Pack2TheRoot

This repository is a small standalone local privilege escalation exploit for CVE-2026-41651 affecting PackageKit on Linux. It contains one C source file and one README. The C program is the main exploit entry point and implements the full attack chain rather than just detection. It targets PackageKit 1.0.2 through 1.3.4 and abuses a TOCTOU condition in PackageKit transaction handling over the system D-Bus. The code defines PackageKit D-Bus identifiers (org.freedesktop.PackageKit, /org/freedesktop/PackageKit, and org.freedesktop.PackageKit.Transaction), indicating that the exploit interacts directly with the PackageKit daemon to trigger InstallFiles-style transactions. A notable capability is that the exploit constructs a minimal Debian package entirely in memory. Helper routines implement CRC32, gzip generation, tar entry creation, and ar archive member creation so the program can assemble a valid .deb without external tooling. The package includes a control file and a postinst maintainer script. The intended effect of the postinst is to create or copy a bash binary to /tmp/.suid_bash and set the SUID bit, yielding a reusable root shell primitive. The exploit then races PackageKit transaction state changes so that a simulated or authorization-bypassing transaction is replaced with the attacker-controlled payload package before dispatch. It monitors /var/lib/dpkg/lock to infer package processing timing and polls for the appearance of /tmp/.suid_bash. On success, it executes /tmp/.suid_bash -p -c id and then attempts to spawn an interactive privileged shell attached to the current TTY. Repository structure is minimal and purpose-built: README.md documents the vulnerability, affected versions, compilation, and usage; CVE-2026-41651.c contains all exploit logic, package-building routines, race orchestration, success checks, and shell execution. Overall, this is an operational local exploit with a hardcoded privilege-escalation payload, not a framework module and not merely a proof-of-concept detector.

This repository is a small standalone Python exploit repo containing one executable exploit script (cve-2026-41651.py) plus README/analysis documentation. The exploit targets CVE-2026-41651, a local TOCTOU privilege-escalation flaw in PackageKit/packagekitd affecting versions 1.0.2 through 1.3.4 and fixed in 1.3.5. The exploit is purely local and not framework-based. It communicates with PackageKit over the system D-Bus using org.freedesktop.PackageKit and its transaction interface. Its core capability is to abuse PackageKit's InstallFiles flow by issuing two asynchronous installation requests: first a simulated install of a benign dummy package to bypass polkit prompting, then a real install of a malicious package whose cached transaction state is used when the queued operation executes. The malicious package contains a postinst script that runs as root. A notable feature is that the script builds minimal Debian .deb archives entirely in Python without external packaging tools. It implements its own CRC-32, gzip writer, tar entry builder, and ar archive writer to assemble valid .deb files. The generated payload package embeds a ./postinst script. By default that script runs 'install -m 4755 /bin/bash /tmp/.suid_bash', creating a SUID root shell binary. After exploitation, the script either spawns an interactive shell via pty or runs a user-supplied command through the SUID bash. Cleanup removes temporary artifacts unless --no-cleanup is used. Repository structure is simple: README.md explains requirements and usage; ANALYSE.md provides a detailed walkthrough of the exploit logic; cve-2026-41651.py is the only code file and clear entry point. There are no network sockets, HTTP requests, C2 endpoints, or exfiltration logic. Fingerprintable targets are limited to local D-Bus names/object paths and local filesystem paths such as /bin/bash and the dropped SUID file under /tmp. Overall, this is an operational local privilege-escalation PoC with a built-in payload and optional custom post-install script support.

Repository contains a local Linux privilege-escalation PoC for CVE-2026-41651 targeting PackageKit. There are three files: a generic README, a Python exploit (poc.py), and a Bash port (poc.sh). The Python script is the primary implementation and uses python3-gi to talk to the system D-Bus PackageKit service. It detects whether dpkg-deb or rpmbuild is available, builds two local packages in /tmp (a dummy package and a payload package), then creates a PackageKit transaction and races two InstallFiles calls on the same transaction: first a simulated install, then a real install. The payload package contains a post-install script that copies /bin/bash to a writable executable location and sets mode 4755, producing a SUID-root shell binary named .suid_bash. The exploit then polls for that file and execs it with -p to obtain a root shell. The Bash script mirrors the same logic using dbus-send instead of Gio/GLib. Both variants are clearly exploit code rather than mere detection, although the Bash banner misleadingly calls itself a checker. The included comments also document defender-focused indicators such as D-Bus InstallFiles activity, packagekitd spawning shell from /tmp packages, and creation of SUID binaries in temporary directories. Overall, this is an operational local privilege-escalation PoC exploiting a TOCTOU flaw in PackageKit transaction handling, with hardcoded payload behavior and no remote C2 or external network infrastructure.

