
Comments (4)

worawit commented on July 20, 2024

exploit_nss_d9.py is likely to fail if any related configuration is not the same as mine. When the exploit fails, a "segmentation fault" is very likely. But yours has no error.

exploit_userspec.py might fail, but normally not at this step.

So I suspect the sudo is patched. Did you check whether sudo is vulnerable before running the exploit?

from cve-2021-3156.

worawit commented on July 20, 2024

It is possible to exploit this vuln on Debian 9.

exploit_nss_d9.py is for Debian 9 with the default configuration. exploit_userspec.py is for many targets but needs brute-forcing.


xhat007 commented on July 20, 2024

I have the following output when running exploit_nss_d9.py:

xhat@debian:~/Desktop$ python exploit_nss_d9.py
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt]
[-u user] file ...

and when running exploit_userspec.py:

xhat@debian:~/Desktop$ python exploit_userspec.py

curr size: 0x1600

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1b00

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1d80

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1ec0

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1f60

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1fb0

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1fd0

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1fe0

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1ff0

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

has 2 holes. very big one is bad

curr size: 0xc00

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1000

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1400

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1800

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

curr size: 0x1c00

exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

Traceback (most recent call last):
  File "exploit_userspec.py", line 736, in <module>
    main()
  File "exploit_userspec.py", line 652, in main
    cmnd_size = find_cmnd_size()
  File "exploit_userspec.py", line 173, in find_cmnd_size
    assert found, "Cannot find cmnd size"
AssertionError: Cannot find cmnd size

Thanks.


xhat007 commented on July 20, 2024

Hi, @worawit

You are right, the sudo package version comes patched on this Linux distro. Sorry, my bad, I didn't check before running the exploit.

$ uname -a
Linux localhost 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux

$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ sudo --version
Sudo version 1.8.19p1
Sudoers policy plugin version 1.8.19p1
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.19p1

$ sudoedit -s '12345678901234567890'
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...

./thanks

from cve-2021-3156.
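The thread's outcome, a sudo that reports 1.8.19p1 yet is already patched, can be checked before anything else is run. The following is an added example, not code from the thread or from the exploit repository: it combines the upstream affected ranges from the sudo project's advisory with the behavioural probe whose output is posted above. The function names are hypothetical, and the "sudoedit:" response for an unpatched host is a constructed sample based on the public advisory for `sudoedit -s /`.

```python
import re

# Upstream sudo releases affected by CVE-2021-3156 (sudo project advisory):
# 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1.
# Tuples are (major, minor, patch, pN).
AFFECTED_RANGES = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]


def parse_sudo_version(version_text):
    """Extract (major, minor, patch, pN) from `sudo --version` output, or None."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version_text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def in_upstream_affected_range(version):
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify_probe(probe_output):
    """Classify the first line printed by a `sudoedit -s ...` probe."""
    lines = probe_output.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith("usage:"):
        return "patched"        # patched parser rejects -s under sudoedit
    if first.startswith("sudoedit:"):
        return "vulnerable"     # -s was accepted in edit mode
    return "inconclusive"


def triage(version_text, probe_output):
    """Combine both signals; the behavioural probe wins over the version string."""
    version = parse_sudo_version(version_text)
    probe = classify_probe(probe_output)
    if probe == "inconclusive":
        return "inconclusive: rerun the probe and check the distro security tracker"
    if probe == "patched" and version and in_upstream_affected_range(version):
        return "patched: fix backported by the distribution, version string is misleading"
    return probe


# Output posted in the thread (Debian 9, sudo 1.8.19p1).
THREAD_VERSION = "Sudo version 1.8.19p1\nSudoers policy plugin version 1.8.19p1\n"
THREAD_PROBE = ("usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] "
                "[-h host] [-p\nprompt] [-u user] file ...\n")
# Constructed sample: response of an unpatched host to `sudoedit -s /`.
CONSTRUCTED_VULNERABLE_PROBE = "sudoedit: /: not a regular file\n"

if __name__ == "__main__":
    print(triage(THREAD_VERSION, THREAD_PROBE))
    print(triage(THREAD_VERSION, CONSTRUCTED_VULNERABLE_PROBE))
```

For patch verification across a fleet, the package changelog or the distribution's security tracker remains the authoritative source; the probe only confirms the behaviour on the host where it ran.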
