Light

xawdxawdx / cve-2021-3156 Goto Github PK

View Code? Open in Web Editor NEW

This project forked from worawit/cve-2021-3156

0.0 1.0 0.0 69 KB

Sudo Baron Samedit Exploit

License: BSD 3-Clause "New" or "Revised" License

Assembly 3.01% Python 87.48% C 9.51%

cve-2021-3156's Introduction

CVE-2021-3156 (Sudo Baron Samedit)

This repository is CVE-2021-3156 exploit targeting Linux x64. For writeup, please visit https://datafarm-cybersecurity.medium.com/exploit-writeup-for-cve-2021-3156-sudo-baron-samedit-7a9a4282cb31
Credit to Braon Samedit of Qualys for the original advisory.

Files

Exploit on glibc with tcache

exploit_nss.py auto detect all requirements and number of entries in /etc/nsswitch.conf
exploit_nss_manual.py simplified version of exploit_nss.py for better exploit understanding
exploit_timestamp_race.c overwrite def_timestamp and race condition to modify /etc/passwd

Exploit on glibc without tcache

exploit_defaults_mailer.py the exploit overwrite struct defaults to modify mailer binary path. It requires sudo compiled without disable-root-mailer such as CentOS 6 and 7.
exploit_userspec.py the exploit overwrite struct userspec to bypass authentication and add a new user in /etc/passwd. Support only sudo version 1.8.9-1.8.23.
exploit_cent7_userspec.py simplified version of exploit_userspec.py for understanding but target only CentOS 7 with default configuration
exploit_nss_d9.py overwrite struct service_user on Debian 9 but support only default /etc/nsswith.conf
exploit_nss_u16.py overwrite struct service_user on Ubuntu 16.04 but support only default /etc/nsswith.conf
exploit_nss_u14.py overwrite struct service_user on Ubuntu 14.04 but support only default /etc/nsswith.conf

Others

asm/ tinyelf library and executable for embedded in python exploit
gdb/ scripts that used for debugging sudo heap

Choosing exploit

For Linux distributions that glibc has tcache support and enabled (CentOS 8, Ubuntu >= 17.10, Debian 10):

try exploit_nss.py first
If an error is not glibc tcache related, you can try exploit_timestamp_race.c next

For Linux distribution that glibc has no tcache support:

if a target is Debian 9, Ubuntu 16.04, or Ubuntu 14.04, try exploit_nss_xxx.py for specific version first
next, try exploit_defaults_mailer.py. If you know a target sudo is compiled with --disable-root-mailer, you can skip this exploit. The exploit attempt to check root mailer flag from sudo binary. But sudo permission on some Linux distribution is 4711 (-rws--x--x) which is impossible to check on target system. (Known work OS is CentOS 6 and 7)
last, try exploit_userspec.py

cve-2021-3156's People

Contributors

Watchers

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.