Hi @worawit

I tried the exploit code exploit_defaults_mailer.py on CentOS 6.10, and got some error messages as the following.

Cannot determine disble-root-mailer flag

curr size: 0x1600

exit code: 11


curr size: 0x1100
*** glibc detected *** sudoedit: malloc(): memory corruption: 0x00005654d9e3d630 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x39ff475e5e)[0x2b2a32c83e5e]
/lib64/libc.so.6(+0x39ff47a41a)[0x2b2a32c8841a]
/lib64/libc.so.6(__libc_malloc+0x5c)[0x2b2a32c88b1c]
/usr/libexec/sudoers.so(+0x2f558)[0x2b2a331e2558]
/usr/libexec/sudoers.so(+0x29e52)[0x2b2a331dce52]
/usr/libexec/sudoers.so(+0x10d9d)[0x2b2a331c3d9d]
/usr/libexec/sudoers.so(+0xffda)[0x2b2a331c2fda]
/usr/libexec/sudoers.so(+0x124b0)[0x2b2a331c54b0]
/usr/libexec/sudoers.so(+0x13b4e)[0x2b2a331c6b4e]
sudoedit(+0xe8fc)[0x5654d966a8fc]
/lib64/libc.so.6(__libc_start_main+0x100)[0x2b2a32c2cd20]
sudoedit(+0x3ef9)[0x5654d965fef9]
======= Memory map: ========
2b2a321a0000-2b2a321c0000 r-xp 00000000 08:02 139429                     /lib64/ld-2.12.so
2b2a321c0000-2b2a321c1000 rw-p 00000000 00:00 0 
2b2a323c0000-2b2a323c1000 r--p 00020000 08:02 139429                     /lib64/ld-2.12.so
2b2a323c1000-2b2a323c2000 rw-p 00021000 08:02 139429                     /lib64/ld-2.12.so
2b2a323c2000-2b2a323c3000 rw-p 00000000 00:00 0 
2b2a323c3000-2b2a323db000 r-xp 00000000 08:02 139463                     /lib64/libaudit.so.1.0.0
2b2a323db000-2b2a325da000 ---p 00018000 08:02 139463                     /lib64/libaudit.so.1.0.0
2b2a325da000-2b2a325dc000 r--p 00017000 08:02 139463                     /lib64/libaudit.so.1.0.0
2b2a325dc000-2b2a325e7000 rw-p 00019000 08:02 139463                     /lib64/libaudit.so.1.0.0
2b2a325e7000-2b2a32604000 r-xp 00000000 08:02 139436                     /lib64/libselinux.so.1
2b2a32604000-2b2a32803000 ---p 0001d000 08:02 139436                     /lib64/libselinux.so.1
2b2a32803000-2b2a32804000 r--p 0001c000 08:02 139436                     /lib64/libselinux.so.1
2b2a32804000-2b2a32805000 rw-p 0001d000 08:02 139436                     /lib64/libselinux.so.1
2b2a32805000-2b2a32807000 rw-p 00000000 00:00 0 
2b2a32807000-2b2a32809000 r-xp 00000000 08:02 130443                     /lib64/libutil-2.12.so
2b2a32809000-2b2a32a08000 ---p 00002000 08:02 130443                     /lib64/libutil-2.12.so
2b2a32a08000-2b2a32a09000 r--p 00001000 08:02 130443                     /lib64/libutil-2.12.so
2b2a32a09000-2b2a32a0a000 rw-p 00002000 08:02 130443                     /lib64/libutil-2.12.so
2b2a32a0a000-2b2a32a0c000 r-xp 00000000 08:02 139435                     /lib64/libdl-2.12.so
2b2a32a0c000-2b2a32c0c000 ---p 00002000 08:02 139435                     /lib64/libdl-2.12.so
2b2a32c0c000-2b2a32c0d000 r--p 00002000 08:02 139435                     /lib64/libdl-2.12.so
2b2a32c0d000-2b2a32c0e000 rw-p 00003000 08:02 139435                     /lib64/libdl-2.12.so
2b2a32c0e000-2b2a32d99000 r-xp 00000000 08:02 139430                     /lib64/libc-2.12.so
2b2a32d99000-2b2a32f98000 ---p 0018b000 08:02 139430                     /lib64/libc-2.12.so
2b2a32f98000-2b2a32f9c000 r--p 0018a000 08:02 139430                     /lib64/libc-2.12.so
2b2a32f9c000-2b2a32f9e000 rw-p 0018e000 08:02 139430                     /lib64/libc-2.12.so
2b2a32f9e000-2b2a32fa5000 rw-p 00000000 00:00 0 
2b2a32fa5000-2b2a32fb2000 r-xp 00000000 08:02 130339                     /lib64/libnss_files-2.12.so
2b2a32fb2000-2b2a331b1000 ---p 0000d000 08:02 130339                     /lib64/libnss_files-2.12.so
2b2a331b1000-2b2a331b2000 r--p 0000c000 08:02 130339                     /lib64/libnss_files-2.12.so