This repository is a small local privilege-escalation PoC/lab for a claimed PackageKit race condition identified as CVE-2026-41651. It contains two exploit implementations, one in C and one in Python, plus a Docker-based environment to reproduce the issue. The core exploit logic is the same in both versions: generate two Debian packages locally, obtain a PackageKit transaction over the system D-Bus, then issue two InstallFiles requests in quick succession—first a simulated install using a dummy package and then a real install using a malicious package. The malicious package includes a postinst script that runs 'install -m 4755 /bin/bash /tmp/.suid_bash', creating a SUID-root bash binary. The exploit then polls for that file and executes it with '-p' to obtain a root shell. Repository structure: exploit.c is the primary native implementation using GLib/GIO D-Bus APIs; exploit.py is a Python equivalent using gi.repository Gio/GLib; entrypoint.sh starts dbus-daemon, polkitd, and packagekitd inside the container and switches to an unprivileged user; Dockerfile builds a Debian trixie container with dbus, polkitd, and PackageKit 1.3.1-1 installed and copies in the compiled exploit binary; README.md provides a high-level description and reference link. The exploit is clearly local, not remote, and is operational because it includes a working privilege-escalation payload rather than mere detection logic.

This repository is a Dockerized lab for CVE-2026-41651 (Pack2TheRoot), centered on local privilege escalation in PackageKit. It contains three main environments: a vulnerable Fedora-based CTF container with a deliberately permissive polkit rule, a patched comparison container with hardened polkit policy, and an exploit container that builds vulnerable PackageKit 1.3.4 from source and runs a real C-based TOCTOU exploit against the PackageKit D-Bus interface. Repository structure: README and docs explain the challenge, hints, solution, threat model, and diagrams; exploit/ contains the main exploit implementation (Dockerfile, Makefile, entrypoint, and exploit/src/cve-2026-41651.c); vulnerable/ and patched/ define the two comparison lab targets and their polkit rules; scripts/ contains defensive and validation tooling such as version checks, IOC monitoring, mitigation deployment, and environment comparison. Main exploit capability: exploit/src/cve-2026-41651.c is a local C exploit that targets PackageKit transaction handling over D-Bus. It creates two crafted .deb packages in memory, then issues two asynchronous InstallFiles calls on the same PackageKit transaction: first with FLAG_SIMULATE against a benign dummy package to bypass polkit, then immediately with FLAG_NONE against a malicious payload package. The exploit relies on three documented logic flaws in pk-transaction.c: unconditional overwrite of cached flags/paths, silent rejection of backward state transitions, and deferred use of cached flags at dispatch time. The malicious package's postinst creates /tmp/.suid_bash with mode 4755, after which the exploit executes it to obtain euid=0. Secondary exploit path: the vulnerable container is not the TOCTOU bug itself but a training environment for the same privilege boundary. It exposes PackageKit over SSH on localhost:2222 and installs a permissive polkit rule granting org.freedesktop.packagekit.package-install-untrusted and install-untrusted without authentication. This allows an unprivileged user to install a crafted RPM via pkcon install-local --allow-untrusted and execute arbitrary root commands in the RPM %post scriptlet. Notable endpoints and targets include the PackageKit D-Bus service org.freedesktop.PackageKit, object path /org/freedesktop/PackageKit, transaction interface org.freedesktop.PackageKit.Transaction, local payload path /tmp/.suid_bash, root target file /root/flag.txt, and SSH ports 2222/2223 for the vulnerable and patched containers. The repo also includes defender-oriented scripts to detect IOC strings such as pk_transaction_finished_emit, emitted_finished, and pk-transaction.c:514 in logs. Overall, this is a real exploit lab rather than a detection-only repository. It is operational, self-contained, and designed for local privilege-escalation research, validation, and training.

