CVE-2021-3156 - "Baron Samedit" Lab & Exploit

This repository provides a self-contained, educational environment to understand and exploit CVE-2021-3156, a heap-based buffer overflow in sudo that lets any local user, whether or not they are listed in sudoers, gain root on a vulnerable system. Affected releases are sudo 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1; the bug was fixed in 1.9.5p2.

This material is for authorized security training and research only.

Unauthorized/Unethical use against systems you do not own is illegal.

Repository Contents

  • Dockerfile - Builds an Ubuntu 20.04 container with sudo 1.8.31 (vulnerable)
  • exploit.c - Main exploit payload (adapted for Ubuntu 20.04)
  • shellcode.c - Shared library constructor that spawns a root shell
  • Makefile - Compiles the exploit and the malicious library

Getting Started

Prerequisites

  • Docker (or Docker Engine)
  • Basic familiarity with C language
  • Basic familiarity with Make
  • Knowledge of command‑line tools

Building and Running the Lab

  1. Clone this repository:
git clone https://github.com/Theleopard65/CVE-2021-3156-Baron-Samedit.git
cd CVE-2021-3156-Baron-Samedit
  2. Build the Docker image:
docker build -t cve-2021-3156-lab .
  3. Run the container:
docker run -it --rm --name baron_samedit_lab cve-2021-3156-lab
    • You will be logged in as user poc inside the container.
    • The working directory is /home/exploit, which already contains the source files.

Compiling and Running the Exploit

  • Inside the container, the exploit is already compiled by the Docker build process. To run it manually:
cd /home/exploit
./exploit

If successful, you should see a root shell prompt (#); confirm with id, which should report uid=0(root). The exploit overflows sudo's user_args heap buffer into a glibc NSS service_user struct and overwrites its name field, so that sudo's next user or group lookup makes glibc dlopen() the relative path libnss_x/x.so.2 from the current directory; the library's constructor then runs inside the setuid-root sudoedit process. The required heap layout (the environment variable sizes hard-coded in exploit.c) is specific to the sudo 1.8.31 build in this image; against another build the attempt may crash sudoedit instead of returning a shell.

Manual Compilation (if needed)

  • To recompile:
make clean && make

This creates:

  • exploit - the main exploit binary
  • libnss_x/x.so.2 - the malicious shared library

How the Exploit Works

CVE-2021-3156 is a heap-based buffer overflow in sudo's set_cmnd() function, reached when sudo is invoked as sudoedit with -s (or -i). In that mode sudo concatenates its arguments into a heap buffer while removing backslash escapes. The buffer is sized from the arguments' string lengths, but an argument that ends in a single backslash makes the copy loop step over the argument's terminating NUL and keep copying whatever follows it in memory (the environment strings), past the end of the buffer. A carefully sized environment places a glibc NSS (Name Service Switch) service_user struct right after that buffer; the overflow replaces the struct's name field, and the next NSS lookup sudo performs makes glibc dlopen() a library named from that field (libnss_<name>.so.2) with root privileges. The library's constructor therefore runs arbitrary code as root.

This exploit:

  1. Builds a sudoedit -s argument list whose last argument ends in a single backslash, with a large buffer (buf) following it, so the unescaping loop in set_cmnd() runs past the argument's terminating NUL and copies the bytes that follow into the undersized user_args heap allocation.
  2. Uses the LC_MESSAGES, LC_TELEPHONE, and LC_MEASUREMENT environment variables to shape the heap so that the service_user struct for the "files" NSS backend sits just after that allocation.
  3. Overflows into that struct, replacing its name with x/x. glibc builds the module file name as "libnss_" + name + ".so.2", so the lookup becomes libnss_x/x.so.2, a relative path that dlopen() resolves from the current directory, which is where the Makefile places the malicious library.
  4. The malicious library's constructor (in shellcode.c) runs setuid(0) and setgid(0) and spawns a root shell, which works because the dlopen() happens inside the setuid-root sudoedit process.
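The copy loop that causes the overflow, as an added example that is neither the repository's exploit.c nor sudo's source: a C model of the unescaping loop in set_cmnd() from sudo 1.8.31 next to the same loop with the check added in 1.9.5p2. The stack_image constant is a constructed stand-in for process memory (the argument "\" followed by the next NUL-terminated string), the bounded sink and byte counting are a modelling choice so the program measures the overrun instead of corrupting its own heap, and the function names are mine. The space-separator bookkeeping sudo does after each argument is omitted; it does not change the count for a single argument.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed input, not taken from the project: the sudoedit argument is a
 * single backslash ("\"), and in a real process the next NUL-terminated
 * string (an environment variable) follows it immediately in memory.  Here
 * that neighbour is a stand-in payload.
 */
#define PAYLOAD "PAYLOAD-BYTES-THAT-LAND-ON-THE-HEAP"
static const char stack_image[] = "\\" "\0" PAYLOAD;

/* sudo sizes user_args from strlen() of each argument plus one; for the
 * argument "\" that is two bytes, so the NUL after it is the last byte the
 * allocation can hold. */
size_t user_args_size(void)
{
    return strlen(stack_image) + 1;   /* strlen stops at the embedded NUL */
}

/* Model of the unescape loop in set_cmnd() from sudo 1.8.31, reached when
 * sudo is invoked as "sudoedit -s".  Writes go through a bounded sink and
 * are counted, so the model measures the overrun rather than corrupting
 * this program's own heap.  Returns the number of bytes the real loop would
 * write into user_args. */
static size_t unescape_1_8_31(const char *from, char *sink, size_t cap)
{
    size_t n = 0;
    while (*from) {
        /* from[1] == '\0' is not a space, so a trailing backslash moves the
         * read pointer onto the terminating NUL ... */
        if (from[0] == '\\' && !isspace((unsigned char)from[1]))
            from++;
        if (n < cap)
            sink[n] = *from;
        n++;
        /* ... and this increment steps past it, so the loop keeps copying
         * whatever follows the argument in memory. */
        from++;
    }
    return n;
}

/* Same loop with the check added in sudo 1.9.5p2: a backslash that is the
 * last character of the argument is copied literally and the loop stops at
 * the NUL. */
static size_t unescape_1_9_5p2(const char *from, char *sink, size_t cap)
{
    size_t n = 0;
    while (*from) {
        if (from[0] == '\\' && from[1] != '\0' && !isspace((unsigned char)from[1]))
            from++;
        if (n < cap)
            sink[n] = *from;
        n++;
        from++;
    }
    return n;
}

size_t bytes_written_1_8_31(void)
{
    char sink[256];
    return unescape_1_8_31(stack_image, sink, sizeof sink);
}

size_t bytes_written_1_9_5p2(void)
{
    char sink[256];
    return unescape_1_9_5p2(stack_image, sink, sizeof sink);
}

/* Returns 1 if the bytes written past the first (copied NUL) byte are exactly
 * the payload that followed the argument in memory; the real exploit relies
 * on this to place chosen bytes over the service_user struct. */
int overflow_is_payload(void)
{
    char sink[256];
    size_t n = unescape_1_8_31(stack_image, sink, sizeof sink);
    return n == 1 + strlen(PAYLOAD) && memcmp(sink + 1, PAYLOAD, strlen(PAYLOAD)) == 0;
}

int main(void)
{
    printf("user_args allocation : %zu bytes\n", user_args_size());
    printf("sudo 1.8.31 writes   : %zu bytes (%zu past the end)\n",
           bytes_written_1_8_31(), bytes_written_1_8_31() - user_args_size());
    printf("sudo 1.9.5p2 writes  : %zu bytes\n", bytes_written_1_9_5p2());
    printf("overflow carries the neighbouring bytes: %s\n",
           overflow_is_payload() ? "yes" : "no");
    return 0;
}
```

In the real process the bytes that land past the end are the environment strings the exploit controls, and their sizes decide which heap chunk the copy runs into. To tell a vulnerable sudo from a patched one without running the exploit, the check published with the advisory is to run `sudoedit -s /` as an unprivileged user: a vulnerable build answers with an error beginning `sudoedit:`, a patched build with one beginning `usage:`.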

Cleaning Up

To remove the Docker image:

docker rmi cve-2021-3156-lab

License

This project is provided for educational purposes only. Use at your own risk.
