Closed Darkcast closed 3 years ago
Can you try this one? https://github.com/r4j0x00/exploits/tree/master/CVE-2021-3156_one_shot
And well yeah you can remove those folders. You should've run the exploit at /tmp. It's just how the exploit works.
I've run the exploit at /tmp but it doesn't work. @r4j0x00
@wisoez it is because you are running a patched sudo version.
> @wisoez it is because you are running a patched sudo version.

Sudo ver 1.8.21p2, same as your example https://camo.githubusercontent.com/a89bb5db201e08c98895ebee104a49f5e3d73355a8badc59af42847645e19c79/68747470733a2f2f692e696d6775722e636f6d2f386159525031472e706e67
Thank you for all your posts. It's interesting because that lab image is an old image (apparently not old enough) and I didn't update it before trying it. I'll try with another image.
Thank you again for all your help, and great job to everyone.
> > @wisoez it is because you are running a patched sudo version.
>
> Sudo ver 1.8.21p2 same with your example https://camo.githubusercontent.com/a89bb5db201e08c98895ebee104a49f5e3d73355a8badc59af42847645e19c79/68747470733a2f2f692e696d6775722e636f6d2f386159525031472e706e67

No it's not, check `apt-cache policy sudo`
> @wisoez it is because you are running a patched sudo version.

Based on this, mine should be vulnerable: https://nvd.nist.gov/vuln/detail/CVE-2021-3156
Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
> > @wisoez it is because you are running a patched sudo version.
>
> based on this mine should be vulnerabble https://nvd.nist.gov/vuln/detail/CVE-2021-3156
> Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Yeah, yours does look vulnerable. @wisoez was running a patched version. I'll ask again, have you tried running the one shot exploit? (https://github.com/r4j0x00/exploits/tree/master/CVE-2021-3156_one_shot) Also, yours doesn't look like a default Ubuntu 20.04.1 install?
I've tested it on vanilla ubuntu 18.04 and 20.04.1 install (both ubuntu desktop and ubuntu server)
The one shot exploit doesn't work on Linux Lite
```
sudoedit: QXKVvwCKFbQgszpjZpDJduUXZLfVpeRG4094 is owned by uid 1000, should be 0
sudoedit: no password was provided
sudoedit: QXKVvwCKFbQgszpjZpDJduUXZLfVpeRG4095 is owned by uid 1000, should be 0
sudoedit: no password was provided
Failed
```

```
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Linux Lite 5.2"
VERSION_ID="20.04"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
```
Running Sudo version 1.8.31
and it created all of these folders on the desktop too.
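
The disagreement above (same upstream version string, different patch status) is the usual backport problem: a distribution can fix CVE-2021-3156 without changing the upstream version that `sudo -V` prints. The following triage helper is an added example, not part of the thread or of the exploit repository; the function names and the sample command output are constructed for illustration, and only the `1.9.5p2` boundary comes from the NVD text quoted above.

```python
import re

FIXED_UPSTREAM = (1, 9, 5, 2)  # 1.9.5p2, the fixed release named in the NVD text


def parse_upstream(text):
    """Return (major, minor, micro, patch) from a string such as '1.8.21p2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    # A missing pN suffix sorts before p1, so treat it as patch level 0.
    return tuple(int(g) if g else 0 for g in m.groups())


def installed_package(policy_output):
    """Extract the 'Installed:' revision from `apt-cache policy sudo` output."""
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_output, re.MULTILINE)
    return m.group(1) if m else None


def triage(sudo_v_output, policy_output=""):
    """Classify a host from `sudo -V` and `apt-cache policy sudo` output."""
    if parse_upstream(sudo_v_output) >= FIXED_UPSTREAM:
        return "fixed-upstream"
    pkg = installed_package(policy_output)
    if pkg is None or pkg == "(none)":
        return "in-affected-range: no package revision available, treat as vulnerable"
    # The upstream string alone cannot show a backported fix; the package
    # revision has to be compared with the distribution's security advisory.
    return f"in-affected-range: compare package revision {pkg} with the distro advisory"


# Constructed sample output (not taken from any host in the thread).
SAMPLE_SUDO_V = "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n"
SAMPLE_POLICY = """sudo:
  Installed: 1.8.31-1ubuntu1
  Candidate: 1.8.31-1ubuntu1
  Version table:
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SUDO_V, SAMPLE_POLICY))
```
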