## https://sploitus.com/exploit?id=220FB384-4CFD-5648-A0B1-2CD1A59BA8A7
# CVE-2021-3156 — "Baron Samedit" Lab & Exploit
This repository provides a self-contained, educational environment to understand and exploit `CVE-2021-3156`, a heap-based buffer overflow in `sudo` that allows any unprivileged user to gain root privileges on vulnerable systems (sudo versions prior to `1.9.5p2`).
> This material is for **authorized security training and research only**.
> Unauthorized/Unethical use against systems you do not own is **illegal**.
## Repository Structure
- `Demo-Docker/` – Dockerized vulnerable lab environment
- `Dockerfile` – Builds an Ubuntu `20.04` container with sudo `1.8.31` (vulnerable)
- `docker-compose.yml` – Orchestrates the container with exploit source mounting
- `entrypoint.sh` – Simple script to keep the container alive
- `Exploit/` – Public exploit code (originally by blasty) adapted for this lab
- `hax.c` – Main exploit payload
- `lib.c` – Shared library that spawns a root shell when loaded
- `Makefile` – Compiles the exploit and the malicious library
- `brute.sh` – Brute‑force helper to find working offsets for different targets
## Getting Started
### Prerequisites
- Docker & Docker Compose (or Docker Engine with Compose plugin)
- Basic familiarity with C language, Make, and command‑line tools
### Building and Running the Lab
1. **Clone this repository**
```bash
git clone https://github.com/Theleopard65/CVE-2021-3156-Baron-Samedit.git
cd CVE-2021-3156-Baron-Samedit
```
2. **Start vulnerable container**: The below command builds the image and starts a container named `baron_samedit_lab`.
```bash
cd Demo-Docker
docker compose up -d
```
3. **Access the container**:
- You are logged in as `labuser` (password: `labpassword`).
- The exploit source is mounted at `/home/labuser/exploit`.
```bash
docker exec -it baron_samedit_lab /bin/bash
```
4. **Compile the exploit inside container**: This creates `exploit` binary & malicious `libnss_X/P0P_SH3LLZ_ .so.2` library.
```bash
cd ~/exploit
make
```
5. **Run the exploit**: Choose a target from the list (e.g., target 1 for Ubuntu `20.04`):
```bash
./exploit 1
```
> If successful, you will see `[+] bl1ng bl1ng! We got it!` and a root shell.
---
### Brute‑forcing Offsets
- If the pre‑configured targets do not work on your specific system, use the brute‑forcing script:
```bash
cd ~/exploit
./brute.sh
```
- Example (for a 64‑bit system with `libc‑2.31`):
```bash
./brute.sh 50 70 50 70 200 250
```
- The script uses GNU `parallel` to test many offset combinations and saves successful ones in `success.txt`.
### Manual Mode
- You can also supply custom offsets directly:
```bash
./exploit
```
## How the Exploit Works
CVE-2021-3156 is a heap‑based overflow in `sudoedit`'s command‑line argument handling. By supplying a specially crafted `LC_ALL` environment variable and a series of backslash (`\`) arguments, an attacker can overwrite a `service_user` struct in heap memory, this struct contains a function pointer that when hijacked, can be made to point to a malicious library loaded via the `LIBNAMES` mechanism. The library’s constructor then executes arbitrary code with root privileges.
The exploit here:
1. Creates a directory `libnss_X/` containing a shared object `P0P_SH3LLZ_ .so.2` (Spaces is Intentional).
2. Overflows the heap to make sudo load `libnss_X/P0P_SH3LLZ_ .so.2` as if it were a system NSS library.
3. The library's constructor runs, spawning a root shell.
## Cleaning Up
- To stop and remove the container:
```bash
cd Demo-Docker
docker compose down
```
- To remove the built Docker image:
```bash
docker rmi cve-2021-3156-lab:latest
```
## References
- [Original advisory by Qualys](https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt)
- [Blasty’s PoC](https://github.com/blasty/CVE-2021-3156)
- [NIST NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2021-3156)
## License
> This project is provided for educational purposes only. Use at your own risk.
---