Baron Samedit
CVE-2021-3156, also known as Baron Samedit, is a local privilege-escalation vulnerability in sudo caused by an off-by-one error that leads to a heap-based buffer overflow during command-line argument processing. The flaw is triggered when sudo/sudoedit processes an argument ending in a single backslash under specific flag combinations, notably sudoedit invoked with the -s option. The underlying issue stems from inconsistent handling of shell mode and escape-character removal between the sudo front-end and the sudoers policy plugin: sudoedit can be invoked in a state where the shell flag is set but the arguments have not been escaped, yet the sudoers plugin still attempts to unescape them. This can cause out-of-bounds reads and writes in the argument-unescaping path, reported as occurring in set_cmnd() / command-argument handling and reproducible under fuzzing as a heap-buffer-overflow in strlcpy_unescape. Affected versions are sudo 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1; fixes were released in 1.8.32 and 1.9.5p2.
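The first thing a defender wants from the version ranges above is a way to compare an installed sudo's version against them, which is fiddly because of the "pN" patch-level suffix (1.8.31 must sort before 1.8.31p2, and 1.9.5p2 after 1.9.5p1). The script below is an added example, not code from Mallory or from any of the exploit repositories listed on this page. It assumes the standard first line of `sudo --version` output ("Sudo version X.Y.Z[pN]") and embeds a constructed sample of that output; the affected ranges are the three listed in the description.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Version as (major, minor, patch, plevel): "1.8.31p2" -> (1, 8, 31, 2), "1.8.31" -> (1, 8, 31, 0)
VersionTuple = Tuple[int, int, int, int]

# Inclusive upstream version ranges affected by CVE-2021-3156, taken from the description above.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("1.7.7", "1.7.10p9"),
    ("1.8.2", "1.8.31p2"),
    ("1.9.0", "1.9.5p1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(text: str) -> VersionTuple:
    """Parse an upstream sudo version string such as '1.9.5p1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    # A missing 'pN' suffix is patch level 0, so 1.8.31 sorts before 1.8.31p1.
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_version(version: str) -> bool:
    """True if the upstream version number falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_sudo_output(output: str) -> Optional[str]:
    """Pull the version out of `sudo --version` output; the first line reads 'Sudo version X.Y.Z[pN]'."""
    m = re.search(r"^Sudo version (\d+\.\d+\.\d+(?:p\d+)?)", output, re.MULTILINE)
    return m.group(1) if m else None


def check_local_sudo() -> Optional[bool]:
    """Run `sudo --version` on this host; None if sudo is missing or its output cannot be parsed."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    except OSError:  # sudo not installed or not executable
        return None
    ver = version_from_sudo_output(proc.stdout)
    return None if ver is None else is_affected_version(ver)


# Constructed sample (assumption, not captured from a real host) of `sudo --version` output
# as printed by the vulnerable Ubuntu 20.04 build of sudo 1.8.31.
SAMPLE_OUTPUT = (
    "Sudo version 1.8.31\n"
    "Sudoers policy plugin version 1.8.31\n"
)

if __name__ == "__main__":
    sample_ver = version_from_sudo_output(SAMPLE_OUTPUT)
    print(f"sample: {sample_ver} -> affected by version number: {is_affected_version(sample_ver)}")
    result = check_local_sudo()
    print("local sudo: unknown" if result is None else f"local sudo affected by version number: {result}")
```

A match on the version number is a prompt to verify, not a verdict: distributions backport the fix without bumping the upstream version (Ubuntu's patched 1.8.31-1ubuntu1.2 still reports "Sudo version 1.8.31"), so confirm against the package changelog, or use the non-destructive test from the vendor advisory, `sudoedit -s /` as an unprivileged user, which answers with an error beginning "sudoedit:" on a vulnerable build and "usage:" on a fixed one.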
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
24 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (14 hidden).
This repository is a compact local privilege-escalation exploit for CVE-2021-3156 (Baron Samedit) targeting vulnerable sudo/sudoedit installations on Linux. The repo contains two main code files: exploit.c and shellcode.c, plus a Makefile, Dockerfile, and README. The Dockerfile builds a reproducible Ubuntu 20.04 test environment with sudo pinned to 1.8.31-1ubuntu1 and compiles the exploit as an unprivileged user. The Makefile builds both the launcher binary and a malicious shared object at libnss_x/x.so.2. The exploit capability is straightforward: exploit.c crafts argv and envp for execve("/usr/bin/sudoedit", ...) to trigger the heap-based overflow in sudoedit -s argument handling. It uses a controlled trailing backslash in the argument buffer and carefully shaped LC_* environment variables plus filler strings for heap feng shui. The overflow is intended to corrupt a service_user structure so that its name/path points to the attacker-controlled NSS library path. Once the corrupted sudo process loads the malicious shared object, shellcode.c runs automatically via its constructor. The payload in shellcode.c is minimal but effective: inline assembly issues setuid(0), setgid(0), and execve("/bin/sh") syscalls, yielding a root shell. This makes the exploit more than a pure proof of concept; it is an operational local privesc exploit with a hardcoded payload. There are no network callbacks, C2 endpoints, or remote targets. All observable targets are local file paths and environment-variable-based heap manipulation. The README explains the vulnerability mechanics, build/run steps, and expected result, and confirms the exploit is tested on Ubuntu 20.04 with sudo 1.8.31.
Repository purpose: an educational, self-contained lab and working local privilege escalation exploit for CVE-2021-3156 ("Baron Samedit"), demonstrating a heap-based buffer overflow in sudo/sudoedit leading to root.
Structure and key files:
- Dockerfile: Builds an Ubuntu 20.04 container pinned to a vulnerable sudo version (sudo=1.8.31-1ubuntu1), installs build tools, compiles the exploit, and runs as an unprivileged user (poc). This provides a reproducible vulnerable environment.
- Makefile: Builds (1) a malicious NSS shared object at libnss_x/x.so.2 using -shared -nostdlib, and (2) the main exploit binary exploit.
- exploit.c: Main trigger. Crafts argv for sudoedit ("sudoedit", "-s", <overflow buffer ending with backslash>) and a carefully constructed envp containing large buffers and many backslashes. The locale variables (LC_MESSAGES/LC_TELEPHONE/LC_MEASUREMENT) are used to groom the heap layout. The overflow buffer is designed to overwrite the in-heap service_user structure (notably the 'files' entry) so that its name/path resolves to the attacker-controlled NSS module (x/x -> libnss_x/x.so.2). Finally, it calls execve("/usr/bin/sudoedit", argv, envp) to trigger the vulnerability.
- shellcode.c: Payload library code. Implements a constructor (_init) with inline x86_64 assembly that adjusts the stack, calls setuid(0) and setgid(0) via syscalls, then execve("/bin/sh"), yielding a root shell when the library is loaded.
- README.md: Explains setup, compilation, and the exploitation approach (heap overflow -> service_user corruption -> NSS library load -> constructor spawns root shell).
Exploit capabilities:
- Local privilege escalation (no network component) from an unprivileged user to root on vulnerable sudo versions.
- Achieves code execution as root by forcing sudo to load an attacker-controlled NSS shared library and executing its constructor.
Notable observables/fingerprintable targets:
- Executes /usr/bin/sudoedit.
- Drops/uses a malicious library at libnss_x/x.so.2.
- Spawns /bin/sh as root.
- Uses specific locale environment variables (LC_MESSAGES/LC_TELEPHONE/LC_MEASUREMENT) for heap grooming.
Overall, this is an operational PoC-style exploit with a hardcoded payload (root shell) and a Docker-based vulnerable lab for safe reproduction.
Repository purpose: a Baron Samedit (CVE-2021-3156) local privilege-escalation PoC targeting sudoedit on Linux.
Structure:
- README.md: states this is a PoC for CVE-2021-3156, tested on Ubuntu 20.04 (sudo 1.8.31, glibc 2.31). Describes components and how to build/run.
- exploit.asm: x86_64 Linux assembly program that constructs a malicious argv and envp layout and then invokes execve("/usr/bin/sudoedit", argv, envp). It populates large buffers with repeated bytes and carefully placed backslashes (0x5c) and locale environment strings (LC_*) to trigger the sudoedit argument-parsing heap overflow condition.
- shellcode.c: builds a minimal shared object with a constructor (_init) that runs immediately upon library load; it performs setuid(0), setgid(0), then execve("/bin/sh", ...) to provide a root shell.
- makefile: builds the shared object as libnss_x/x.so.2 (suggesting the exploit aims to get the target process to load this library via NSS/module loading side effects) and assembles/links exploit.asm into an executable named exploit.
- LICENSE: Apache 2.0.
Exploit capabilities:
- Local code execution in the context of the vulnerable sudoedit process leading to privilege escalation.
- Drops/uses a malicious shared object payload (libnss_x/x.so.2) that spawns a root shell.
Network activity/endpoints:
- No network I/O observed. All targets are local file paths and environment variables; the primary execution target is /usr/bin/sudoedit and the final spawned program is /bin/sh.
This repository contains a proof-of-concept (PoC) exploit for CVE-2021-3156, a heap-based buffer overflow vulnerability in sudo (version 1.8.31 on Ubuntu 20.04). The repository includes a Dockerfile for setting up a vulnerable environment and a C source file (exploit.c) that implements the exploit. The exploit works by crafting a large buffer and passing it as an argument to sudoedit, triggering the vulnerability and potentially escalating privileges to root. The exploit is local-only and requires the attacker to have shell access to the target system. The main fingerprintable endpoints are the sudo binary (/usr/bin/sudo), the /etc/passwd file (used to verify privilege escalation), and /bin/false (used as a dummy askpass program). The repository is structured for ease of testing and demonstration, with clear setup and usage instructions embedded in the exploit source code.
This repository contains a single Bash script (CVE-2025-32463.sh) that exploits CVE-2025-32463, a local privilege escalation vulnerability. The script creates a temporary working directory, generates a C source file for a malicious shared library, and compiles it. The library, when loaded, sets the effective UID and GID to root and executes a shell or arbitrary command as root. The exploit manipulates NSS (Name Service Switch) configuration by creating a custom nsswitch.conf and library, then invokes 'sudo -R woot woot' to trigger the vulnerability. The script cleans up all artifacts after execution. The exploit is operational, providing a root shell or command execution on a vulnerable Linux system. No network endpoints are involved; all actions are local. The repository is well-structured for its purpose, with clear separation of setup, payload generation, exploitation, and cleanup steps.
This repository contains a working local privilege escalation exploit for CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow in the sudoedit command of the sudo utility. The exploit is implemented in Python (exploit_nss.py) and targets Linux systems with vulnerable versions of sudo (<1.9.5p2) and glibc >= 2.26 (tcache enabled). The exploit works by crafting specific environment variables and arguments to trigger the heap overflow, manipulating NSS (Name Service Switch) configuration, and loading a malicious NSS library to achieve code execution as root. The exploit checks for required conditions (glibc version, tcache, nscd service status, and NSS configuration) before proceeding. Upon successful exploitation, the attacker gains a root shell. The README.md provides detailed usage instructions, prerequisites, and a demonstration of successful exploitation. The only code file, exploit_nss.py, is the main entry point and contains all exploit logic, including environment setup, heap manipulation, and payload execution. The exploit does not require network access and is purely local, with several fingerprintable file paths related to system configuration and the NSS mechanism.
This repository is a local privilege escalation exploit for CVE-2021-3156 (Baron Samedit), targeting the sudo program (version 1.8.31) on Linux (tested on Ubuntu 20.04.1 LTS). The exploit consists of two main C files: 'hax.c' and 'lib.c'. 'hax.c' is the main exploit driver, which crafts specific arguments and environment variables to trigger a heap-based buffer overflow in sudoedit. The exploit sets up a malicious NSS library ('libnss_X/P0P_SH3LLZ_ .so.2', built from 'lib.c') that, when loaded by the vulnerable sudoedit process, sets the effective UID and GID to 0 and spawns a root shell. The Makefile automates building the exploit binary and the malicious shared library. The exploit is operational and provides a root shell if successful, but requires local code execution on a vulnerable system. No network endpoints are involved; all actions are performed locally.
This repository contains a local privilege escalation exploit for CVE-2021-3156 (Baron Samedit), targeting Ubuntu 20.04.1 with sudo 1.8.31 and libc-2.31. The exploit consists of two main C files and a Makefile. 'exploit_launcher.c' constructs specific arguments and environment variables to trigger a heap-based buffer overflow in the sudoedit binary, causing it to load a malicious shared object ('libnss_X/P0P_SH3LLZ_ .so.2') built from 'exploit_payload.c'. The payload's constructor function sets the process's UID and GID to 0 and spawns a root shell. The Makefile automates building both the launcher and the payload. The exploit is operational and provides a root shell if successful. No network endpoints are involved; the attack vector is local, requiring code execution on the target system.
This repository contains a proof-of-concept (PoC) exploit for CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow in the sudo program. The exploit targets vulnerable versions of sudo (1.8.2-1.8.31p2 and 1.9.0-1.9.5p1) on Unix-like systems. The exploit is implemented in C (exploit.c) and is designed to be run locally by any user. It leverages a race condition and a crafted environment to exploit the vulnerability in sudoedit, ultimately overwriting /etc/passwd with attacker-controlled data from a prepared file. This allows the attacker to inject a root user and gain full root privileges. The repository also includes a README.txt with a detailed advisory and a command.txt file with usage instructions. The exploit requires tuning of the race condition timing and preparation of a fake passwd file. No network endpoints are involved; the attack vector is purely local, targeting the sudoedit binary and the /etc/passwd file.
This repository is a comprehensive educational resource and exploit development lab for CVE-2021-3156 (Sudo Baron Samedit). It is structured as a series of 'episodes', each in its own directory, with Dockerfiles, Makefiles, and code for building isolated environments containing a vulnerable version of sudo (1.8.31p2). The project demonstrates the process of discovering, fuzzing, and analyzing the heap-based buffer overflow in sudoedit that leads to CVE-2021-3156.
Key capabilities:
- The repository provides Docker-based environments for safe, repeatable exploitation and fuzzing of sudo.
- It includes custom harnesses (e.g., argv-fuzz-inl.h, afl2sudo.c) to enable fuzzing of command-line arguments using AFL/AFL++.
- Several episodes show how to minimize crash testcases and analyze root causes using tools like AddressSanitizer (ASan) and GDB.
- Python scripts (e.g., fengshui.py) are used for heap manipulation and further exploit development.
- The exploit is local: it requires the attacker to execute commands on the target system with sudo installed.
Notable endpoints include the instrumented sudo binary (/usr/local/bin/sudo), fuzzing harnesses, and minimized testcases that trigger the vulnerability. The repository does not provide a weaponized payload but demonstrates the full process from vulnerability discovery to proof-of-concept exploitation, including root shell access in the controlled environment. Overall, this is a high-quality, educational proof-of-concept exploit and research environment for CVE-2021-3156 targeting sudo 1.8.31p2 on Linux.
This repository is a local privilege escalation exploit for CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow in sudoedit. The exploit is implemented in C and consists of two main files: 'exploit.c' and 'shellcode.c'. The 'exploit.c' file crafts specific arguments and environment variables to trigger the vulnerability in the sudoedit binary, causing it to load a malicious NSS (Name Service Switch) shared library ('libnss_x/x.so.2') built from 'shellcode.c'. The shellcode sets the effective UID and GID to 0 (root) and spawns a root shell (/bin/sh). The Makefile automates the build process, and a Dockerfile is provided for reproducible testing on Ubuntu 20.04 with the vulnerable sudo version. The exploit must be run locally on a system with the vulnerable sudo version, and if successful, it grants a root shell to the attacker. No network endpoints are involved; all actions are performed locally. The repository is well-structured for educational and testing purposes, with clear build and usage instructions.
This repository contains a comprehensive set of exploits for CVE-2021-3156 (Sudo Baron Samedit), a heap-based buffer overflow in the sudo program that allows local privilege escalation to root on many Linux distributions. The exploits are organized by target environment and sudo/glibc version, with both Python and C implementations.
Key exploit files include:
- Multiple Python exploits (e.g., exploit_nss.py, exploit_userspec.py, exploit_defaults_mailer.py) targeting different heap layouts and sudo configurations, with some requiring glibc tcache support and others not.
- A C exploit (exploit_timestamp_race.c) that leverages a race condition to modify /etc/passwd.
- Assembly files (asm/tinylib.asm, asm/tinysh.asm) for embedding minimal ELF binaries to spawn a root shell.
- GDB scripts and helper Python scripts for debugging and analyzing heap behavior during exploitation.
The main exploit strategy is to trigger a heap overflow in sudoedit, allowing the attacker to overwrite internal sudo structures and ultimately gain root privileges. The payloads typically add a new root user to /etc/passwd or create a SUID root shell in /tmp. The exploits require local access and specific system configurations (e.g., default /etc/nsswitch.conf, nscd service stopped, certain sudo versions). The repository is well-structured, with clear separation between exploit variants, debugging tools, and supporting assembly code.
This repository contains a full exploit chain for CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow in sudo (specifically sudoedit) on Debian 10 with sudo 1.8.27 and glibc 2.28. The exploit is operational and weaponized for local privilege escalation. The main exploit logic is in 'exploit.c', which crafts environment variables and arguments to trigger the heap overflow in sudoedit, causing it to load a malicious NSS shared object ('libnss_XXXXXXX/XXXXXX.so.2'). This shared object, when loaded, sets the process UID and GID to 0 and spawns a root shell. The repository also includes a fuzzer (debug/fuzzer.py), test cases, and scripts for debugging and automating the exploit ('exploit.sh'). The exploit targets a specific configuration of Debian 10 and is not a generic detection script. The structure is typical for a research-grade exploit, with supporting code for analysis and debugging, and a clear focus on local privilege escalation via manipulation of environment variables and the NSS subsystem.
This repository is a proof-of-concept (PoC) exploit for CVE-2021-3156, a heap-based buffer overflow in sudo (Baron Samedit). The exploit targets specific versions of sudo on Ubuntu 18.04.5, Ubuntu 20.04.1, and Debian 10.0, as listed in the code. The main exploit logic is in 'hax.c', which constructs a specially crafted environment and arguments to trigger the vulnerability in sudoedit. The exploit loads a malicious shared library ('lib.c'), which, when executed, escalates privileges and spawns a root shell (/bin/sh). The Makefile automates building the exploit binary and the shared library. The exploit is local and requires execution on a vulnerable system. The repository is well-structured, with clear separation between the exploit logic and the payload, and includes a README with usage instructions.
This repository contains a local privilege escalation exploit for CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow in sudoedit on Linux. The exploit targets vulnerable versions of sudo (1.8.2-1.8.31sp12 and 1.9.0-1.9.5sp1) and is designed to be run locally on the target system.
The structure includes:
- A detailed README.md explaining the vulnerability, exploitation steps, environment setup, and debugging tips.
- exp/exp.c: The main exploit code, which crafts environment variables and arguments to trigger the heap overflow in sudoedit, causing it to load a malicious NSS library.
- exp/lib.c: The payload, a shared library that, when loaded, sets UID/GID to 0 and spawns a root shell (/bin/sh).
- exp/run.sh: A build script to compile the exploit and payload.
The exploit is operational and provides a root shell if successful. It requires local access and a vulnerable sudo configuration. The README provides extensive guidance for adapting the exploit to different environments and for debugging. The main fingerprintable endpoints are the sudoedit binary, the malicious shared library, and the shell path.
This repository contains a local privilege escalation exploit targeting Ubuntu 18.04 and 20.04 systems, specifically exploiting the 'sudoedit' binary. The exploit works by crafting a malicious environment and argument list to 'sudoedit', causing it to load a custom NSS (Name Service Switch) library from a local directory ('libnss_X'). The malicious shared object (X.so.2), when loaded, sets the process UID to 0 (root) and spawns a root shell. The repository includes a Makefile to build both the exploit binary and the malicious shared object, a README with usage instructions, and two C source files: 'exploit.c' (the main exploit logic) and 'sice.c' (the payload library). The exploit requires local access to the target system and is operational, providing a root shell if successful. No network endpoints are involved; all actions are performed locally.
This repository is a working exploit for CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow in the sudo program (specifically sudoedit) on Linux systems. The exploit is written in C and consists of two main code files: 'exploit.c' and 'shellcode.c'. The 'exploit.c' file orchestrates the attack by crafting environment variables and arguments to trigger the vulnerability in sudoedit, ultimately allowing the attacker to execute arbitrary commands as root. The exploit expects a command as an argument, which it will execute with root privileges if successful. The 'shellcode.c' file is compiled into a shared library (libnss_x/x.so.2) that, when loaded, sets the UID and GID to 0 and spawns a root shell. The Makefile automates the build process for both the exploit and the malicious shared library. The README provides usage instructions and context, confirming that the exploit has been tested on Ubuntu 20.04 and 17.10 with vulnerable versions of sudo. The attack vector is local, requiring the attacker to have access to a shell on the target system. The main fingerprintable endpoints are the target binary '/usr/bin/sudoedit', the malicious shared library 'libnss_x/x.so.2', and the shell '/bin/sh' used by the payload.
This repository is a functional local privilege escalation exploit for CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow in sudo's sudoedit. The exploit is implemented in C (hax.c, lib.c) and includes a Bash script (brute.sh) for brute-forcing parameters on unlisted targets. The Makefile automates building the main exploit binary (sudo-hax-me-a-sandwich) and the malicious shared library (libnss_X/P0P_SH3LLZ_ .so.2). The main exploit (hax.c) targets specific Linux distributions (Ubuntu 18.04.5, 20.04.1, Debian 10.0) and can be run in manual or brute-force mode. Upon successful exploitation, the payload (lib.c) sets UID/GID to 0 and spawns a root shell (/bin/sh). The exploit does not modify system files and is designed for local execution on vulnerable systems. The repository is well-structured, with clear usage instructions and parameterization for different targets.
This repository contains a proof-of-concept (PoC) exploit for CVE-2021-3156, a heap-based buffer overflow vulnerability in sudo (also known as 'Baron Samedit'). The exploit is implemented in a single C file ('exploit.c') and is designed to achieve local privilege escalation by exploiting a race condition in the sudoedit utility. The exploit works by repeatedly attempting to overwrite the /etc/passwd file with attacker-controlled contents (a fake passwd file with the attacker's UID set to 0), leveraging the heap overflow to bypass normal file protections. The README provides detailed usage instructions, including the need to update the modification time of /etc/passwd and to prepare a fake passwd file. The exploit is tested on Ubuntu 18.04 and 20.04 with specific vulnerable sudo versions. The main attack vector is local, requiring shell access to the target system. The only code file is 'exploit.c', which contains all exploit logic, while the other files are a README and a license.
This repository provides a working local privilege escalation exploit for CVE-2021-3156 (Baron Samedit) targeting vulnerable versions of sudo on Linux distributions (Ubuntu 20.04, Debian 10, Fedora 33). The main exploit logic is implemented in 'bufferof.c' and 'mybufferof.c', which craft environment variables and arguments to trigger a heap-based buffer overflow in sudoedit, loading a malicious shared object ('libnss_X/X.so.2') compiled from 'shell_tool.c'. The payload sets the process UID to root, executes commands to exfiltrate all SSH private keys from user and root accounts (via 'get_all_ssh_keys.sh'), creates a persistent SUID root shell ('privshell' via 'create_privshell.sh'), and finally spawns a root shell. The exploit also attempts to download a root shell binary from a remote server (http://192.168.100.168/privshell), indicating potential for further post-exploitation or persistence. The repository includes a Makefile for compilation and automation scripts for post-exploitation tasks. The exploit requires local access to a vulnerable system and is operational, providing both privilege escalation and credential exfiltration capabilities.
This repository contains a Python exploit for CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow vulnerability in sudo (sudoedit) affecting versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 on CentOS 7. The exploit (CVE-2021-3156.py) is designed to be run by a non-root user on a vulnerable system. It crafts environment variables and arguments to trigger the vulnerability in sudoedit, ultimately allowing the attacker to append a new line to /etc/passwd that grants root privileges to a user. The README provides usage instructions and affected versions. The exploit is operational and demonstrates a working privilege escalation attack, requiring the attacker to supply a crafted passwd line in the script. The main fingerprintable endpoints are the sudo binary (/usr/bin/sudo) and the /etc/passwd file, which is modified to achieve privilege escalation.
This repository is a local privilege escalation exploit for CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow in sudoedit. The exploit targets specific versions of sudo on Ubuntu 20.04.1 and Debian 10.0. The main exploit logic is in 'hax.c', which constructs a carefully crafted environment and argument list to trigger the vulnerability in /usr/bin/sudoedit. The exploit uses a malicious NSS library ('libnss_X/P0P_SH3LLZ_ .so.2', built from 'lib.c') that, when loaded, sets the process's UID and GID to 0 and spawns a root shell (/bin/sh). The Makefile automates building the exploit binary and the malicious library. The exploit must be run locally on a vulnerable system and, if successful, provides a root shell to the attacker. No network endpoints are involved; all actions are performed locally. The repository is well-structured, with clear separation between the exploit logic and the payload.
This repository provides a comprehensive analysis and practical exploit for the Baron Samedit vulnerability (CVE-2021-3156) in sudo (version 1.8.27 and similar). The exploit leverages a heap-based buffer overflow in sudoedit, allowing an attacker to manipulate environment variables and arguments to corrupt heap structures. This corruption enables the attacker to hijack the dynamic loading mechanism of the Name Service Switch (NSS), causing sudoedit to load a malicious shared object (libnss_XXX/XXX.so.2) crafted by the attacker. The payload in this shared object sets the process UID and GID to 0 and spawns a root shell, effectively granting root access to a local attacker.
The repository is organized into several directories:
- **Exploit/**: Contains the main exploit code (`exploit.c`), a helper script (`exploit.sh`) for automating the attack, and the malicious shared object source (`libnss_XXX/XXX.c`).
- **Fuzzing/**: Provides tools and documentation for fuzzing the sudo binary to understand the vulnerability, including a Dockerfile for environment setup and a modified version of sudo for fuzzing.
- **Patch/**: Contains simulation and patch code demonstrating how the vulnerability can be fixed.
- **Visualization/**: Includes scripts to visualize memory layout and argument parsing relevant to the exploit.
- **README.md** and subdirectory READMEs: Offer detailed explanations of the vulnerability, exploitation process, fuzzing techniques, and patching approaches.
The exploit is operational and demonstrates a full privilege escalation from a local user to root on vulnerable systems. The attack vector is local, requiring the ability to execute code and supply crafted environment variables. The main fingerprintable endpoints are the target binary (`/usr/bin/sudoedit`), the malicious shared object (`libnss_XXX/XXX.so.2`), and the shell (`/bin/sh`) spawned as root.
This repository contains a proof-of-concept exploit for CVE-2021-3156, a heap-based buffer overflow in the sudo utility affecting multiple Linux distributions. The exploit is implemented in Python (sudo_pwn.py) and is designed to be run locally by any user, regardless of sudo privileges. The exploit works by manipulating internal structures in glibc's nss_load_library() function, causing sudo to load a malicious shared library (e.g., libnss_X/X.so.2) from the current directory and execute its code as root. The README provides a brief description and credits the original vulnerability researchers. The code file contains detailed comments explaining the vulnerability and the exploitation technique, but the actual Python code is a placeholder and does not implement the full exploit logic. The repository is structured as a single exploit script and a README, and is intended as a proof-of-concept for local privilege escalation on vulnerable Linux systems.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
26 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A heap-based buffer overflow in sudoedit that can be exploited for local privilege escalation to root on affected Linux systems.
A heap-based buffer overflow vulnerability in sudoedit/sudo that can allow local privilege escalation.
A local privilege escalation vulnerability in sudo, also known as Baron Samedit, that can allow attackers to gain root privileges on Linux systems.
A privilege escalation vulnerability in sudo included as an example of vulnerabilities represented in MHBench.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.