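def main():
    """Entry point: sandbox the user who invoked sudo and hand the sandbox an X cookie.

    Only the permitted set is installed here; every helper raises the single
    capability it needs to the effective set, uses it, and takes it back out.

    Raises:
        SystemExit: if ``SUDO_USER`` is not set (not started through sudo).
        KeyError: from ``switch_user`` if the ``immunity-<user>`` account does not exist.
    """
    immunity.set_cap("cap_setgid,cap_setuid,cap_sys_admin,cap_sys_chroot,cap_setpcap+p")
    sudo_user = os.getenv("SUDO_USER")
    if not sudo_user:
        # Without sudo there is no user to sandbox; the original code would
        # only fail later with a TypeError on "immunity-" + None.
        raise SystemExit("immunity: SUDO_USER is not set; run this through sudo")
    # The cookie is fetched before the environment is cleared and before the
    # uid changes, while the caller's X credentials are still reachable.
    xauth_data = get_xauth(sudo_user)
    clear_environment()
    # A non-existent "immunity-<user>" account makes getpwnam raise, so an
    # unexpected SUDO_USER value fails closed here rather than being used.
    switch_user("immunity-" + sudo_user)
    new_namespace()
    fake_filesystem()
    set_xauth(xauth_data)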
def fake_filesystem():
    """Build a minimal root under /mnt from bind mounts and chroot into it.

    Capabilities are raised to effective one at a time: sys_admin for the
    mounts, mknod for the device nodes, sys_chroot for the chroot, then the
    capability set is locked and emptied so the sandboxed process keeps none.
    """
    # Host paths that are exposed read-through into the sandbox, in mount order.
    # NOTE(review): /proc and the X socket (/tmp/.X11-unix) give the sandboxed
    # program a view of host processes and the X server; this looks intentional
    # for a GUI sandbox but is the widest exposure in this list.
    bind_sources = (
        "/bin",
        "/etc/X11",
        "/etc/alternatives",
        "/etc/fonts",
        "/etc/gai.conf",
        "/etc/gconf",
        "/etc/gnome-vfs-2.0",
        "/etc/group",
        "/etc/gtk-2.0",
        "/etc/host.conf",
        "/etc/hosts",
        "/etc/iceweasel",
        "/etc/ld.so.cache",
        "/etc/locale.alias",
        "/etc/localtime",
        "/etc/mailcap",
        "/etc/mime.types",
        "/etc/nsswitch.conf",
        "/etc/orbitrc",
        "/etc/pango",
        "/etc/passwd",
        "/etc/resolv.conf",
        "/etc/resolvconf",
        "/lib",
        "/proc",
        "/tmp/.X11-unix",
        "/usr/bin",
        "/usr/lib",
        "/usr/share",
        "/var/cache/fontconfig",
        "/var/lib/defoma",
        "/var/lib/gconf",
        "/var/lib/immunity",
    )

    immunity.set_cap("cap_sys_admin+ep cap_sys_chroot,cap_setpcap,cap_mknod+p")
    mount_tmpfs("/mnt")
    # Presumably changes mount flags on the old root before it is left behind — see immunity.remount.
    immunity.remount("/")
    for source in bind_sources:
        mount_bind(source)

    immunity.set_cap("cap_mknod+ep cap_sys_chroot,cap_setpcap+p")
    copy_node("/dev/null")
    for sound_device in glob.glob("/dev/snd/*"):
        copy_node(sound_device)

    immunity.set_cap("cap_sys_chroot+ep cap_setpcap+p")
    os.chroot("/mnt")
    immunity.set_cap("cap_setpcap+ep")
    immunity.lock_caps()
    immunity.set_cap("")
    # Re-anchor the working directory inside the new root: after chroot() the
    # cwd still refers to the old tree, and chdir fails if that path is absent
    # from the sandbox rather than leaving cwd pointing outside it.
    os.chdir(os.getcwd())
def switch_sudo_user(target_user):
    """Switch uid/gid to *target_user* with an empty supplementary group list.

    ``keep_caps`` is called before ``setuid`` so the permitted set listed in the
    final ``set_cap`` survives the uid change (presumably PR_SET_KEEPCAPS).

    NOTE(review): a second ``switch_sudo_user`` is defined later in this
    listing; at import time the last definition is the one that stays bound.

    Args:
        target_user: account name to switch to.

    Raises:
        KeyError: if ``target_user`` is not in the passwd database.
        OSError: if a group or uid change fails.
    """
    with_setgid = "cap_setgid+ep cap_setuid,cap_sys_admin,cap_sys_chroot,cap_setpcap,cap_mknod+p"
    with_setuid = "cap_setgid+p cap_setuid+ep cap_sys_admin,cap_sys_chroot,cap_setpcap,cap_mknod+p"
    permitted_only = "cap_setgid,cap_setuid,cap_sys_admin,cap_sys_chroot,cap_setpcap,cap_mknod+p"

    immunity.set_cap(with_setgid)
    os.setgroups([])
    account = pwd.getpwnam(target_user)
    os.setgid(account.pw_gid)

    immunity.set_cap(with_setuid)
    immunity.keep_caps()
    os.setuid(account.pw_uid)

    immunity.set_cap(permitted_only)
def switch_sudo_user(target_user):
    """Switch uid/gid to *target_user*, keeping only the ``audio`` supplementary group.

    The inherited group list is cleared first, then replaced by the single
    ``audio`` gid; ``keep_caps`` is called before ``setuid`` so the permitted
    capabilities in the final ``set_cap`` survive the uid change.

    Args:
        target_user: account name to switch to.

    Raises:
        KeyError: if ``target_user`` or the ``audio`` group does not exist.
        OSError: if a group or uid change fails.
    """
    with_setgid = "cap_setgid+ep cap_setuid,cap_sys_admin,cap_sys_chroot,cap_setpcap+p"
    with_setuid = "cap_setgid+p cap_setuid+ep cap_sys_admin,cap_sys_chroot,cap_setpcap+p"
    permitted_only = "cap_setgid,cap_setuid,cap_sys_admin,cap_sys_chroot,cap_setpcap+p"

    immunity.set_cap(with_setgid)
    os.setgroups([])
    account = pwd.getpwnam(target_user)
    os.setgid(account.pw_gid)
    # Only the audio group is retained (sound device access inside the sandbox).
    audio_group = grp.getgrnam("audio")
    os.setgroups([audio_group.gr_gid])

    immunity.set_cap(with_setuid)
    immunity.keep_caps()
    os.setuid(account.pw_uid)

    immunity.set_cap(permitted_only)
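def switch_user(target_user):
    """Become *target_user* (gid, then uid) and move into its home directory.

    The account is looked up before any privilege is dropped, so an unknown
    name fails with nothing changed. setgid and setuid capabilities are made
    effective only for the single call that needs them.

    Args:
        target_user: account name to switch to; must exist in the passwd database.

    Raises:
        KeyError: if ``target_user`` is not a known account.
        OSError: if a group/uid change or the chdir into the home directory fails.
    """
    pwd_data = pwd.getpwnam(target_user)
    immunity.set_cap("cap_setgid+ep cap_setuid,cap_sys_admin,cap_sys_chroot,cap_setpcap+p")
    # Clear the supplementary groups inherited from the sudo/root process
    # before changing the primary group (as switch_sudo_user already does);
    # otherwise those groups stay in effect for the sandboxed user.
    os.setgroups([])
    os.setgid(pwd_data.pw_gid)
    immunity.set_cap("cap_setuid+ep cap_sys_admin,cap_sys_chroot,cap_setpcap+p")
    os.setuid(pwd_data.pw_uid)
    immunity.set_cap("cap_sys_admin,cap_sys_chroot,cap_setpcap+p")
    os.putenv("USER", pwd_data.pw_name)
    homedir = pwd_data.pw_dir
    os.putenv("HOME", homedir)
    os.chdir(homedir)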
def fake_filesystem():
    """Build a minimal root under /mnt from bind mounts and chroot into it.

    sys_admin is effective for the mounts, mknod for the ALSA device nodes,
    sys_chroot for the chroot; the effective set is then emptied entirely.
    """
    # Host paths exposed into the sandbox, in mount order.
    # NOTE(review): /proc and /tmp/.X11-unix give the sandboxed program a view
    # of host processes and the X server; apparently intentional for a GUI sandbox.
    bind_sources = (
        "/bin",
        "/dev/null",
        "/etc/X11",
        "/etc/alternatives",
        "/etc/fonts",
        "/etc/gai.conf",
        "/etc/gconf",
        "/etc/gnome-vfs-2.0",
        "/etc/gtk-2.0",
        "/etc/host.conf",
        "/etc/hosts",
        "/etc/iceweasel",
        "/etc/ld.so.cache",
        "/etc/locale.alias",
        "/etc/localtime",
        "/etc/mime.types",
        "/etc/nsswitch.conf",
        "/etc/orbitrc",
        "/etc/pango",
        "/etc/passwd",
        "/etc/resolv.conf",
        "/etc/resolvconf",
        "/lib",
        "/proc",
        "/tmp/.X11-unix",
        "/usr/bin",
        "/usr/lib",
        "/usr/share",
        "/var/cache/fontconfig",
        "/var/lib/defoma",
        "/var/lib/gconf",
        "/var/lib/immunity",
    )

    immunity.set_cap("cap_sys_admin+ep cap_mknod,cap_sys_chroot+p")
    mount_tmpfs("/mnt")
    for source in bind_sources:
        mount_bind(source)
    # World-writable sandbox /tmp. NOTE(review): unlike a real /tmp (1777) this
    # has no sticky bit, so any sandbox user could remove another's files there.
    os.chmod("/mnt/tmp", 0o777)

    immunity.set_cap("cap_mknod+ep cap_sys_chroot+p")
    alsa()

    immunity.set_cap("cap_sys_chroot+ep")
    os.chroot("/mnt")
    immunity.set_cap("")
    # Re-anchor cwd inside the new root; after chroot() it still refers to the
    # old tree, and chdir fails rather than leaving cwd outside the sandbox.
    os.chdir(os.getcwd())
def new_namespace():
    """Move this process into a fresh mount namespace.

    cap_sys_admin is effective only for the ``unshare_newns`` call and is
    returned to permitted-only right after, so later mounts must raise it again.
    """
    with_sys_admin = "cap_sys_admin+ep cap_sys_chroot,cap_setpcap+p"
    permitted_only = "cap_sys_admin,cap_sys_chroot,cap_setpcap+p"

    immunity.set_cap(with_sys_admin)
    immunity.unshare_newns()
    immunity.set_cap(permitted_only)
def main():
    """Drop every capability, then replace this process with ``xauth nlist :0``.

    The exec uses an absolute path and a fixed argument list, so nothing from
    the environment or the caller influences which binary runs or with what.
    """
    xauth_binary = "/usr/bin/xauth"
    immunity.set_cap("")
    os.execl(xauth_binary, "xauth", "nlist", ":0")
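#!/usr/bin/python
import immunity, os, sys, tempfile

# This helper only talks to the X server; it needs no capabilities at all.
immunity.set_cap("")

# mkstemp() creates the file 0600, so the generated cookie is never readable
# by other users. The descriptor it returns is not needed (xauth writes by
# name), so close it instead of leaking it.
fd, name = tempfile.mkstemp()
os.close(fd)
try:
    # Fixed binary path and argument list: no shell, nothing caller-controlled.
    status = os.spawnl(os.P_WAIT, "/usr/bin/xauth", "xauth", "-f", name,
                       "generate", ":0", ".", "trusted", "timeout", "1200")
    if status != 0:
        # Previously a failed xauth run silently printed an empty file;
        # report it so the caller does not install a missing cookie.
        sys.stderr.write("xauth generate failed with status %d\n" % status)
        sys.exit(1)
    xauthfile = open(name, "r")
    try:
        sys.stdout.write(xauthfile.read())
    finally:
        xauthfile.close()
finally:
    # Remove the cookie file even if xauth or the read fails.
    os.remove(name)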