2b2a331b2000-2b2a331b3000 rw-p 0000d000 08:02 130339                     /lib64/libnss_files-2.12.so
2b2a331b3000-2b2a331f9000 r-xp 00000000 08:02 678288                     /usr/libexec/sudoers.so
2b2a331f9000-2b2a333f8000 ---p 00046000 08:02 678288                     /usr/libexec/sudoers.so
2b2a333f8000-2b2a333f9000 r--p 00045000 08:02 678288                     /usr/libexec/sudoers.so
2b2a333f9000-2b2a333fb000 rw-p 00046000 08:02 678288                     /usr/libexec/sudoers.so
2b2a333fb000-2b2a33401000 rw-p 00000000 00:00 0 
2b2a3340d000-2b2a33419000 r-xp 00000000 08:02 139464                     /lib64/libpam.so.0.82.2
2b2a33419000-2b2a33619000 ---p 0000c000 08:02 139464                     /lib64/libpam.so.0.82.2
2b2a33619000-2b2a3361a000 r--p 0000c000 08:02 139464                     /lib64/libpam.so.0.82.2
2b2a3361a000-2b2a3361b000 rw-p 0000d000 08:02 139464                     /lib64/libpam.so.0.82.2
2b2a3361b000-2b2a33669000 r-xp 00000000 08:02 130729                     /lib64/libldap-2.4.so.2.10.3
2b2a33669000-2b2a33868000 ---p 0004e000 08:02 130729                     /lib64/libldap-2.4.so.2.10.3
2b2a33868000-2b2a3386a000 r--p 0004d000 08:02 130729                     /lib64/libldap-2.4.so.2.10.3
2b2a3386a000-2b2a3386c000 rw-p 0004f000 08:02 130729                     /lib64/libldap-2.4.so.2.10.3
2b2a3386c000-2b2a33881000 r-xp 00000000 08:02 139437                     /lib64/libz.so.1.2.3
2b2a33881000-2b2a33a80000 ---p 00015000 08:02 139437                     /lib64/libz.so.1.2.3
2b2a33a80000-2b2a33a81000 r--p 00014000 08:02 139437                     /lib64/libz.so.1.2.3
2b2a33a81000-2b2a33a82000 rw-p 00015000 08:02 139437                     /lib64/libz.so.1.2.3
2b2a33a82000-2b2a33a89000 r-xp 00000000 08:02 130312                     /lib64/libcrypt-2.12.so
2b2a33a89000-2b2a33c89000 ---p 00007000 08:02 130312                     /lib64/libcrypt-2.12.so
2b2a33c89000-2b2a33c8a000 r--p 00007000 08:02 130312                     /lib64/libcrypt-2.12.so
2b2a33c8a000-2b2a33c8b000 rw-p 00008000 08:02 130312                     /lib64/libcrypt-2.12.so
2b2a33c8b000-2b2a33cb9000 rw-p 00000000 00:00 0 
2b2a33cb9000-2b2a33cc7000 r-xp 00000000 08:02 139470                     /lib64/liblber-2.4.so.2.10.3
2b2a33cc7000-2b2a33ec6000 ---p 0000e000 08:02 139470                     /lib64/liblber-2.4.so.2.10.3
2b2a33ec6000-2b2a33ec7000 r--p 0000d000 08:02 139470                     /lib64/liblber-2.4.so.2.10.3
2b2a33ec7000-2b2a33ec8000 rw-p 0000e000 08:02 139470                     /lib64/liblber-2.4.so.2.10.3
2b2a33ec8000-2b2a33ede000 r-xp 00000000 08:02 139451                     /lib64/libresolv-2.12.so
2b2a33ede000-2b2a340de000 ---p 00016000 08:02 139451                     /lib64/libresolv-2.12.so
2b2a340de000-2b2a340df000 r--p 00016000 08:02 139451                     /lib64/libresolv-2.12.so
2b2a340df000-2b2a340e0000 rw-p 00017000 08:02 139451                     /lib64/libresolv-2.12.so
2b2a340e0000-2b2a340e2000 rw-p 00000000 00:00 0 
2b2a340e2000-2b2a340fb000 r-xp 00000000 08:02 683479                     /usr/lib64/libsasl2.so.2.0.23
2b2a340fb000-2b2a342fa000 ---p 00019000 08:02 683479                     /usr/lib64/libsasl2.so.2.0.23
2b2a342fa000-2b2a342fb000 r--p 00018000 08:02 683479                     /usr/lib64/libsasl2.so.2.0.23
2b2a342fb000-2b2a342fc000 rw-p 00019000 08:02 683479                     /usr/lib64/libsasl2.so.2.0.23
2b2a342fc000-2b2a34350000 r-xp 00000000 08:02 683482                     /usr/lib64/libssl3.so
2b2a34350000-2b2a3454f000 ---p 00054000 08:02 683482                     /usr/lib64/libssl3.so
exit code: 6


