Like this repo? Give us a ⭐!

For educational and authorized security research purposes only.

@UNICORDev by (@NicPWNs and @Dev-Yeoj)

It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Use this exploit on a system with vulnerable Polkit software to add a new user with Sudo privileges. Specify a custom username and/or password as CLI arguments, if desired. Once the new user is created, su to this user and sudo su for full root privileges.

  python3 exploit-CVE-2021–3560.py [-u <username> -p <password>]
  python3 exploit-CVE-2021–3560.py -h

  -u    Custom username. Provide username to be created. (Optional)
  -p    Custom password. Provide password to be configured for user. (Optional)
  -h    Show this help menu.

Download exploit-CVE-2021-3560.py Here

• python3
• accountsservice
• gnome-control-center
• openssl
• sudo

User in privileged wheel group.

Polkit Version 0.105 (Ubuntu 20.04.2 LTS)

Polkit Versions 0.0 - 0.118

apt install accountsservice gnome-control-center openssl sudo

⚠️ Running this exploit on a system with a GUI may result in a pop-up password prompt that cannot be closed and may require a full system reboot. You may be able to close this pop-up by clicking "Cancel" repeatedly. However, this can fully be avoided if in an SSH or reverse shell session. Simply ssh localhost to avoid this issue.

• https://nvd.nist.gov/vuln/detail/CVE-2021-3560
• https://app.hackthebox.com/machines/Paper
• https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
• https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py