Inside CVE-Exploits: Dissecting Real-World Memory Corruption Techniques in C
Hook
The sudo vulnerability CVE-2021-3156 affected virtually every Unix-like system for a decade before discovery. Understanding how it was exploited tells you more about memory safety than a thousand theoretical security lectures.
Context
Security research exists in a paradox: to defend systems effectively, you must think like an attacker. Academic papers describe vulnerabilities in abstract terms—buffer overflows, heap corruption, use-after-free conditions—but these descriptions rarely bridge the gap between theory and practice. When a CVE is published, system administrators and security teams need to understand the actual risk: Can this vulnerability be exploited in the real world? What does exploitation look like? How would an attacker chain these primitives together?
The lockedbyte/CVE-Exploits repository addresses this gap by providing working proof-of-concept code for high-impact vulnerabilities in critical infrastructure software. Rather than being a comprehensive exploit database like Exploit-DB, this collection focuses on quality over quantity—five carefully crafted exploits that target sudo, Exim, and ProFTPd. Each exploit demonstrates the practical techniques required to turn a memory safety bug into code execution, serving as both a validation tool for security teams and an educational resource for understanding modern exploitation.
Technical Insight
The repository's architecture is deliberately simple: each CVE gets its own directory containing standalone C programs that demonstrate exploitation without dependencies on frameworks or libraries. This design choice makes the exploits readable and educational, allowing researchers to understand the core techniques without navigating framework abstractions.
Take CVE-2021-3156, the Baron Samedit vulnerability, as a case study. This heap-based buffer overflow in sudo's command-line parsing existed for nearly 10 years. The exploit demonstrates a sophisticated technique: heap grooming to control memory layout, followed by precise overflow manipulation to overwrite function pointers. The vulnerable code path occurs when sudo processes command-line arguments in shell mode. By carefully crafting the argument structure, an attacker can overflow a heap buffer and corrupt adjacent heap metadata.
Here's a simplified view of the exploitation primitive:
```c
// Heap grooming phase: allocate controlled chunks
for (int i = 0; i < HEAP_SPRAY_COUNT; i++) {
    spray_chunks[i] = malloc(CHUNK_SIZE);
    memset(spray_chunks[i], 'A', CHUNK_SIZE);
}

// Free alternating chunks to create a predictable layout
for (int i = 0; i < HEAP_SPRAY_COUNT; i += 2) {
    free(spray_chunks[i]);
}

// Trigger the vulnerability with a crafted argument
char *overflow_arg = malloc(VULNERABLE_SIZE + OVERFLOW_LEN);
memset(overflow_arg, '\\', VULNERABLE_SIZE);
memcpy(overflow_arg + VULNERABLE_SIZE, &target_pointer, sizeof(void *));
execve("/usr/bin/sudo", crafted_argv, crafted_envp);
```
The exploit leverages sudo's setuid bit to transform a heap overflow into local privilege escalation. The key insight is understanding how glibc's malloc implementation (ptmalloc2) manages heap chunks—by controlling allocation patterns, you can position your overflow target precisely where the overflow will reach.
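To make the root cause concrete rather than the exploitation, here is an added example (my own code, not from the repository) that emulates the backslash-unescaping copy loop in sudo's set_cmnd() as described in the public advisory, inside a bounded buffer so nothing is actually corrupted. It assumes that a from[1] != '\0' guard is an adequate stand-in for the real patch, which is a simplification; the backing buffer and its "SECRET" bytes are constructed sample data.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example (not repository code): a bounded emulation of the backslash
   unescaping loop behind CVE-2021-3156. 'from' points into a backing buffer
   of 'avail' bytes that stands in for the memory following the argument;
   'out' receives at most outlen bytes, so the emulation itself is safe.
   Returns how many bytes the real loop would have written for this argument. */
size_t unescape_arg(const char *from, size_t avail, char *out, size_t outlen, int fixed)
{
    const char *end = from + avail;
    size_t written = 0;

    while (from < end && *from != '\0') {
        /* Vulnerable rule: a backslash not followed by whitespace is dropped
           and the byte after it is copied. isspace('\0') is false, so a
           backslash at the very end of the argument steps over its NUL. */
        int skip = from[0] == '\\' && !isspace((unsigned char)from[1]);
        if (fixed && from[1] == '\0')
            skip = 0;          /* hardened: never step past the terminator (assumed guard) */
        if (skip)
            from++;
        if (written < outlen)
            out[written] = *from;
        written++;
        from++;
    }
    return written;
}

/* Space sudo reserves per argument: strlen + 1 for the separator. */
size_t reserved_for(const char *arg)
{
    return strlen(arg) + 1;
}

/* Constructed sample: the single argument "\" with the bytes "SECRET" lying
   directly after its terminator. */
static const char backing[] = "\\\0SECRET";

/* Bytes the loop writes beyond the reserved size for the sample, 0 if in bounds. */
long overflow_for_trailing_backslash(int fixed)
{
    char out[64];
    size_t written = unescape_arg(backing, sizeof backing, out, sizeof out, fixed);
    size_t reserved = reserved_for(backing);   /* strlen("\\") + 1 == 2 */
    return written > reserved ? (long)(written - reserved) : 0;
}
```

With the vulnerable rule the loop copies the terminator and then the six bytes that follow it, five more than were reserved; with the guard it stays within bounds, which is the behaviour a patch test should confirm.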
Another notable exploit targets CVE-2019-15846 (Exim 4.92), a heap use-after-free vulnerability in the SMTP server's TLS negotiation code. This exploit showcases a different primitive: rather than overflowing a buffer, it forces Exim to reference freed memory, then reallocates that memory with attacker-controlled data. The timing is critical—the exploit must win a race condition between the free operation and the dangling pointer dereference:
```c
// Trigger the use-after-free
send_smtp_command(sock, "STARTTLS\r\n");
// Server frees the TLS context structure

// Quickly reallocate with controlled data
for (int i = 0; i < RECLAIM_ATTEMPTS; i++) {
    spray_buffer[i] = malloc(TLS_CONTEXT_SIZE);
    memcpy(spray_buffer[i], &fake_vtable, sizeof(void *));
}

// Trigger dereference of the "freed" memory,
// which now contains our fake function pointer
send_smtp_command(sock, "QUIT\r\n");
```
The ProFTPd exploit (CVE-2019-12815) demonstrates yet another technique: an off-by-one buffer overflow in file path handling. This is particularly interesting because off-by-one vulnerabilities seem benign—how much damage can one byte do? The exploit shows how a single null byte overflow can corrupt heap metadata, eventually leading to arbitrary write primitives when combined with careful heap manipulation.
What makes this repository valuable isn't just the working exploits, but how they're structured for learning. Each exploit is self-contained with clear phases: heap grooming, vulnerability triggering, and post-exploitation. The C code is readable without excessive obfuscation, making it possible to trace execution flow and understand each step. For security researchers developing detection rules or testing patches, having reference implementations is invaluable—you can verify that your defensive measures actually prevent exploitation, not just check for vulnerability presence.
Gotcha
The repository's biggest limitation is documentation—or rather, the lack of it. Each exploit is essentially raw C code with minimal comments. There are no README files explaining which software versions are vulnerable, what the target environment should look like, or how to compile and run the exploits safely. If you're trying to use CVE-2021-3156.c, you'll need to research independently which sudo versions are affected, whether the exploit needs modification for your kernel version, and what compilation flags are required. This isn't necessarily bad for experienced security researchers, but it creates a steep learning curve.
The repository also hasn't been updated recently, with only five exploits total. This isn't a living database like Exploit-DB that's continuously updated with new CVEs. If you're looking for exploits beyond these specific vulnerabilities, you'll need to look elsewhere. Additionally, the exploits target specific software versions and may require modification for different environments—heap layouts change between libc versions, kernel mitigations vary across distributions, and ASLR/PIE configurations affect exploit reliability. The code demonstrates concepts but won't necessarily work out-of-the-box on arbitrary systems. You'll need to understand the underlying techniques well enough to adapt them, which is perhaps the point—these are learning tools and research references, not weaponized exploits designed for broad applicability.
Verdict
Use if: you're a security researcher or penetration tester who needs reference implementations of real-world exploits for these specific CVEs, you're studying memory corruption techniques and want to see how theoretical vulnerabilities become practical exploits, you're developing defensive tooling and need test cases to validate detection rules, or you're a system administrator who wants to verify whether patches actually prevent exploitation. This repository excels as an educational resource for understanding modern exploitation primitives—heap manipulation, use-after-free exploitation, and privilege escalation techniques. Skip if: you need a comprehensive exploit database with regular updates (use Exploit-DB instead), you want ready-to-run exploits with documentation and usage instructions, you're looking for exploits beyond these five specific CVEs, or you don't have the security research background to adapt these exploits to your environment. This is a curated collection for researchers, not a production red team toolkit. Always ensure you have proper authorization before using any exploit code, and only run these in isolated lab environments designed for security testing.