Repository contains two files: a detailed README and one Python exploit/test script. The Python file is the main entry point and implements a local privilege escalation proof-of-concept for CVE-2026-41651 against vulnerable PackageKit versions on Linux. The exploit is not remote; it targets the system D-Bus PackageKit service as an unprivileged local user. Core capability: the script builds two local packages in /tmp, opens a system D-Bus connection, creates a PackageKit transaction, then issues two asynchronous InstallFiles calls against the same transaction object: first with FLAG_SIMULATE using a benign dummy package, then immediately with FLAG_NONE using a malicious payload package. On vulnerable PackageKit versions lacking a transaction state guard, the second call overwrites the queued parameters before authorization resolves. When PackageKit proceeds, it installs the attacker-controlled package as root. Payload behavior: the malicious package contains a post-install script (%post for RPM or postinst for DEB) that runs 'install -m 4755 /bin/bash /tmp/.suid_bash'. The script then polls for /tmp/.suid_bash to appear as a root-owned SUID binary and finally execs '/tmp/.suid_bash -p' to obtain a root shell. This makes the exploit operational rather than a pure detection script. Repository structure and purpose: README.md documents the vulnerability, attack chain, affected versions, remediation, and defender-focused indicators of compromise. cve-2026-41651-purpleteam.py contains all exploit logic: package manager detection, DEB/RPM package construction, D-Bus transaction creation, race triggering, success polling, cleanup, and shell execution. The overall purpose is a purple-team validation artifact for testing exploitability and generating telemetry on authorized systems.

This repository is a small standalone local privilege-escalation PoC consisting of a README and one C source file. The README describes CVE-2026-41651 as a Linux privilege-escalation issue tied to a so-called 'Pack2TheRoot' vulnerability, but the actual exploit code targets PackageKit over the system D-Bus rather than a separate remote service. The main file, cve-2026-41651.c, builds two temporary Debian packages under /tmp: a dummy package and a payload package. The helper function mkpkg() creates a minimal Debian package structure, writes a control file, optionally writes a postinst shell script, then invokes dpkg-deb to build the package. The payload package’s postinst script runs 'install -m 4755 /bin/bash /tmp/.suid_bash', which would create a SUID-root bash binary if executed with elevated privileges. In main(), the exploit connects to the system D-Bus using GLib/GIO, calls PackageKit's CreateTransaction method, and then issues two asynchronous InstallFiles calls against the returned transaction object: one with a flag value of 4 against the dummy package and one with a flag value of 0 against the payload package. The printed message 'Racing: SIMULATE -> REAL...' indicates the exploit is attempting to abuse a race condition or state confusion in PackageKit transaction handling. After flushing the D-Bus connection, it polls for up to 60 seconds for /tmp/.suid_bash to appear with the SUID bit set. If successful, it executes that binary with '-p' to preserve privileges and obtain a root shell. Capabilities: local exploitation only; package generation; interaction with PackageKit over D-Bus; execution of a post-install payload as root if the vulnerability is present; spawning of a root shell. There are no external network callbacks, C2 endpoints, or remote targets in the code. The most fingerprintable artifacts are the D-Bus service/interface names, the temporary .deb files in /tmp, the temporary build directories, and the final SUID shell path /tmp/.suid_bash.

This repository is a compact local privilege-escalation exploit for CVE-2026-41651 in PackageKit. It is not part of a larger exploit framework. The main exploit is src/cve-2026-41651.c, supported by a Makefile for compilation, a Dockerfile that builds a reproducible vulnerable lab, and src/entrypoint.sh that launches dbus, polkitd, and packagekitd before executing the exploit as an unprivileged user. Core capability: the C program abuses a TOCTOU flaw in PackageKit transaction handling by issuing two asynchronous D-Bus InstallFiles requests on the same transaction. The first uses the SIMULATE flag to bypass polkit authorization and move the transaction into a READY state. Before the queued idle callback dispatches, the second call overwrites cached flags and file paths with attacker-controlled values while the state transition back to WAITING_FOR_AUTH is silently rejected. When PackageKit later executes the transaction, it installs the attacker’s payload package as root. The payload package’s maintainer script creates a SUID bash at /tmp/.suid_bash, which the exploit then executes with -p to obtain euid 0 and optionally an interactive root shell. Repository structure and purpose: - src/cve-2026-41651.c: primary exploit implementation in C. It contains helper routines to build Debian package artifacts in memory/runtime, communicates with PackageKit over D-Bus, monitors installation progress, checks /var/lib/dpkg/lock, and launches the resulting SUID shell. - Makefile: compiles the exploit against gio-2.0 and cleans temporary package artifacts and the SUID shell. - Dockerfile: creates a two-stage Ubuntu 24.04 environment, clones vulnerable PackageKit source from GitHub, checks out commit 2149735, builds/install it, creates a non-root victim user, compiles the exploit, and sets the container entrypoint. - src/entrypoint.sh: starts system D-Bus, polkitd, and packagekitd, prints environment info, then runs the exploit as user victim. - README.md: documents the vulnerability mechanics, exploit flow, usage, Docker demo, and references. The exploit is operational rather than a mere PoC because it includes a working payload path and automated privilege-escalation steps, but it is still narrowly tailored to the vulnerable PackageKit behavior and Debian-package installation path rather than being a generalized weaponized framework.