
CVE-2019-18634 PoC — Sudo Buffer Error Vulnerability

Associated Vulnerability
Title: Sudo Buffer Error Vulnerability (CVE-2019-18634)
Description: In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
Description
My n-day exploit for CVE-2019-18634 (local privilege escalation)
Readme
## CVE-2019-18634 N-Day Exploit

<img src="/.meta/cover.png">

## Slides

https://docs.google.com/presentation/d/11DpUy9Ll_HeuPRSgzaTARHPwlq01v_yyqbnJURlG9Ss/edit?usp=sharing

## Requirements

* Ubuntu 20.04
* sudo 1.8.25 (see below for how to build it manually)
* Python3
* [pwntools](https://github.com/Gallopsled/pwntools#installation)

## Enable pwfeedback

```
sudo visudo
```

Change this line

```
Defaults env_reset
```

To this

```
Defaults env_reset,pwfeedback
```

## Checkout sudo 1.8.25

```
git clone https://github.com/sudo-project/sudo
cd sudo
git fetch --all --tags
git checkout SUDO_1_8_25
```

## Install Pwntools

```
sudo apt-get update
sudo apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
sudo python3 -m pip install --upgrade pip
sudo python3 -m pip install --upgrade pwntools
```

## Configure and Build

```
./configure --prefix=/usr/local
make
sudo make install
```

## Clone this repo and Run

```
git clone https://github.com/aesophor/CVE-2019-18634
cd CVE-2019-18634
./exploit.py
```
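As an added defender-side check (not part of the aesophor repo or of the sudo project), the following script tests the two preconditions the README sets up on a host: an active `pwfeedback` entry in a sudoers file and a sudo release older than 1.8.26, the cutoff given in the vulnerability description above. The function names and the sample sudoers lines are this example's own.

```shell
#!/bin/sh
# Added example: checks the two preconditions of CVE-2019-18634 on a host.
# Not code from the aesophor repository; thresholds follow the CVE text above.
set -e

# Exit 0 if VERSION (e.g. "1.8.25" or "1.8.21p2") is older than 1.8.26.
sudo_version_vulnerable() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    pat=${pat%%p*}                      # drop a "pN" patch-level suffix
    [ $((maj * 1000000 + min * 1000 + pat)) -lt 1008026 ]
}

# Exit 0 if any of the given sudoers files has an active (uncommented, not
# negated) "Defaults ... pwfeedback" entry. Matches "Defaults env_reset,pwfeedback"
# and "Defaults pwfeedback"; "!pwfeedback" and "# Defaults pwfeedback" do not match.
pwfeedback_enabled() {
    grep -qE '^[[:space:]]*Defaults[^#]*[[:space:],]pwfeedback([[:space:],]|$)' "$@" 2>/dev/null
}

# Combine both checks: exit 0 (and say so) only when both preconditions hold.
check_host() {                          # usage: check_host VERSION SUDOERS_FILE...
    ver="$1"; shift
    if sudo_version_vulnerable "$ver" && pwfeedback_enabled "$@"; then
        echo "EXPOSED: sudo $ver with pwfeedback enabled in: $*"
    else
        echo "not exposed: sudo $ver (fix: upgrade sudo or remove pwfeedback from Defaults)"
        return 1
    fi
}

# Constructed sample sudoers file mirroring the edit the README makes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Defaults pwfeedback          commented out, must be ignored
Defaults env_reset,pwfeedback
Defaults mail_badpass
EOF
check_host 1.8.25 "$sample"             # EXPOSED
check_host 1.8.31 "$sample" || true     # not exposed (version past the cutoff)
rm -f "$sample"
```

On a real host, feed it the installed version and every sudoers file, e.g. `check_host "$(sudo -V | head -n1 | awk '{print $3}')" /etc/sudoers /etc/sudoers.d/*`; the check reads only the files you name, so an `@include`/`#includedir` directive pointing elsewhere must be covered by listing those files too.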
File Snapshot

```
/data/pocs/d6d3e934f5a82c333668b3c1b5fb5c78a425254d
├── exploit.py  (1.5K)
└── README.md   (1.0K)

0 directories, 2 files
```