Share
## https://sploitus.com/exploit?id=220FB384-4CFD-5648-A0B1-2CD1A59BA8A7
# CVE-2021-3156 — "Baron Samedit" Lab & Exploit

This repository provides a self-contained, educational environment to understand and exploit `CVE-2021-3156`, a heap-based buffer overflow in `sudo` that allows any unprivileged user to gain root privileges on vulnerable systems (sudo versions prior to `1.9.5p2`).

> This material is for **authorized security training and research only**.
> Unauthorized/Unethical use against systems you do not own is **illegal**.

## Repository Structure

- `Demo-Docker/` – Dockerized vulnerable lab environment
  - `Dockerfile` – Builds an Ubuntu `20.04` container with sudo `1.8.31` (vulnerable)
  - `docker-compose.yml` – Orchestrates the container with exploit source mounting
  - `entrypoint.sh` – Simple script to keep the container alive
- `Exploit/` – Public exploit code (originally by blasty) adapted for this lab
  - `hax.c` – Main exploit payload
  - `lib.c` – Shared library that spawns a root shell when loaded
  - `Makefile` – Compiles the exploit and the malicious library
  - `brute.sh` – Brute‑force helper to find working offsets for different targets

## Getting Started

### Prerequisites

- Docker & Docker Compose (or Docker Engine with Compose plugin)
- Basic familiarity with C language, Make, and command‑line tools

### Building and Running the Lab

1. **Clone this repository**

```bash
git clone https://github.com/Theleopard65/CVE-2021-3156-Baron-Samedit.git
cd CVE-2021-3156-Baron-Samedit
```

2. **Start vulnerable container**: The below command builds the image and starts a container named `baron_samedit_lab`.

```bash
cd Demo-Docker
docker compose up -d
```

3. **Access the container**:
	- You are logged in as `labuser` (password: `labpassword`).
	- The exploit source is mounted at `/home/labuser/exploit`.

```bash
docker exec -it baron_samedit_lab /bin/bash
```

4. **Compile the exploit inside container**: This creates `exploit` binary & malicious `libnss_X/P0P_SH3LLZ_ .so.2` library.

```bash
cd ~/exploit
make
```

5. **Run the exploit**: Choose a target from the list (e.g., target 1 for Ubuntu `20.04`):

```bash
./exploit 1
```

> If successful, you will see `[+] bl1ng bl1ng! We got it!` and a root shell.

---

### Brute‑forcing Offsets

- If the pre‑configured targets do not work on your specific system, use the brute‑forcing script:

```bash
cd ~/exploit
./brute.sh      
```

- Example (for a 64‑bit system with `libc‑2.31`):

```bash
./brute.sh 50 70 50 70 200 250
```

- The script uses GNU `parallel` to test many offset combinations and saves successful ones in `success.txt`.

### Manual Mode

- You can also supply custom offsets directly:

```bash
./exploit    
```

## How the Exploit Works

CVE-2021-3156 is a heap‑based overflow in `sudoedit`'s command‑line argument handling. By supplying a specially crafted `LC_ALL` environment variable and a series of backslash (`\`) arguments, an attacker can overwrite a `service_user` struct in heap memory, this struct contains a function pointer that when hijacked, can be made to point to a malicious library loaded via the `LIBNAMES` mechanism. The library’s constructor then executes arbitrary code with root privileges.

The exploit here:
1. Creates a directory `libnss_X/` containing a shared object `P0P_SH3LLZ_ .so.2` (Spaces is Intentional).
2. Overflows the heap to make sudo load `libnss_X/P0P_SH3LLZ_ .so.2` as if it were a system NSS library.
3. The library's constructor runs, spawning a root shell.

## Cleaning Up

- To stop and remove the container:

```bash
cd Demo-Docker
docker compose down
```

- To remove the built Docker image:

```bash
docker rmi cve-2021-3156-lab:latest
```

## References

- [Original advisory by Qualys](https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt)
- [Blasty’s PoC](https://github.com/blasty/CVE-2021-3156)
- [NIST NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2021-3156)

## License

> This project is provided for educational purposes only. Use at your own risk.

---