CVE-2021-3156 Sudo LPE (AKA: Baron Samedit) Improvements #14740
Conversation
Here's another recent writeup about the
May it be possible to add a CentOS target?
No one has developed offsets for CentOS yet. Check out this writeup for information on the exploitation technique and adding targets.
Code looks good; however, for some reason I can't reproduce this (and the original PoC) on an Ubuntu 20.04.1 VM.
Works well on Ubuntu 18.04:
Release Notes
Improved the CVE-2021-3156 (a.k.a. Baron Samedit) module with a couple of features that were left out of the first submission due to time constraints (e.g. cleanup and randomisation of the payload library). Also added a target for Ubuntu 19.04.
This makes a few improvements to the CVE-2021-3156 module and adds a couple of features that were left out of the first submission due to time constraints. Unfortunately, I don't have any new targets to add yet. I made a couple of changes to the Linux mixins as well to facilitate what I was doing.

- Updated the `mkdir` mixin command to handle existing directories in the same way for meterpreter sessions as for shell sessions (don't raise an exception).
- Updated `get_sysinfo` to remove leading and trailing whitespace around the `version` key.
- Added a `WriteableDir` datastore option. This involved updating the compiler mixin as well to escape spaces with backslashes.

Testing

- `use exploit/linux/local/sudo_baron_samedit`
- Set `WriteableDir` to `/tmp/Hello World` or something else with a space in it. Make sure the directory already exists on the target system; the module will not create it automatically.
- Check the library name (it is not `libnss_X/P0P_SH3LLZ_ .so.2` anymore).

Example Output

Library Name

The library name is randomized now; however, since it's part of the memory corruption chain there are some constraints on it. From my testing, I noticed that the randomized component:

- must contain a `/`, which may be placed anywhere in the string

The original C exploit was updated to take the library name as an optional parameter at the end. If it's omitted, the original `X/P0P_SH3LLZ_` value is used, allowing the exploit to still be compiled and run as a standalone unit.
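As an added illustration of the two string-handling points in the description above (a randomized library-name component that must carry a `/`, and a `WriteableDir` containing spaces that has to survive the compiler command line), here is a small Ruby sketch. It is not code from the metasploit-framework module or from this PR. The character alphabet for the random part, keeping the component the same length as the original `X/P0P_SH3LLZ_`, the `ensure_dir` helper and the `gcc` flags are all assumptions made for the example; only the `libnss_<component> .so.2` shape (space included) and the backslash escaping of spaces come from the description.

```ruby
require 'securerandom'
require 'shellwords'
require 'fileutils'

# Added example, not the module's or the PR's own code. Assumptions are marked.
module BaronSameditNaming
  # The hard-coded component the original C exploit uses when no name is given.
  ORIGINAL_COMPONENT = 'X/P0P_SH3LLZ_'.freeze

  # Alphabet for the randomized characters. Assumption: the description only
  # states that a '/' must be present, so alphanumerics plus '_' (the characters
  # of the original value) are used here.
  ALPHABET = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['_']).freeze

  # Generate a randomized component containing exactly one '/' at a random
  # position. Assumption: the length is kept equal to the original so the rest
  # of the corruption chain sees a string of the same size.
  def self.random_component(length: ORIGINAL_COMPONENT.length)
    raise ArgumentError, 'length must be at least 2' if length < 2

    chars = Array.new(length) { ALPHABET[SecureRandom.random_number(ALPHABET.length)] }
    chars[SecureRandom.random_number(length)] = '/'
    chars.join
  end

  # Check the constraints this example enforces; the original value passes too.
  def self.valid_component?(component)
    component.length == ORIGINAL_COMPONENT.length &&
      component.count('/') == 1 &&
      component.delete('/').each_char.all? { |c| ALPHABET.include?(c) }
  end

  # Library file name as it is requested on the target; note the space before
  # ".so.2", exactly as in the original "libnss_X/P0P_SH3LLZ_ .so.2".
  def self.library_name(component)
    "libnss_#{component} .so.2"
  end

  # Path of the shared object under WriteableDir. Because the component holds a
  # '/', the file lives in a subdirectory (e.g. WriteableDir/libnss_X/).
  def self.library_path(writeable_dir, component)
    File.join(writeable_dir, library_name(component))
  end

  # Create a directory only if it is missing and never raise for an existing
  # one, mirroring the mkdir behaviour the description aligns across sessions.
  # Assumption: mkdir_p is used here purely as the local stand-in.
  def self.ensure_dir(path)
    FileUtils.mkdir_p(path)
    path
  end

  # Build the compiler command line with every argument escaped for a POSIX
  # shell. Shellwords.escape backslash-escapes spaces (and other shell
  # metacharacters), so a WriteableDir such as "/tmp/Hello World" stays one
  # argument. Assumption: the gcc flags are illustrative, not the module's.
  def self.compile_command(source_path, writeable_dir, component)
    argv = ['gcc', '-fPIC', '-shared', '-o',
            library_path(writeable_dir, component), source_path]
    argv.map { |arg| Shellwords.escape(arg) }.join(' ')
  end
end

if $PROGRAM_NAME == __FILE__
  component = BaronSameditNaming.random_component
  puts component
  puts BaronSameditNaming.compile_command('/tmp/lib.c', '/tmp/Hello World', component)
end
```

`Shellwords.escape` escapes more than spaces, which is the safer superset once the directory name comes from an operator-controlled datastore option; `Shellwords.split` on the resulting command line returns the original argv, which is the check worth running whenever a path with spaces is spliced into a shell string.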