This repository contains an exploit of CVE-2021-4034, a local privilege escalation in pkexec

Overview

pwnkit (CVE-2021-4034) Privilege Escalation exploit sample

This repository contains an exploit of CVE-2021-4034, a local privilege escalation in pkexec. This implementation is based on that described in the CVE disclosure, which you should read.

If this works on your machine, it means you are vulnerable. To address this, either update polkit to a patched version, or disable the setuid bit on pkexec with the following:

$ sudo chmod a-s $(which pkexec)

This exploit is dangerously easy to write based on the information in the disclosure, so patch all of your machines ASAP.

Using this repo

To run this exploit, simply run make in the top level directory. This will compile exploit.c, which runs the exploit, and gconv/badconv.c, which contains the payload.

If your system is vulnerable, you will be dropped into a shell as root.

This implementation should work on any vulnerable systems, including Fedora 34+ and some versions of OpenSUSE which seem to not be vulnerable to some implementations. Specifically, this will work even if your system has a version of polkit which disables GVFS (added here).

You might also like...
PoC (DoS) for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
PoC (DoS) for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell DoS PoC for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

CVE-2021-4034 POC and Docker and Analysis write up
CVE-2021-4034 POC and Docker and Analysis write up

CVE-2021-4034 POC and Docker and Analysis write up

Proof of Concept (PoC) CVE-2021-4034
Proof of Concept (PoC) CVE-2021-4034

PwnKit-Exploit CVE-2021-4034 @c0br40x help to make this section in README!! Proof of Concept [email protected]:~/PwnKit-Exploit$ make cc -Wall exploit.

PoC for cve-2021-4034

cve-2021-4034 PoC for cve-2021-4034 Based on the PoC by https://haxx.in: https://haxx.in/files/blasty-vs-pkexec.c. Probably he's https://github.com/bl

Pre-compiled builds for CVE-2021-4034

CVE-2021-4034 Precompiled builds for CVE-2021-4034. Of course you shouldn't trust precompiled builds :) This release works slightly different: first a

Bring your own print driver privilege escalation tool

Concealed Position Concealed Position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Spec

SystemGap - Maintenance Tools after privilege escalation
SystemGap - Maintenance Tools after privilege escalation

SystemGap 适用于解决不稳定Windows漏洞提权成功后进行权限驻守的办法 SystemGap - 监听者 SystemGap 负责监听一个任意用户可读写的匿名管道,从管道中读取命令进行执行 SystemGapClient - 发送者 SystemGapClient 负责向匿名管道中传入指令

Just another
Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.

RemotePotato0 Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin. RemotePotato0 is an exploit that allows you to escalate

Exploit to SYSTEM for CVE-2021-21551
Exploit to SYSTEM for CVE-2021-21551

CVE-2021-21551 Exploit to SYSTEM for CVE-2021-21551 SpoolPrinter Privesc using SeImpersonatePrivileges was made thanks to

Comments
  • Not working on older versions of Ubuntu and Debian

    Not working on older versions of Ubuntu and Debian

    On older versions of Ubuntu and Debian with pkexec version 0.105 I get the following error:

    $ make
    gcc -o exploit exploit.c
    make -C ./gconv BADCONV.so
    make[1]: Entering directory '/home/ate/pwnkit-exploit/gconv'
    gcc -fPIC -shared badconv.c -o BADCONV.so
    make[1]: Leaving directory '/home/ate/pwnkit-exploit/gconv'
    ./exploit
    Running exploit...
    pkexec --version |
           --help |
           --disable-internal-agent |
           [--user username] PROGRAM [ARGUMENTS...]
    
    See the pkexec manual page for more details.
    Makefile:12: recipe for target 'run-exploit' failed
    make: *** [run-exploit] Error 1
    

    It seems like pkexec refuses to execute without being supplied a command as argument.

    opened by R-VdP 1
Owner
Peter Gottesman
Peter Gottesman
An exploit for CVE-2021-4034 aka Pwnkit: Local Privilege Escalation in polkit's pkexec

CVE-2021-4034 Exploit Usage $ git clone https://github.com/whokilleddb/CVE-2021-4034 $ cd CVE-2021-4034 $ make [!] CVE-2021-4034 Exploit By whokilledd

whokilleddb 3 Jun 30, 2022
PoC for PwnKit: Local Privilege Escalation Vulnerability in polkit’s pkexec (CVE-2021-4034)

CVE-2021-4034 PoC for PwnKit: Local Privilege Escalation Vulnerability in polkit’s pkexec (CVE-2021-4034) https://seclists.org/oss-sec/2022/q1/80 http

Andris Raugulis 924 Nov 21, 2022
CVE-2021-4034: Local Privilege Escalation in polkit's pkexec proof of concept

CVE-2021-4034 Proof of Concept Qualys researches found a pretty cool local privilege escalation vulnerability in Polkit's pkexec: writeup, tweet. This

Marco Bonelli 20 Jun 22, 2022
CVE-2021-4034 Add Root User - Pkexec Local Privilege Escalation

CVE-2021-4034 CVE-2021-4034 Add Root User - Pkexec Local Privilege Escalation 根据CVE-2021-4034进行了加强,执行Exploit将会默认添加用户名rooter,密码[email protected],并且rooter用户将具

倾旋 88 Oct 16, 2022
CVE-2021-4034 One day for the polkit privilege escalation exploit

CVE-2021-4034 One day for the polkit privilege escalation exploit Just execute make, ./cve-2021-4034 and enjoy your root shell. The original advisory

Davide Berardi 1.7k Nov 26, 2022
Local Privilege Escalation Edition for CVE-2021-1675

Local Privilege Escalation Edition of CVE-2021-1675/CVE-2021-34527 Local Privilege Escalation implementation of the CVE-2021-1675/CVE-2021-34527 (a.k.

Halil Dalabasmaz 334 Nov 16, 2022
CVE-2021-24084 Windows Local Privilege Escalation Left officially unpatched since 2020. Hence, its still a zero day

WindowsMDM-LPE-0Day Works best on Windows 11 CVE-2021-24084 Windows Local Privilege Escalation Left officially unpatched since 2020. Hence, its still

Exploit Blizzard 35 Nov 9, 2022
Plex media server local privilige escalation poc - CVE-2021-42835

Local Privilege PlEXcalasion - CVE-2021-42835 Plex Media Server for Windows prior to version 1.25.0.5282, vulnerable to Time Of Check Time Of Use (TOC

null 6 May 24, 2022
Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell Exploit for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Oliver Lyak 425 Nov 19, 2022