhat007 opened this issue Mar 5, 2023 · 15 comments


xhat007 commented Mar 5, 2023

Hi,

Tried to compile the exploit on different machines, including CentOS 6.9 and Ubuntu 20; I get these errors:

gcc exploit.c -o exploit agent.c agent.h -pthread -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -lgio-2.0 -lgobject-2.0 -lglib-2.0 -g -Wall -Werror -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -ldbus-1 -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -ldbus-glib-1 -ldbus-1 -lgobject-2.0 -lglib-2.0 
exploit.c: In function ‘main’:
exploit.c:100:36: error: ‘%s’ directive writing up to 1023 bytes into a region of size 1019 [-Werror=format-overflow=]
  100 |     sprintf(arguments->path, "/tmp/%s", arguments->name);
      |                                    ^~
exploit.c:100:5: note: ‘sprintf’ output between 6 and 1029 bytes into a destination of size 1024
  100 |     sprintf(arguments->path, "/tmp/%s", arguments->name);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make: *** [Makefile:12: exploit] Error 1

Thank You.

Owner

WinMin commented Mar 5, 2023

Hi,

This seems to be just a warning. Have you tried adding these two parameters?

Author

xhat007 commented Mar 5, 2023

Hi WinMin,

On Ubuntu I replaced line 17, char path[1024]; with char path[PATH_MAX]; and the compilation succeeded. But on CentOS 6.9 I still don't know what the problem is:

In file included from exploit.c:7:
/usr/include/glib-2.0/gio/gdbusconnection.h:24:2: error: #error "Only <gio/gio.h> can be included directly."
exploit.c: In function ‘method_call_start_service’:
exploit.c:34: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
exploit.c:34: error: (Each undeclared identifier is reported only once
exploit.c:34: error: for each function it appears in.)
exploit.c: In function ‘method_call_reload_systemd’:
exploit.c:50: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
exploit.c: In function ‘method_call_install_service’:
exploit.c:68: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
cc1: warnings being treated as errors
exploit.c: In function ‘main’:
exploit.c:107: error: implicit declaration of function ‘pthread_create’
exploit.c:120: error: ‘for’ loop initial declarations are only allowed in C99 mode
exploit.c:120: note: use option -std=c99 or -std=gnu99 to compile your code
In file included from agent.c:8:
/usr/include/glib-2.0/gio/gdbusconnection.h:24:2: error: #error "Only <gio/gio.h> can be included directly."
agent.c: In function ‘register_authentication_agent’:
agent.c:88: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
agent.c:88: error: (Each undeclared identifier is reported only once
agent.c:88: error: for each function it appears in.)
agent.c: In function ‘auth_agent_handle_begin_authentication’:
agent.c:152: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
make: *** [exploit] Error 1

Thanks.
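
An added example, not part of the thread or of the project's code: the diagnostic quoted in the first comment arises because "/tmp/" (5 bytes), a name of up to 1023 bytes and the terminating NUL can need 1029 bytes, more than the 1024-byte destination. Enlarging the buffer to PATH_MAX only silences the warning, whereas the bounded version below uses snprintf and treats truncation as an error. The names build_tmp_path and max_name_len are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024   /* same size as the destination in the quoted diagnostic */

/* Hypothetical helper (not from the project): write "/tmp/<name>" into dst.
 * Returns 0 on success, -1 if the arguments are unusable or the result
 * would not fit in dstsz bytes including the terminating NUL. */
int build_tmp_path(char *dst, size_t dstsz, const char *name)
{
    if (dst == NULL || dstsz == 0 || name == NULL || name[0] == '\0')
        return -1;

    int n = snprintf(dst, dstsz, "/tmp/%s", name);
    /* snprintf returns the length it needed, excluding the NUL, so
     * n >= dstsz means the output was cut short. */
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';          /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

/* Longest name that fits: buffer size minus "/tmp/" (5) minus the NUL (1). */
size_t max_name_len(size_t dstsz)
{
    return dstsz > 6 ? dstsz - 6 : 0;
}

int main(void)
{
    char path[PATH_BUF];
    char name[PATH_BUF];                    /* constructed worst-case input */

    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';           /* 1023 characters, as in the warning */
    printf("1023-char name -> %d\n", build_tmp_path(path, sizeof path, name));

    name[max_name_len(sizeof path)] = '\0'; /* 1018 characters: the longest that fits */
    printf("1018-char name -> %d, path length %zu\n",
           build_tmp_path(path, sizeof path, name), strlen(path));
    return 0;
}
```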

Owner

WinMin commented Mar 5, 2023

Would you like to try using my makefile directly?

run command: make

Author

xhat007 commented Mar 5, 2023

Yes, the following output is from the "make" command:

[xhat@localhost CVE-2021-3560]$ make

gcc exploit.c -o exploit agent.c agent.h -pthread -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include  -pthread -lgio-2.0 -lgobject-2.0 -lgmodule-2.0 -lgthread-2.0 -lrt -lglib-2.0   -g -Wall -Werror -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include  -L/lib64 -ldbus-1 -lpthread -lrt   -pthread -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include  -pthread -L/lib64 -ldbus-glib-1 -ldbus-1 -lpthread -lgobject-2.0 -lgthread-2.0 -lrt -lglib-2.0   
In file included from exploit.c:7:
/usr/include/glib-2.0/gio/gdbusconnection.h:24:2: error: #error "Only <gio/gio.h> can be included directly."
exploit.c: In function ‘method_call_start_service’:
exploit.c:34: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
exploit.c:34: error: (Each undeclared identifier is reported only once
exploit.c:34: error: for each function it appears in.)
exploit.c: In function ‘method_call_reload_systemd’:
exploit.c:50: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
exploit.c: In function ‘method_call_install_service’:
exploit.c:68: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
cc1: warnings being treated as errors
exploit.c: In function ‘main’:
exploit.c:107: error: implicit declaration of function ‘pthread_create’
exploit.c:120: error: ‘for’ loop initial declarations are only allowed in C99 mode
exploit.c:120: note: use option -std=c99 or -std=gnu99 to compile your code
In file included from agent.c:8:
/usr/include/glib-2.0/gio/gdbusconnection.h:24:2: error: #error "Only <gio/gio.h> can be included directly."
agent.c: In function ‘register_authentication_agent’:
agent.c:88: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
agent.c:88: error: (Each undeclared identifier is reported only once
agent.c:88: error: for each function it appears in.)
agent.c: In function ‘auth_agent_handle_begin_authentication’:
agent.c:152: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
make: *** [exploit] Error 1

Owner

WinMin commented Mar 5, 2023

Sorry, this exploit was written and tested on Ubuntu. I haven't tried it on CentOS yet. If I have time tomorrow, I will give it a try.

Author

xhat007 commented Mar 5, 2023

Thank you WinMin,

If you have time please give it a try.

Owner

WinMin commented Mar 6, 2023

I tried compiling on CentOS 8 and it worked.

CentOS Linux release 8.5.2111. First, install dependencies:

yum makecache --refresh
yum install dbus-glib-devel dbus-devel glib2-devel

Try to compile.

[root@iZ8vbehx37i2ttr1qqynnzZ CVE-2021-3560]# make
gcc exploit.c -o exploit agent.c agent.h -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -pthread -lgio-2.0 -lgobject-2.0 -lglib-2.0  -g -Wall -Werror -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -ldbus-1  -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -ldbus-glib-1 -ldbus-1 -lgobject-2.0 -lglib-2.0
[root@iZ8vbehx37i2ttr1qqynnzZ CVE-2021-3560]# ls
agent.c  agent.h  exploit  exploit.c  Makefile  README.md
[root@iZ8vbehx37i2ttr1qqynnzZ CVE-2021-3560]#

I have no problem. Would you like to try again?

Author

xhat007 commented Mar 6, 2023

On CentOS 6.9 it still throws compilation errors:

root@localhost CVE-2021-3560]# ls
agent.c agent.h exploit.c Makefile README.md
[root@localhost CVE-2021-3560]# yum install dbus-glib-devel dbus-devel glib2-devel

Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository epel is listed more than once in the configuration
Loading mirror speeds from cached hostfile
base                                                                                                                                                                                                                  | 3.7 kB     00:00     
epel                                                                                                                                                                                                                  | 4.7 kB     00:00     
extras                                                                                                                                                                                                                | 3.4 kB     00:00     
updates                                                                                                                                                                                                               | 3.4 kB     00:00     
Package dbus-glib-devel-0.86-6.el6.x86_64 already installed and latest version
Package 1:dbus-devel-1.2.24-11.el6_10.x86_64 already installed and latest version
Package glib2-devel-2.28.8-10.el6.x86_64 already installed and latest version
Nothing to do

[root@localhost CVE-2021-3560]# make

gcc exploit.c -o exploit agent.c agent.h -pthread -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include  -pthread -lgio-2.0 -lgobject-2.0 -lgmodule-2.0 -lgthread-2.0 -lrt -lglib-2.0   -g -Wall -Werror -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include  -L/lib64 -ldbus-1 -lpthread -lrt   -pthread -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include  -pthread -L/lib64 -ldbus-glib-1 -ldbus-1 -lpthread -lgobject-2.0 -lgthread-2.0 -lrt -lglib-2.0   
In file included from exploit.c:7:
/usr/include/glib-2.0/gio/gdbusconnection.h:24:2: error: #error "Only <gio/gio.h> can be included directly."
exploit.c: In function ‘method_call_start_service’:
exploit.c:34: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
exploit.c:34: error: (Each undeclared identifier is reported only once
exploit.c:34: error: for each function it appears in.)
exploit.c: In function ‘method_call_reload_systemd’:
exploit.c:50: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
exploit.c: In function ‘method_call_install_service’:
exploit.c:68: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
cc1: warnings being treated as errors
exploit.c: In function ‘main’:
exploit.c:107: error: implicit declaration of function ‘pthread_create’
exploit.c:120: error: ‘for’ loop initial declarations are only allowed in C99 mode
exploit.c:120: note: use option -std=c99 or -std=gnu99 to compile your code
In file included from agent.c:8:
/usr/include/glib-2.0/gio/gdbusconnection.h:24:2: error: #error "Only <gio/gio.h> can be included directly."
agent.c: In function ‘register_authentication_agent’:
agent.c:88: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
agent.c:88: error: (Each undeclared identifier is reported only once
agent.c:88: error: for each function it appears in.)
agent.c: In function ‘auth_agent_handle_begin_authentication’:
agent.c:152: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
make: *** [exploit] Error 1

Author

xhat007 commented Mar 6, 2023

Can you send over the compiled file so I can try it on my CentOS 6.9?

Owner

WinMin commented Mar 6, 2023

Author

xhat007 commented Mar 6, 2023

[xhat@localhost CVE-2021-3560]$ ls
agent.c agent.h exploit exploit.c Makefile README.md
[xhat@localhost CVE-2021-3560]$ chmod +x exploit
[xhat@localhost CVE-2021-3560]$ ./exploit
./exploit: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by ./exploit)

[xhat@localhost CVE-2021-3560]$ ldd --version | grep libc
ldd (GNU libc) 2.12

It seems that the exploit was compiled using GLIBC_2.14, which is not found on CentOS 6.9? The installed version is 2.12?

Owner

WinMin commented Mar 6, 2023

Sorry, I couldn't find 6.9 for testing. I guess it's because the corresponding function or global variable definition is missing in the header file?

Collaborator

RicterZ commented Mar 18, 2023

remove -Wall -Werror flags from compile options

Author

xhat007 commented Mar 18, 2023

Hi, RicterZ,

I tried to remove the compiler flags -Wall -Werror from the Makefile, but the compilation still failed on CentOS 6.9 with the following errors:

[xhat@localhost CVE-2021-3560]$ make
gcc exploit.c -o exploit agent.c agent.h -pthread -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -pthread -lgio-2.0 -lgobject-2.0 -lgmodule-2.0 -lgthread-2.0 -lrt -lglib-2.0 -g -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -L/lib64 -ldbus-1 -lpthread -lrt -pthread -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -pthread -L/lib64 -ldbus-glib-1 -ldbus-1 -lpthread -lgobject-2.0 -lgthread-2.0 -lrt -lglib-2.0

In file included from exploit.c:7:
/usr/include/glib-2.0/gio/gdbusconnection.h:24:2: error: #error "Only <gio/gio.h> can be included directly."
exploit.c: In function ‘method_call_start_service’:
exploit.c:34: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
exploit.c:34: error: (Each undeclared identifier is reported only once
exploit.c:34: error: for each function it appears in.)
exploit.c: In function ‘method_call_reload_systemd’:
exploit.c:50: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
exploit.c: In function ‘method_call_install_service’:
exploit.c:68: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
exploit.c: In function ‘main’:
exploit.c:120: error: ‘for’ loop initial declarations are only allowed in C99 mode
exploit.c:120: note: use option -std=c99 or -std=gnu99 to compile your code
In file included from agent.c:8:
/usr/include/glib-2.0/gio/gdbusconnection.h:24:2: error: #error "Only <gio/gio.h> can be included directly."
agent.c: In function ‘register_authentication_agent’:
agent.c:88: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
agent.c:88: error: (Each undeclared identifier is reported only once
agent.c:88: error: for each function it appears in.)
agent.c: In function ‘auth_agent_handle_begin_authentication’:
agent.c:152: error: ‘G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION’ undeclared (first use in this function)
make: *** [exploit] Error 1

Author

xhat007 commented Mar 18, 2023

I managed to make the compilation succeed on CentOS 6.9 by editing some headers in both exploit.c and agent.c:

exploit.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dbus/dbus.h>
#include <unistd.h>
#include <gio/gio.h>
#include <dbus/dbus-glib-lowlevel.h>
#include "agent.h"
#include <pthread.h>

#ifndef G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION
#define G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION (1<<2)
#endif

Removed the header <gio/gdbusconnection.h> from both exploit.c and agent.c

agent.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <dbus/dbus.h>
#include <unistd.h>
#include <gio/gio.h>
#include <dbus/dbus-glib-lowlevel.h>
#include <pthread.h>

#ifndef G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION
#define G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION (1<<2)
#endif

Compiled with :

gcc exploit.c -o exploit agent.c agent.h -std=gnu99 -pthread -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -pthread -lgio-2.0 -lgobject-2.0 -lgmodule-2.0 -lgthread-2.0 -lrt -lglib-2.0 -g -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -L/lib64 -ldbus-1 -lpthread -lrt -pthread -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -pthread -L/lib64 -ldbus-glib-1 -ldbus-1 -lpthread -lgobject-2.0 -lgthread-2.0 -lrt -lglib-2.0

[xhat@localhost CVE-2021-3560]$ ls
agent.c agent.h exploit exploit.c Makefile README.md
[xhat@localhost CVE-2021-3560]$ ./exploit

pid:3287 - [ polkit CVE-2021-3560 exploit ] - RicterZ @ 360 Noah Lab, C writed by Swing @ chaitin
pid:3287 - [*] main process running ...
pid:3289 - [*] starting polkit authentication agent ...
pid:3288 - [*] starting polkit authentication agent ...
pid:3291 - [*] starting polkit authentication agent ...
pid:3287 - [-] exploit failed, please try again

But the exploit failed.

[xhat@localhost CVE-2021-3560]$ rpm -q polkit
polkit-0.96-11.el6.x86_64
