CVE-2021-4034 PoC — polkit 缓冲区错误漏洞

Source

https://github.com/DanaEpp/pwncat_pwnkit

Associated Vulnerability

Title:polkit 缓冲区错误漏洞 (CVE-2021-4034)
Description:A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

Description

pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

Readme

# pwncat_pwnkit
[![asciicast](https://asciinema.org/a/n3DRuvT0hr8yslrXX7RsGG1LW.svg)](https://asciinema.org/a/n3DRuvT0hr8yslrXX7RsGG1LW)
## Introduction
The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat.

There is no need to setup any directories, compile any source or even have gcc on the remote target; the pwnkit module takes care of this automatically using the pwncat framework.

## Setup and Use
- Simply copy `pwnkit.py` somewhere on your host where pwncat-cs is installed. ie: /home/user/pwncat_mods
- In pwncat, simply type: `load /home/user/pwncat_mods`
- To confirm the module loaded, type: `search pwnkit`. You should see something like this:
```
(local) pwncat$ search pwnkit
                                                      Results                                                      
                   ╷                                                                                               
  Name             │ Description                                                                                   
 ══════════════════╪══════════════════════════════════════════════════════════════════════════════════════════════ 
  pwnkit           │ Exploit CVE-2021-4034 to privesc to root
``` 
- To execute, simply type `run pwnkit`. If it's successful, you should see the UID change to 0, and now be root. ie:
```
(local) pwncat$ run pwnkit
[00:12:15] 10.10.184.131:47148: ran pwnkit. UID : Before(1000) | After(0)                            manager.py:955
           Module pwnkit completed successfully                                                          run.py:100
(local) pwncat$                                                                                                    
(remote) root@pwnkit:/# id
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)
```

## Tips
- If you don't want to always call `load`, you can have pwncat automatically load this module on startup by placing it in `~/.local/share/pwncat/modules`
- To use the cross-compiler to build the exploit on your machine and upload it to the target, you need to set the **cross** variable in your pwncatrc file. This file is typically found at ~/.local/share/pwncat/pwncatrc`. ie:
```
# Set the gcc path
set cross "/usr/bin/gcc"
```

## Thanks
A special shout out to [Caleb Stewart](https://github.com/calebstewart/pwncat) for being helpful as I pushed through learning the pwncat framework from a dev perspective. I will get a pull request to put this in the main pwncat escalate module someday when I have free time... I promise. :-)

File Snapshot


 [4.0K]  /data/pocs/5e35337897c77addafd4c8be1f0dca2bbcf05f25
├── [1.0K]  LICENSE
├── [6.1K]  pwnkit.py
└── [2.8K]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!