Showing posts from May, 2023

Exploiting the sudo heap-based buffer overflow [CVE-2021-3156]

CVE-2021-3156 is a heap-based buffer overflow in sudo. In this blog I will share my walkthrough of this CVE and my final exploit for it. Let's start with the PoC.

First, I used AddressSanitizer (ASan), which detects memory access errors such as out-of-bounds reads and writes, use-after-free and memory leaks. This is a sample of its output: it names the file that caused the crash together with the line number. This is the command I used to compile sudo with ASan.

We can confirm the root cause in gdb by passing the payload and setting a breakpoint on line 868 of sudoers.c. Following the code with next instruction (ni), we can see that when the loop reaches a backslash (\) it copies the character after it and skips two bytes ahead. Our backslash is the last character of the argument, so what gets copied? The null byte that terminates the string. And what happens once the terminator has been skipped? The loop never sees the end of our string: it keeps reading past the argument into the memory that follows it and keeps writing into the destination buffer, which was sized from the original string lengths, so the copy overflows the heap allocation.

The vulnerable code
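To make the mechanism concrete, here is an added example (not code from the original post and not sudo's own source) that reimplements the unescape loop of set_cmnd() in a small harness. The two argument strings are laid out back to back in one constructed buffer, the way the kernel places argv on the stack, so that reading past the terminating NUL lands on the next argument in a well-defined way; the destination buffer is deliberately oversized so the demo itself corrupts nothing. The function names, the `fixed` switch and the sample arguments "foo\" and "bar" are mine.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size sudo reserves for user_args: strlen(arg) + 1 for every argument. */
size_t args_alloc_size(char **av)
{
    size_t size = 0;
    for (; *av != NULL; av++)
        size += strlen(*av) + 1;
    return size;
}

/* The unescape loop as it appears in the vulnerable set_cmnd().
 * With fixed != 0 the extra from[1] != '\0' check of the upstream fix is applied.
 * Returns the number of bytes written to `to`, terminator included. */
size_t unescape_args(char **av, char *to, int fixed)
{
    char *start = to;
    const char *from;

    for (; (from = *av) != NULL; av++) {
        while (*from != '\0') {
            if (from[0] == '\\' &&
                (!fixed || from[1] != '\0') &&   /* fixed: never treat NUL as an escaped char */
                !isspace((unsigned char)from[1]))
                *to++ = from[1], from += 2;      /* BUG: if from[1] is NUL this skips the terminator */
            else
                *to++ = *from, from++;
        }
        *to++ = ' ';
    }
    *--to = '\0';                                /* replace the trailing space with a terminator */
    return (size_t)(to - start) + 1;
}

/* Constructed case: argv[1] = "foo\" (trailing backslash), argv[2] = "bar",
 * stored contiguously so the over-read after the NUL hits "bar". */
size_t run_case(int fixed, size_t *alloc_size)
{
    char arena[16];
    char *av[3];
    char out[64];                 /* deliberately large: the demo must not overflow */

    memset(arena, 0, sizeof arena);
    memcpy(arena, "foo\\", 5);     /* bytes 0..3, NUL at 4 */
    memcpy(arena + 5, "bar", 4);   /* bytes 5..7, NUL at 8 */
    av[0] = arena;
    av[1] = arena + 5;
    av[2] = NULL;

    *alloc_size = args_alloc_size(av);
    return unescape_args(av, out, fixed);
}

int main(void)
{
    size_t alloc, written;

    written = run_case(0, &alloc);
    printf("vulnerable: allocated %zu bytes, wrote %zu bytes%s\n",
           alloc, written, written > alloc ? "  <-- heap overflow" : "");
    written = run_case(1, &alloc);
    printf("fixed:      allocated %zu bytes, wrote %zu bytes\n", alloc, written);
    return 0;
}
```

The sizing loop reserves strlen + 1 bytes per argument, 9 here, but the vulnerable copy writes 12: "foo", the NUL that was treated as an escaped character, "bar" read from the neighbouring string, and then "bar" again when the loop moves on to the second argument. With the from[1] != '\0' check the trailing backslash is copied literally and exactly 9 bytes are written. In a real sudo process the bytes after the last argument are the environment strings, so the over-read, and with it the size of the overflow, is under the attacker's control.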