Comments (4)
exploit_nss_d9.py is likely to fail if any related configuration is not the same as mine. When the exploit fails, a "segmentation fault" is very likely. But yours has no error.
exploit_userspec.py might fail, but normally not at this step.
So I suspect sudo is patched. Did you check whether sudo is vulnerable before running the exploit?
from cve-2021-3156.
It is possible to exploit this vuln on Debian 9.
exploit_nss_d9.py is for Debian 9 with the default configuration. exploit_userspec.py is for many targets but needs brute-forcing.
from cve-2021-3156.
I get the following output when running exploit_nss_d9.py:
xhat@debian:~/Desktop$ python exploit_nss_d9.py
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt]
[-u user] file ...
and when running exploit_userspec.py:
xhat@debian:~/Desktop$ python exploit_userspec.py
curr size: 0x1600
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1b00
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1d80
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1ec0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1f60
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1fb0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1fd0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1fe0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1ff0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
has 2 holes. very big one is bad
curr size: 0xc00
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1000
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1400
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1800
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
curr size: 0x1c00
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
Traceback (most recent call last):
  File "exploit_userspec.py", line 736, in <module>
    main()
  File "exploit_userspec.py", line 652, in main
    cmnd_size = find_cmnd_size()
  File "exploit_userspec.py", line 173, in find_cmnd_size
    assert found, "Cannot find cmnd size"
AssertionError: Cannot find cmnd size
Thanks.
from cve-2021-3156.
Hi, @worawit
You are right, the sudo package comes patched on this Linux distro. Sorry, my bad, I didn't check before running the exploit.
$ uname -a
Linux localhost 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ sudo --version
Sudo version 1.8.19p1
Sudoers policy plugin version 1.8.19p1
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.19p1
$ sudoedit -s '12345678901234567890'
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file ...
./thanks
from cve-2021-3156.
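The exchange above turns on a check the exploit scripts do not perform for you: whether the target's sudo is still vulnerable to CVE-2021-3156. The version string is not enough, because distributions backport the fix (the Debian 9 host above reports 1.8.19p1 and is patched). The script below is an added example, not code from this thread or from worawit's repository. It wraps the behavioural test published in the Qualys advisory, `sudoedit -s /`, which exercises the buggy argument handling without triggering the heap overflow: a vulnerable sudoedit gets as far as opening the path and reports "not a regular file", while a fixed one rejects `-s` and prints the usage text, exactly as in the output above. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from worawit's repo): decide whether a host
# is vulnerable or patched for CVE-2021-3156 from the behaviour of `sudoedit -s /`
# (the Qualys advisory's test) rather than from `sudo --version`, which backports
# make unreliable. Function names are hypothetical.

# Classify the combined stdout/stderr of `sudoedit -s /`.
# Prints exactly one of: vulnerable | patched | unknown
classify_sudoedit_output() {
    case "$1" in
        *"not a regular file"*)
            # A vulnerable sudoedit accepted -s with "/" and tried to edit it:
            # the shell-mode argument handling that the overflow abuses is present.
            echo vulnerable ;;
        *usage:*)
            # A fixed sudoedit refuses -s up front and prints its usage text,
            # which is what the patched Debian 9 host in this thread shows.
            echo patched ;;
        *)
            # Anything else (command not found, unexpected wording, empty output).
            echo unknown ;;
    esac
}

# Run the live test on this host as a non-root user.
# Exit status: 0 = vulnerable, 1 = patched, 2 = could not determine.
check_sudo_cve_2021_3156() {
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo "sudoedit not found in PATH" >&2
        echo unknown
        return 2
    fi
    # stdin from /dev/null so a password prompt can never block the check;
    # `|| true` because both outcomes make sudoedit exit non-zero.
    out=$(sudoedit -s / </dev/null 2>&1 || true)
    result=$(classify_sudoedit_output "$out")
    echo "$result"
    case "$result" in
        vulnerable) return 0 ;;
        patched)    return 1 ;;
        *)          return 2 ;;
    esac
}

# Usage: sh check_sudo.sh run   (prints the version line for the record, then the verdict)
if [ "${1:-}" = "run" ]; then
    sudo --version 2>/dev/null | head -n 1
    check_sudo_cve_2021_3156
fi
```

Run it as an ordinary user before trying either exploit script; a "patched" verdict means the segfault-free usage output seen above is expected and brute-forcing the cmnd size in exploit_userspec.py cannot succeed. Treat "unknown" as a reason to look at the raw output by hand rather than as either verdict.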