
CVE-2019-18634 PoC — Sudo buffer error vulnerability

Source
Associated Vulnerability
Title: Sudo buffer error vulnerability (CVE-2019-18634)
Description: In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
Description
A functional exploit for CVE-2019-18634, a BSS overflow in sudo's pwfeedback feature that allows for privesc
Readme
# CVE-2019-18634

**:warning: This code has only been tested on sudo 1.8.25. The bug impacts <1.8.30, but there are differences in character handling that prevent this PoC from executing (this does not mitigate the exploitability of the bug). See [#1](https://github.com/Plazmaz/CVE-2019-18634/issues/1) :warning:**  
Functional exploit for CVE-2019-18634, a heap buffer overflow that leads to privilege escalation on sudo <=1.8.30 if pwfeedback is enabled.  
[https://dylankatz.com/Analysis-of-CVE-2019-18634/](https://dylankatz.com/Analysis-of-CVE-2019-18634/)  
This repo contains both a single-file script (`self-contained.sh`), and the scripts used to generate it (under `src`)  
Thanks to yuu and Anonymous_ for help in developing this exploit and these scripts.  
Credit to Joe Vennix and William Bowling for the original discovery of the bug and the information on exploiting through 1.8.30.  
File Snapshot

[4.0K] /data/pocs/1dca040d9f0fa9c4039abb41df6b44f7a4336031
├── [ 905] README.md
├── [1.3K] self-contained.sh
└── [4.0K] src
    ├── [ 554] exec.c
    ├── [ 346] run.sh
    └── [ 440] xpl.pl

1 directory, 5 files