# Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation

![GitHub CVE Cover](

**Like this repo? Give us a โญ!**

*For educational and authorized security research purposes only.*

## Exploit Author
[@UNICORDev]( by ([@NicPWNs]( and [@Dev-Yeoj](

## Vulnerability Description
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

## Exploit Description
Use this exploit on a system with vulnerable Polkit software to add a new user with Sudo privileges. Specify a custom username and/or password as CLI arguments, if desired. Once the new user is created, ```su``` to this user and ```sudo su``` for full root privileges.

## Usage
  python3 exploit-CVE-2021โ€“ [-u <username> -p <password>]
  python3 exploit-CVE-2021โ€“ -h

## Options
  -u    Custom username. Provide username to be created. (Optional)
  -p    Custom password. Provide password to be configured for user. (Optional)
  -h    Show this help menu.

## Download
[Download Here](

## Exploit Requirements
- python3
- accountsservice
- gnome-control-center
- openssl
- sudo

## Demo

*User in privileged ```wheel``` group.*

## Tested On
Polkit Version 0.105 (Ubuntu 20.04.2 LTS)

## Applies To
Polkit Versions 0.0 - 0.118

## Test Environment
apt install accountsservice gnome-control-center openssl sudo

## Warning
โš ๏ธ Running this exploit on a system with a GUI may result in a pop-up password prompt that cannot be closed and may require a full system reboot. You may be able to close this pop-up by clicking "Cancel" repeatedly. However, this can fully be avoided if in an SSH or reverse shell session. Simply ```ssh localhost``` to avoid this issue.

## Credits