Comments (6)
worawit
commented on July 20, 2024
No. The user is not in /etc/sudoers should be easier.
the checking function iterates from last rule to first rule.
If the user is NOT in sudoers, overwriting only first userspec is enough.
If the user is in sudoers, you have to overwriting first userspec (for cleanup without a crash) and a userspec before the user one (because iterating do "curr->prev->prev->next" instead of "curr->prev").
Note:
- current exploit_userspec.py does not work when only 1 rule is in /etc/sudoers (including rules in /etc/sudoers.d/*). might fix if this case exists
- if the user is in /etc/sudoers (and no explicit PASSWD in the rule), you can overwrite only defaults (see exploit_defaults_mailer.py as an example) by setting def_authenticate to 0
from cve-2021-3156.
lalkh
commented on July 20, 2024
Note:
current exploit_userspec.py does not work when only 1 rule is in /etc/sudoers (including rules in /etc/sudoers.d/*). might fix if this case exists
yes, this situation is what I faced,because I‘m not clear what kind of data I have to overwrite. I have to say bruteforce stack_addr is really a genius idea,I found 0x7ffxxxx00000 is always 0x7ffexxx00000 on my system,I have modified that and It works on my system. By the way, It would be awesome that you would implement that scenario.
from cve-2021-3156.
worawit
commented on July 20, 2024
I added support 1 rule in /etc/sudoers for exploit_userspec.py.
Can you try it and give me a result?
from cve-2021-3156.
lalkh
commented on July 20, 2024
Yes, It is now work on my system. And I found it doesn't work on my ubuntu16.04.6
offset to first userspec: 0x370
offset_max: 0x280
offset_min: 0x180
at range: 0x0-0x70
cmnd size: 0x1230
offset to defaults: 0x60
offset to first userspec: 0x370
offset to userspec: 0x1d0
to skip finding offsets next time no this machine, run:
exploit_userspec.py 0x1230 0x60 0x370 0x1d0
invalid offset. exit code: 139
from cve-2021-3156.
worawit
commented on July 20, 2024
I totally forgot this case. Ubuntu 16.04 apport is enabled by default. So exit status is coredump (128) + sigsegv (11).
Fixed it.
Note: apport does coredump on all sigsegv, so the exploit will run much slower.
from cve-2021-3156.
lalkh
commented on July 20, 2024
When I was in docker,I think the chunks have some difference. bruteforce cannot success even I closed ASLR and use a correct stack addr.
from cve-2021-3156.
Related Issues (18)
- About Ubuntu 14.04 or 16.04 without tcache. HOT 1
- Exploit on Ubuntu Server 18.04.2 LTS Worked BUT.... HOT 2
- exploit is successful but the created account is blocked HOT 1
- Exploitation on CentOS 6.10 (Final) HOT 3
- invalid offset. exit code: 256 (Amazon Linux AMI release 2017.09 / libc 2.17 )
- Centos 8 can be used, but some configuration needs to be modified
- invalid offset. exit code: 256 (Cnetos 6.9 / libc 2.12 )
- Exploitation on Debian 10 cloud image HOT 5
- 'AssertionError' feedback HOT 3
- TypeError: bytes or integer address expected instead of str instance HOT 2
- not allowed to raise maximum limit HOT 1
- Can you make Exploit code in 32bit? (no tcache) HOT 2
- Exploitation on Debian 7 HOT 1
- Exploitation on Debian 9.5 stretch HOT 4
- Centos7.9 cannot use HOT 2
- Exploitation on Debian 8 (jessie) HOT 2
- Cannot find cmnd size Ubuntu 16 / GLIB 2.23 HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cve-2021-3156.