pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

Overview

pwncat_pwnkit

Introduction

The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat.

There is no need to set up any directories, compile any source, or even have gcc on the remote target; the module takes care of all of this automatically through the pwncat framework.

Setup and Use

  • Copy pwnkit.py somewhere on the host where pwncat-cs is installed, e.g. /home/user/pwncat_mods
  • In pwncat, type: load /home/user/pwncat_mods
  • To confirm the module loaded, type: search pwnkit. You should see something like this:

    (local) pwncat$ search pwnkit
                               Results
                     ╷
      Name           │ Description
     ════════════════╪═════════════════════════════════════════
      pwnkit         │ Exploit CVE-2021-4034 to privesc to root

  • To execute, type: run pwnkit. If it succeeds, you should see the UID change to 0, and you are now root, e.g.:

    (local) pwncat$ run pwnkit
    [00:12:15] 10.10.184.131:47148: ran pwnkit. UID : Before(1000) | After(0)          manager.py:955
               Module pwnkit completed successfully                                        run.py:100
    (local) pwncat$
    (remote) root@pwnkit:/# id
    uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)

Tips

  • If you don't want to call load every time, pwncat can load this module automatically on startup: place it in ~/.local/share/pwncat/modules
  • To build the exploit with a cross-compiler on your own machine and upload it to the target, set the cross variable in your pwncatrc file. This file is typically found at ~/.local/share/pwncat/pwncatrc, e.g.:

    # Set the gcc path
    set cross "/usr/bin/gcc"

Thanks

A special shout out to Caleb Stewart for being helpful as I pushed through learning the pwncat framework from a dev perspective. I will get a pull request to put this in the main pwncat escalate module someday when I have free time... I promise. :-)

Comments

  • getting an error

    (local) pwncat$ run pwnkit
    Traceback (most recent call last):
      /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/linux.py:1065 in compile
          1062         command = [gcc, "-o", output, *cflags, *real_sources, *ldflags]
          1063
          1064         try:
        ❱ 1065             self.run(command, check=True)
          1066         except pwncat.subprocess.CalledProcessError:
          1067             self.run(["rm", "-f", output])
          1068             raise PlatformError("compilation failed")
      /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/__init__.py:786 in run
           783         if popen_class is None:
           784             popen_class = self.Popen
           785
        ❱  786         p = popen_class(
           787             args,
           788             stdin=stdin,
           789             stdout=stdout,
      /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/linux.py:1114 in Popen
          1111             )
          1112
          1113         if isinstance(args, list):
        ❱ 1114             command = shlex.join(args)
          1115         elif isinstance(args, str):
          1116             command = args
          1117         else:
      /usr/lib/python3.9/shlex.py:320 in join
           317
           318 def join(split_command):
           319     """Return a shell-escaped string from split_command."""
        ❱  320     return ' '.join(quote(arg) for arg in split_command)
           321
           322
           323 _find_unsafe = re.compile(r'[^\w@%+=:,./-]', re.ASCII).search
      /usr/lib/python3.9/shlex.py:320 in
           317
           318 def join(split_command):
           319     """Return a shell-escaped string from split_command."""
        ❱  320     return ' '.join(quote(arg) for arg in split_command)
           321
           322
           323 _find_unsafe = re.compile(r'[^\w@%+=:,./-]', re.ASCII).search
      /usr/lib/python3.9/shlex.py:329 in quote
           326     """Return a shell-escaped version of the string s."""
           327     if not s:
           328         return "''"
        ❱  329     if _find_unsafe(s) is None:
           330         return s
           331
           332     # use single quotes, and put single quotes into double quotes
    TypeError: expected string or bytes-like object

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      /opt/pwncat/lib/python3.9/site-packages/pwncat/commands/__init__.py:591 in run
           588                 if line == "":
           589                     continue
           590
        ❱  591                 self.dispatch_line(line)
           592             # We used to catch only KeyboardException, but this prevents a
           593             # badly written command from completely killing our remote
           594             # connection.
      /opt/pwncat/lib/python3.9/site-packages/pwncat/commands/__init__.py:672 in dispatch_line
           669                 args = line
           670
           671             # Run the command
        ❱  672             command.run(self.manager, args)
           673
           674             if prog_name:
           675                 command.parser.prog = prog_name
      /opt/pwncat/lib/python3.9/site-packages/pwncat/commands/run.py:67 in run
            64         config_values.update(values)
            65
            66         try:
        ❱   67             result = manager.target.run(module_name, **config_values)
            68
            69             if args.module is not None:
            70                 manager.config.back()
      /opt/pwncat/lib/python3.9/site-packages/pwncat/manager.py:652 in run
           649         if module.PLATFORM is not None and type(self.platform) not in module.PLATFORM:
           650             raise pwncat.modules.IncorrectPlatformError(module_name)
           651
        ❱  652         return module.run(self, **kwargs)
           653
           654     def find_module(self, pattern: str, base=None, exact: bool = False):
           655         """Locate a module by a glob pattern. This is an generator
      /opt/pwncat/lib/python3.9/site-packages/pwncat/modules/__init__.py:239 in decorator
           236                     with session.task(description=self.name, status="...") as task:
           237                         # Collect results
           238                         results = []
        ❱  239                         for item in result_object:
           240                             session.update_task(task, status=item.title(session))
           241                             if not isinstance(item, Status):
           242                                 results.append(item)
      /opt/pwncat/lib/python3.9/site-packages/pwncat/modules/pwnkit.py:94 in run
            91
            92         # Compile pwnkit binary
            93         try:
        ❱   94             pwnkit = session.platform.compile(
            95                 [StringIO(pwnkit_source)],
            96                 cflags=["-shared", "-fPIC"],
            97                 output=str((scratch_path / "pwnkit" / "pwnkit.so"))
      /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/linux.py:1071 in compile
          1068             raise PlatformError("compilation failed")
          1069         finally:
          1070             try:
        ❱ 1071                 self.run(["rm", "-f", *real_sources], check=True)
          1072             except pwncat.subprocess.CalledProcessError:
          1073                 # Removing sources failed. Add them as tampers
          1074                 for source in real_sources:
      /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/__init__.py:786 in run
           783         if popen_class is None:
           784             popen_class = self.Popen
           785
        ❱  786         p = popen_class(
           787             args,
           788             stdin=stdin,
           789             stdout=stdout,
      /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/linux.py:1114 in Popen
          1111             )
          1112
          1113         if isinstance(args, list):
        ❱ 1114             command = shlex.join(args)
          1115         elif isinstance(args, str):
          1116             command = args
          1117         else:
      /usr/lib/python3.9/shlex.py:320 in join
           317
           318 def join(split_command):
           319     """Return a shell-escaped string from split_command."""
        ❱  320     return ' '.join(quote(arg) for arg in split_command)
           321
           322
           323 _find_unsafe = re.compile(r'[^\w@%+=:,./-]', re.ASCII).search
      /usr/lib/python3.9/shlex.py:320 in
           317
           318 def join(split_command):
           319     """Return a shell-escaped string from split_command."""
        ❱  320     return ' '.join(quote(arg) for arg in split_command)
           321
           322
           323 _find_unsafe = re.compile(r'[^\w@%+=:,./-]', re.ASCII).search
      /usr/lib/python3.9/shlex.py:329 in quote
           326     """Return a shell-escaped version of the string s."""
           327     if not s:
           328         return "''"
        ❱  329     if _find_unsafe(s) is None:
           330         return s
           331
           332     # use single quotes, and put single quotes into double quotes
    TypeError: expected string or bytes-like object
    (local) pwncat$

    opened by wangdangel
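The TypeError at shlex.py:329 in the traceback above is what shlex.quote raises when an argv element is a truthy object that is not a str; both failing frames (the gcc command built in compile, and the rm -f cleanup over real_sources in its finally: block) pass their list through shlex.join. As an added example that is not code from this module or from pwncat, and assuming the stray element was a path-like object such as pathlib.Path (the traceback shows only the error, not the type), here is a reproduction beside a guarded join that coerces path-likes and rejects anything else with a message naming the position:

```python
import os
import shlex
from pathlib import PurePosixPath

# Constructed argv lists shaped like the two failing frames in the traceback:
# the gcc command built in compile(), and the "rm -f" cleanup over
# real_sources in its finally: block. Using a Path for the stray non-str
# element is an assumption; the traceback shows only the TypeError.
GCC_ARGV = ["/usr/bin/gcc", "-o", "/tmp/x/pwnkit.so", "-shared", "-fPIC", "/tmp/x/src.c"]
RM_ARGV_WITH_PATH = ["rm", "-f", PurePosixPath("/tmp/x/src.c")]
RM_ARGV_WITH_INT = ["rm", "-f", 42]
SPACED_ARGV = ["/usr/bin/gcc", "-o", "/tmp/my dir/pwnkit.so"]


def join_unchecked(argv):
    """What the failing frame does: shlex.join quotes each element, and
    shlex.quote passes a truthy non-str to re.search, which raises
    'TypeError: expected string or bytes-like object'."""
    return shlex.join(argv)


def normalise_argv(argv):
    """Coerce os.PathLike elements with os.fspath and reject any other
    non-str, naming the offending position so the bad argument is obvious."""
    out = []
    for i, arg in enumerate(argv):
        if isinstance(arg, str):
            out.append(arg)
        elif isinstance(arg, os.PathLike):
            out.append(os.fspath(arg))
        else:
            raise TypeError(f"argv[{i}] is {type(arg).__name__}; expected str or PathLike")
    return out


def join_checked(argv):
    """Guarded join: validate and coerce first, so shlex.join only ever sees
    strings and still shell-quotes spaces and quotes correctly."""
    return shlex.join(normalise_argv(argv))


def raises_type_error(fn, argv):
    """True if fn(argv) raises TypeError (used to contrast the two joins)."""
    try:
        fn(argv)
    except TypeError:
        return True
    return False
```

Running the same guard before the cleanup command would have turned the opaque shlex error into one that names the offending source-file argument.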
Owner
Dana Epp
Security (de)engineering for fun and profit.