r4j0x00 / exploits


Doesn't work on LinuxLite #3

Closed Darkcast closed 3 years ago

Darkcast commented 3 years ago

The one shot exploit doesn't work on Linux Lite

sudoedit: QXKVvwCKFbQgszpjZpDJduUXZLfVpeRG4094 is owned by uid 1000, should be 0
sudoedit: no password was provided
sudoedit: QXKVvwCKFbQgszpjZpDJduUXZLfVpeRG4095 is owned by uid 1000, should be 0
sudoedit: no password was provided
Failed

VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Linux Lite 5.2"
VERSION_ID="20.04"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Running Sudo version 1.8.31

And it created all of these folders on the desktop too.


r4j0x00 commented 3 years ago

can you try this one https://github.com/r4j0x00/exploits/tree/master/CVE-2021-3156_one_shot ?

r4j0x00 commented 3 years ago

And well yeah you can remove those folders. You should've run the exploit at /tmp. It's just how the exploit works.

investlab commented 3 years ago

I've run the exploit at /tmp but it doesn't work. @r4j0x00

r4j0x00 commented 3 years ago

@wisoez it is because you are running a patched sudo version.

investlab commented 3 years ago

> @wisoez it is because you are running a patched sudo version.

Sudo ver 1.8.21p2 same with your example https://camo.githubusercontent.com/a89bb5db201e08c98895ebee104a49f5e3d73355a8badc59af42847645e19c79/68747470733a2f2f692e696d6775722e636f6d2f386159525031472e706e67

Darkcast commented 3 years ago

Thank you for all your posts, it's interesting because that lab image is an old image (apparently not old enough) and I didn't update it before trying it. I'll try with another image.

Thank you again for all your help and great job to everyone

r4j0x00 commented 3 years ago

> > @wisoez it is because you are running a patched sudo version.
>
> Sudo ver 1.8.21p2 same with your example https://camo.githubusercontent.com/a89bb5db201e08c98895ebee104a49f5e3d73355a8badc59af42847645e19c79/68747470733a2f2f692e696d6775722e636f6d2f386159525031472e706e67

No it's not, check apt-cache policy sudo

Darkcast commented 3 years ago

> @wisoez it is because you are running a patched sudo version.

Based on this mine should be vulnerable https://nvd.nist.gov/vuln/detail/CVE-2021-3156

Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

r4j0x00 commented 3 years ago

> > @wisoez it is because you are running a patched sudo version.
>
> Based on this mine should be vulnerable https://nvd.nist.gov/vuln/detail/CVE-2021-3156
>
> Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Yeah, yours does look vulnerable. @wisoez was running a patched version. I'll ask again, have you tried running the one shot exploit? (https://github.com/r4j0x00/exploits/tree/master/CVE-2021-3156_one_shot) Also, yours doesn't look like a default Ubuntu 20.04.1 install?

r4j0x00 commented 3 years ago

I've tested it on vanilla Ubuntu 18.04 and 20.04.1 installs (both Ubuntu desktop and Ubuntu server)