Linux LPE using polkit-1 written in Rust.

Related tags

Security tools CVE-2021-4024-Rust
Overview

CVE-2021-4024-Rust

Linux LPE using polkit-1 written in Rust.

Build instructions

Install rust if you haven't already

git clone https://github.com/deoxykev/CVE-2021-4024-Rust
cd CVE-2021-4024-Rust
rustup target add x86_64-unknown-linux-musl
cargo build --release

Vuln Check

# check for pkexec
which pkexec || echo not vuln

# check suid permissions on pkexec
stat -c '%a' $(which pkexec) | grep -q 4755 || echo not vuln

# check patch date on pkexec
stat -c '%y' $(which pkexec)
# dates before 2022-01-12 may be unpatched & vulnerable

Opsec considerations

  • Writes exploit files to /dev/shm (ramdisk)
    • delete randomly generated directory afterwards
    • can be detected on file creation
    • shellcode is hardcoded, consider replacing with a polymorphic payload (ie: msfvenom output)
  • syscall to pkexec with null args can be detected
  • pkexec logs are visible in /var/log/auth.log
pkexec[121401]: user: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/8] [CWD=/dev/shm/YWdQYnE3TSNlwNKMXEwYcGRVmdYipb] [COMMAND=GCONV_PATH=./tSq82ptZaDiyXWZz0BOybdH9fINqCG PATH=GCONV_PATH=. CHARSET=mgELtKAB9sXo0a9KJk00NNO0wa4x0J SHELL=mgELtKAB9sXo0a9KJk00NNO0wa4x0J]

Sigma Rule Detection

Credits

vuln disclosure - qualsys research team - https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034 shellcode - @johkrupp - https://saarsec.rocks/2020/05/14/golf.so.html

You might also like...
A simple password manager written in Rust
A simple password manager written in Rust

ripasso A simple password manager written in Rust. The root crate ripasso is a library for accessing and decrypting passwords stored in pass format (G

Joakim Lundborg 548 Dec 26, 2022
A fast, simple, recursive content discovery tool written in Rust.
A fast, simple, recursive content discovery tool written in Rust.

A simple, fast, recursive content discovery tool written in Rust 🦀 Releases ✨ Example Usage ✨ Contributing ✨ Documentation 🦀 😕 What the heck is a f

epi 3.6k Dec 30, 2022
link is a command and control framework written in rust
link is a command and control framework written in rust

link link is a command and control framework written in rust. Currently in alpha. Table of Contents Introduction Features Feedback Build Process Ackno

null 427 Dec 24, 2022
simple multi-threaded port scanner written in rust
simple multi-threaded port scanner written in rust

knockson simple multi-threaded port scanner written in rust Install Using AUR https://aur.archlinux.org/packages/knockson-bin/ yay -Syu knockson-bin M

Josh Münte 4 Oct 5, 2022
Multi-threaded Padding Oracle attacks against any service. Written in Rust.
Multi-threaded Padding Oracle attacks against any service. Written in Rust.

rustpad is a multi-threaded successor to the classic padbuster, written in Rust. It abuses a Padding Oracle vulnerability to decrypt any cypher text or encrypt arbitrary plain text without knowing the encryption key!

Kibouo 76 Dec 16, 2022
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

OpenSK This repository contains a Rust implementation of a FIDO2 authenticator. We developed OpenSK as a Tock OS application. We intend to bring a ful

Google 2.4k Jan 7, 2023
Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs

Alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients*, perfect for self-hosted deploy

Daniel García 21.5k Jan 8, 2023
An impish, cross-platform binary parsing crate, written in Rust
An impish, cross-platform binary parsing crate, written in Rust

libgoblin Documentation https://docs.rs/goblin/ changelog Usage Goblin requires rustc 1.40.0. Add to your Cargo.toml [dependencies] goblin = "0.4" Fea

null 891 Dec 29, 2022
rd is a record/replay debugger written in rust

rd The Record & Debug Tool The Record & Debug Tool (rd) is a Rust language port of the rr-debugger/rr debugger. With rd you can record Linux program e

Sidharth Kshatriya 947 Dec 8, 2022
Owner
Kevin Pham
keybase.io/deoxy
Kevin Pham
GitHub
A Rust program to control bias lighting on Linux and Windows.

displaylight_rs This Rust workspace is a rewrite of my DisplayLight project. It colors leds mounted behind the monitor with the colors shown on the di

Ivor Wanders 2 Sep 25, 2022
Linux anti-debugging and anti-analysis rust library

DebugOff Library Linux anti-analysis Rust library The goal of this library is to make both static and dynamic (debugging) analysis more difficult. The

null 65 Jan 7, 2023
A utility like pkg-audit for Arch Linux. Based on Arch Security Team data.

arch-audit pkg-audit-like utility for Arch Linux. Based on data from security.archlinux.org collected by the awesome Arch Security Team. Installation

Andrea Scarpino 316 Nov 22, 2022
Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps. 👻🐚

moonwalk Cover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps. ?? Table o

Mufeed VH 1.1k Jan 6, 2023
Attempts to suspend all known AV/EDRs processes on Windows using syscalls and the undocumented NtSuspendProcess API. Made with <3 for pentesters. Written in Rust.

Ronflex Attempts to suspend all known AV/EDRs processes on Windows using syscalls and the undocumented NtSuspendProcess API. Made with <3 for penteste

null 5 Apr 17, 2023
A simple port scanner built using rust-lang

A simple port scanner built using rust-lang

Krisna Pranav 1 Nov 6, 2021
An attempt to rewrite lite-client for TON Blockchain in Rust using ton-labs-adnl library.

An attempt to rewrite lite-client for TON Blockchain in Rust using ton-labs-adnl library.

TonStack 4 Nov 9, 2022
Cyg will help you to secure files in your repository directly using PGP encryption

cyg: Secure files in your repository Cyg will help you to secure files in your repository directly using PGP encryption. The name "cyg" was inspired b

Hisam Fahri 2 Aug 31, 2022
Using fibers to run in-memory code in a different and stealthy way.

Description A fiber is a unit of execution that must be manually scheduled by the application rather than rely on the priority-based scheduling mechan

Kurosh Dabbagh Escalante 121 Apr 20, 2023
An esoteric language/compiler written with Rust and Rust LLVM bindings

MeidoLang (メイドラング) A not so useful and esoteric language. The goal of this project was to contain some quirky or novel syntax in a stack-style program

null 0 Dec 24, 2021