curr size: 0x1380

exit code: 11


curr size: 0x1240

exit code: 11


curr size: 0x11a0

exit code: 11


curr size: 0x1150

exit code: 256
sudoedit: no askpass program specified, try setting SUDO_ASKPASS


curr size: 0x1160

exit code: 11

found cmnd size: 0x1150

cmnd size: 0x1150
offset to defaults: 0x0
invalid offset. exit code: 256

$ sudo -V Sudo version 1.8.6p3 Sudoers policy plugin version 1.8.6p3 Sudoers file grammar version 42 Sudoers I/O plugin version 1.8.6p3

$ ldd --version ldd (GNU libc) 2.12

$ uname -r 2.6.32-754.el6.x86_64

After running the exploit, the folder 'gg' was added in /tmp folder. drwxrwxrwt. 19 root root 4096 Jul 20 19:36 . -rwxr-xr-x. 1 user user 97 Jul 20 19:36 gg

Also, CentOS 6.10 was installed on VMware.

Thanks, Any ideas would be appreciated.

Hi!, I want to make exploit code in 32 bit environment.

There have been various attempts, but the most fundamental problem is that there is only one space(Unsorted bin) in the bins just before the overflow buffer is allocated.

Is there any way to increase this? (i want to use small bins, fast bins... but always Only unsorted bins remain.)

**

In the exploit code: exploit_nss_u14.py or exploit_nss_u16.py, you wrote "the glibc with tcache" in the beginning comment. However, In the README.md, you wrote "For Linux distribution that glibc has no tcache support". Which one is typo? By the way, can you tell me the glibc version that you tested of Ubuntu 14.04 and 16.04? Thanks for your sharing.

#!/usr/bin/python
'''
Exploit for CVE-2021-3156 on Ubuntu 16.04 by sleepya
This exploit requires:
- glibc with tcache

For Linux distribution that glibc has no tcache support:

if a target is Debian 9, Ubuntu 16.04, or Ubuntu 14.04, try exploit_nss_xxx.py for specific version first

This adds a license file to the project, specifically the BSD 3-clause license. I'm hoping to have this incorporated into Metasploit via rapid7/metasploit-framework#15146 which would require that it be under a compatible license such as this.

