worawit / CVE-2021-3156

Sudo Baron Samedit Exploit
BSD 3-Clause "New" or "Revised" License

Exploitation on Debian 8 (jessie) #8

Open xhat007 opened 3 years ago

xhat007 commented 3 years ago

Hi @worawit

Is exploitation possible on Debian 8?

$ sudo --version
Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3

$ uname -r
3.16.0-4-amd64

$ sudoedit -s '01234567890123456789\'
Error in `sudoedit': malloc(): memory corruption: 0x00005637fc4a7ea0
Aborted

I tried the following exploits:

$ python exploit_nss_u14.py
Segmentation fault

$ python exploit_nss_u16.py
Segmentation fault

$ python exploit_nss_d9.py
Segmentation fault

$ python exploit_userspec.py
curr size: 0x1600
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x00005634c93fcbd0
curr size: 0x1b00
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x000055bbd93f80d0
curr size: 0x1d80
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x000055a8debe8350
curr size: 0x1ec0
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x0000562e47bd3490
curr size: 0x1f60
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x0000561a4e9e9530
curr size: 0x1fb0
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x00005564bab37580
curr size: 0x1fd0
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x000055bcb07335a0
curr size: 0x1fe0
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x000055fd181b45b0
curr size: 0x1ff0
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x00005587a03975c0
has 2 holes. very big one is bad
curr size: 0xc00
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x00005651a540e1e0
curr size: 0x1000
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x000055f198e1f5e0
curr size: 0x1400
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x0000563b20a3d9e0
curr size: 0x1800
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x000055b4f44c6de0
curr size: 0x1c00
exit code: 6
Error in `sudoedit': malloc(): memory corruption: 0x000055d6e1c371e0
Traceback (most recent call last):
  File "exploit_userspec.py", line 736, in <module>
    main()
  File "exploit_userspec.py", line 652, in main
    cmnd_size = find_cmnd_size()
  File "exploit_userspec.py", line 173, in find_cmnd_size
    assert found, "Cannot find cmnd size"
AssertionError: Cannot find cmnd size

Any help would be appreciated!

worawit commented 3 years ago

I have not tested on Debian 8. From the sudo and glibc versions, it should be exploitable.

From the output, my exploit fails at the first step. I cannot help you in this case because debugging is needed.

xhat007 commented 3 years ago

Hi @worawit

What do I need to do to debug?

Thanks.