worawit / CVE-2021-3156

Sudo Baron Samedit Exploit
BSD 3-Clause "New" or "Revised" License

'AssertionError' feedback #20

Open yasooknigth opened 2 years ago

yasooknigth commented 2 years ago

Hi, worawit. I've learned a lot about heap overflow from your project. But I have a new error during my VM testing: the size parameter of the cmnd function cannot be obtained accurately all the time. Here is the 'Error Message' below:

[test@localhost tmp]$ python exploit_userspec.py

curr size: 0x1600

exit code: 11

curr size: 0x1100

exit code: 11

curr size: 0xe80

exit code: 11

curr size: 0xd40

exit code: 11

curr size: 0xca0

exit code: 11

curr size: 0xc50

exit code: 11

curr size: 0xc20

exit code: 11

curr size: 0xc10

exit code: 11

Traceback (most recent call last):
  File "exploit_userspec.py", line 736, in <module>
    main()
  File "exploit_userspec.py", line 652, in main
    cmnd_size = find_cmnd_size()
  File "exploit_userspec.py", line 154, in find_cmnd_size
    assert size_min == 0x2000 - 0x10
AssertionError

And here is the version below:

[test@localhost tmp]$ sudo -V
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
[test@localhost tmp]$ hostnamectl
  Static hostname:  localhost
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 71a7851c7f64482cad825974248cc902
           Boot ID: d6b64d7f01684b8ca51f807d08079a03
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-957.21.3.el7.x86_64
[test@localhost tmp]$ python -V
Python 2.7.5
[test@localhost tmp]$ sysctl -a --pattern randomiz
kernel.randomize_va_space = 2
[test@localhost tmp]$ ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Also, I tried manually getting specific parameter values and specifying specific inputs (some Python code I've changed with local debugging):

exploit_userspec.py 0x2000 0
exploit_defaults_mailer.py 0x2000 0

The Error code still exists
Traceback (most recent call last):
  File "exploit_userspec.py", line 736, in <module>
    main()
  File "exploit_userspec.py", line 652, in main
    cmnd_size = find_cmnd_size()
  File "exploit_userspec.py", line 154, in find_cmnd_size
    assert size_min == 0x2000 - 0x10
AssertionError

yasooknigth commented 2 years ago

Emmmmm, about more? The CPU & cores are both OK...

gzz2000 commented 1 year ago

Have you solved this issue? I also encountered this on CentOS 7, sudo 1.8.6, and libc 2.17

gzz2000 commented 1 year ago

Below is how to reproduce this problem:

docker run -it --rm centos:centos7.1.1503
# below: inside docker
curl https://yum.oracle.com/repo/OracleLinux/OL7/3/base/x86_64/getPackage/sudo-1.8.6p7-20.el7.x86_64.rpm -o sudo-1.8.6p7-20.el7.x86_64.rpm
rpm -i sudo-1.8.6p7-20.el7.x86_64.rpm

adduser test
su test
# then download and run exploit_defaults_mailer.py, it will report AssertionError.