If you'd prefer a different license just let me know and I can get it changed over to whatever you'd prefer.

hi,worawit. I've learned a lot about heap overflow from your project.But I have a new error during my VMs testing, the size parameter of cmnd function can not be obtained accurately all the time. Here is the 'Error Message' below

[test@localhost tmp]$ python exploit_userspec.py

curr size: 0x1600

exit code: 11


curr size: 0x1100

exit code: 11


curr size: 0xe80

exit code: 11


curr size: 0xd40

exit code: 11


curr size: 0xca0

exit code: 11


curr size: 0xc50

exit code: 11


curr size: 0xc20

exit code: 11


curr size: 0xc10

exit code: 11

Traceback (most recent call last):
  File "exploit_userspec.py", line 736, in <module>
    main()
  File "exploit_userspec.py", line 652, in main
    cmnd_size = find_cmnd_size()
  File "exploit_userspec.py", line 154, in find_cmnd_size
    assert size_min == 0x2000 - 0x10
AssertionError

And,here is the version below:

[test@localhost tmp]$ sudo -V
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
[test@localhost tmp]$ hostnamectl
  Static hostname:  localhost
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 71a7851c7f64482cad825974248cc902
           Boot ID: d6b64d7f01684b8ca51f807d08079a03
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-957.21.3.el7.x86_64
[test@localhost tmp]$ python -V
Python 2.7.5
[test@localhost tmp]$ sysctl -a --pattern randomiz
kernel.randomize_va_space = 2
[test@localhost tmp]$ ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Also, I tried manually getting specific parameter values and specifying specific inputs(Some python code i've changed with local debugging)

exploit_userspec.py 0x2000 0
exploit_defaults_mailer.py 0x2000 0

The Error code still exists
Traceback (most recent call last):
  File "exploit_userspec.py", line 736, in <module>
    main()
  File "exploit_userspec.py", line 652, in main
    cmnd_size = find_cmnd_size()
  File "exploit_userspec.py", line 154, in find_cmnd_size
    assert size_min == 0x2000 - 0x10
AssertionError

Hi @worawit

Use exploit: exploit_defaults_mailer.py

does this mean that this configuration is not usable or needs some work? End output:

cmnd size: 0x1150 offset to defaults: 0x0 sudoedit: option `mail_always' does not take a value sudoedit: you are not permitted to use the -C option invalid offset. exit code: 256

$ sudo -V

Sudo version 1.8.6p3 Sudoers policy plugin version 1.8.6p3 Sudoers file grammar version 42 Sudoers I/O plugin version 1.8.6p3

$ uname -r

2.6.32-696.16.1.el6.x86_64

$ ldd --version

ldd (GNU libc) 2.12 Copyright (C) 2010 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Written by Roland McGrath and Ulrich Drepper.

Hello, this pull requests makes sure the pwned file does not exist prior exploitation.

I've just experienced one case like that, and obviously the condition os.stat(PWNED_PATH).st_uid != 0 gave a false positive.

exploit_nss.py文件的187行 proc = subprocess.Popen(['ip', 'addr'], stdout=subprocess.PIPE, bufsize=1, universal_newlines=True)

Generally, ip addr cannot be used directly under low authority. It can be modified to /sbin/ip and modified to ['/sbin/ip','addr']

Hi @worawit

does this mean that this configuration is not usable or needs some work? End output:

offset to defaults: 0x60 sudoedit: option `mail_always' does not take a value sudoedit: you are not permitted to use the -C option invalid offset. exit code: 256

$ sudo -V

Sudo version 1.8.6p3 Sudoers policy plugin version 1.8.6p3 Sudoers file grammar version 42 Sudoers I/O plugin version 1.8.6p3

$ uname -r

4.9.75-25.55.amzn1.x86_64

$ ldd --version

ldd (GNU libc) 2.17 Copyright (C) 2012 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Written by Roland McGrath and Ulrich Drepper.