POC details: 5e35337897c77addafd4c8be1f0dca2bbcf05f25

Source
Related vulnerability
Title: polkit buffer error vulnerability (CVE-2021-4034)
Description: polkit is a component that controls system-wide privileges on Unix-like operating systems. By defining and auditing authorization rules, it mediates communication between processes of different privilege levels. polkit's pkexec application contains a buffer error vulnerability: an attacker can craft environment variables to induce pkexec to execute arbitrary code. If the attack succeeds, an unprivileged user on the target machine can obtain administrative privileges, i.e. a local privilege escalation.
Description
pwncat module that automatically exploits CVE-2021-4034 (pwnkit)
Introduction
# pwncat_pwnkit
[![asciicast](https://asciinema.org/a/n3DRuvT0hr8yslrXX7RsGG1LW.svg)](https://asciinema.org/a/n3DRuvT0hr8yslrXX7RsGG1LW)
## Introduction
The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat.

There is no need to set up any directories, compile any source, or even have gcc on the remote target; the pwnkit module takes care of this automatically using the pwncat framework.

## Setup and Use
- Simply copy `pwnkit.py` somewhere on the host where pwncat-cs is installed, e.g. `/home/user/pwncat_mods`.
- In pwncat, simply type: `load /home/user/pwncat_mods`
- To confirm the module loaded, type: `search pwnkit`. You should see something like this:
```
(local) pwncat$ search pwnkit
                                                      Results
                   ╷
  Name             │ Description
 ══════════════════╪══════════════════════════════════════════════════════════════════════════════════════════════
  pwnkit           │ Exploit CVE-2021-4034 to privesc to root
```
- To execute, simply type `run pwnkit`. If it succeeds, you should see the UID change to 0 and you will now be root, e.g.:
```
(local) pwncat$ run pwnkit
[00:12:15] 10.10.184.131:47148: ran pwnkit. UID : Before(1000) | After(0)                            manager.py:955
           Module pwnkit completed successfully                                                          run.py:100
(local) pwncat$                                                                                                    
(remote) root@pwnkit:/# id
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)
```

## Tips
- If you don't want to always call `load`, you can have pwncat automatically load this module on startup by placing it in `~/.local/share/pwncat/modules`
- To use the cross-compiler to build the exploit on your machine and upload it to the target, you need to set the **cross** variable in your pwncatrc file. This file is typically found at `~/.local/share/pwncat/pwncatrc`, e.g.:
```
# Set the gcc path
set cross "/usr/bin/gcc"
```

## Thanks
A special shout out to [Caleb Stewart](https://github.com/calebstewart/pwncat) for being helpful as I pushed through learning the pwncat framework from a dev perspective. I will get a pull request to put this in the main pwncat escalate module someday when I have free time... I promise. :-) 
File snapshot

[4.0K] /data/pocs/5e35337897c77addafd4c8be1f0dca2bbcf05f25
├── [1.0K] LICENSE
├── [6.1K] pwnkit.py
└── [2.8K] README.md

0 directories, 3 files