pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

Related tags

Security related resourcespwncat_pwnkit
Overview

pwncat_pwnkit

asciicast

Introduction

The purpose of this module is to attempt to exploit CVE-2021-4034 (pwnkit) on a target when using pwncat.

There is no need to setup any directories, compile any source or even have gcc on the remote target; the pwnkit module takes care of this automatically using the pwncat framework.

Setup and Use

  • Simply copy pwnkit.py somewhere on your host where pwncat-cs is installed. ie: /home/user/pwncat_mods
  • In pwncat, simply type: load /home/user/pwncat_mods
  • To confirm the module loaded, type: search pwnkit. You should see something like this:
(local) pwncat$ search pwnkit
                                                      Results                                                      
                   ╷                                                                                               
  Name             │ Description                                                                                   
 ══════════════════╪══════════════════════════════════════════════════════════════════════════════════════════════ 
  pwnkit           │ Exploit CVE-2021-4034 to privesc to root
  • To execute, simply type run pwnkit. If it's successful, you should see the UID change to 0, and now be root. ie:
(local) pwncat$ run pwnkit
[00:12:15] 10.10.184.131:47148: ran pwnkit. UID : Before(1000) | After(0)                            manager.py:955
           Module pwnkit completed successfully                                                          run.py:100
(local) pwncat$                                                                                                    
(remote) [email protected]:/# id
uid=0(root) gid=0(root) groups=0(root),1000(tryhackme)

Tips

  • If you don't want to always call load, you can have pwncat automatically load this module on startup by placing it in ~/.local/share/pwncat/modules
  • To use the cross-compiler to build the exploit on your machine and upload it to the target, you need to set the cross variable in your pwncatrc file. This file is typically found at ~/.local/share/pwncat/pwncatrc`. ie:
# Set the gcc path
set cross "/usr/bin/gcc"

Thanks

A special shout out to Caleb Stewart for being helpful as I pushed through learning the pwncat framework from a dev perspective. I will get a pull request to put this in the main pwncat escalate module someday when I have free time... I promise. :-)

Owner
Dana Epp
Security (de)engineering for fun and profit.
Dana Epp
GitHub Repository
Discord-keylogger - Discord keylogger With Python

Discord-keylogger Usage python dlogger.py -t [Time interval in sec] if not speci

Satwik Sinha 1 Jan 30, 2022
PoC encrypted diary in Python 3

Encrypted diary Sample program to store confidential data. Provides encryption in the form of AES-256 with bcrypt KDF. Does not provide authentication

1 Dec 25, 2021
Whois-Python - Get Whois Domain with Python GUI

Whois-Python-GUI Get Whois Domain with Python - GUI :) WARNING Dont Copy ! - W

MR.D3F417 3 Feb 21, 2022
Show apps recorded storage files by jailbreak

0x101 Show registered storage files of apps by jailbreak Legal disclaimer: Usage of insTof for attacking targets without prior mutual consent is illeg

0x 4 Oct 24, 2022
Simple tool to create passwords.

PasswordGenerator Simple password generator: -Simplisitc Window Application -Allows Numbers, Symbols & letters upper and lowercase -Restricts rows of

DM 1 Jan 10, 2022
Js File Scanner This is Js File Scanner

Js File Scanner This is Js File Scanner . Which are scan in js file and find juicy information Toke,Password Etc.

122 Dec 12, 2022
带回显版本的漏洞利用脚本

CVE-2021-21978 带回显版本的漏洞利用脚本,更简单的方式 0. 漏洞信息 VMware View Planner Web管理界面存在一个上传日志功能文件的入口,没有进行认证且写入的日志文件路径用户可控,通过覆盖上传日志功能文件log_upload_wsgi.py,即可实现RCE 漏洞代码

3ky7in4 24 Nov 09, 2022
All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting.🎭

This is A Python & Bash Programming Based Termux-Tool Created By CRACKER911181. This Tool Created For Hacking and Pentesting. If You Use This Tool To Evil Purpose,The Owner Will Never be Responsible

CRACKER911181 1 Jan 10, 2022
Proof-of-concept obfuscation toolkit for C# post-exploitation tools

InvisibilityCloak Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# visual studio proj

259 Dec 19, 2022
IDA loader for Apple's iBoot, SecureROM and AVPBooter

IDA iBoot Loader IDA loader for Apple's iBoot, SecureROM and AVPBooter Installation Copy iboot-loader.py to the loaders folder in IDA directory. Credi

matteyeux 74 Dec 23, 2022
command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.

CVE-2021-36260 CVE-2021-36260 POC command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validatio

Aiminsun 165 Dec 21, 2022
Code to do NF in HDR,HEVC,HPL,MPL

Netflix-DL 6.0 |HDR-HEVC-MPL-HPL NOT Working| ! Buy working netflix cdm from [em

4 Dec 28, 2021
SCodeScanner stands for Source Code scanner where the user can scans the source code for finding the Critical Vulnerabilities.

The SCodeScanner stands for Source Code Scanner, where you can scan your source code files like PHP and get identify the vulnerabilities inside it. The tool can use by Pentester, Developer to quickly

136 Dec 13, 2022
Malware-analysis-writeups - Some of my Malware Analysis writeups

About This repo contains some malware analysis writeups i've created over time m

Itay Migdal 14 Jun 22, 2022
Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.

Fuzz introspector Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potenti

Open Source Security Foundation (OpenSSF) 221 Jan 01, 2023
Unicode fuzzer for various purposes

UnicodeToy Unicode fuzzer for various purposes Unicode based on version 14.0 features Generate the shortest xss domain payload Generate unicode str, u

33 Nov 27, 2022
Lnkbomb - Malicious shortcut generator for collecting NTLM hashes from insecure file shares

Lnkbomb Lnkbomb is used for uploading malicious shortcut files to insecure file

Joe Helle 216 Jan 08, 2023
A Python replicated exploit for Webmin 1.580 /file/show.cgi Remote Code Execution

CVE-2012-2982 John Hammond | September 4th, 2021 Checking searchsploit for Webmin 1.580 I only saw a Metasploit module for the /file/show.cgi Remote C

John Hammond 25 Dec 08, 2022
List of S3 Hacks

s3-leaks List of AWS S3 Leaks Feel free to send in a PR if you know of other leaks Date Description Notes Aug2020 S3 bucket mess up exposed 182GB of s

Nag 291 Dec 28, 2022
S2-061 的payload,以及对应简单的PoC/Exp

S2-061 脚本皆根据vulhub的struts2-059/061漏洞测试环境来写的,不具普遍性,还望大佬多多指教 struts2-061-poc.py(可执行简单系统命令) 用法:python struts2-061-poc.py http://ip:port command 例子:python

dreamer 46 Oct 20, 2022