forked from baka9moe/CVE-2021-3156-Exp
sudo_pwn.py
156 lines (73 loc) · 3.17 KB
#!/usr/bin/env python3
'''
We discovered a heap-based buffer overflow in Sudo
(https://www.sudo.ws/). This vulnerability:
- is exploitable by any local user (normal users and system users,
sudoers and non-sudoers), without authentication (i.e., the attacker
does not need to know the user's password);
- was introduced in July 2011 (commit 8255ed69), and affects all legacy
versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to
1.9.5p1, in their default configuration.
We developed three different exploits for this vulnerability, and
obtained full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10
(Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and
distributions are probably also exploitable.
'''
'''
The second crash that caught our attention is:

------------------------------------------------------------------------
Program received signal SIGSEGV, Segmentation fault.
0x00007f6bf9c294ee in nss_load_library (ni=ni@entry=0x55cf1a1dd040) at nsswitch.c:344
=> 0x7f6bf9c294ee <nss_load_library+46>: cmpq   $0x0,0x8(%rbx)
rbx            0x41414141414141    18367622009667905
------------------------------------------------------------------------

The glibc's function nss_load_library() crashed (at line 344) because we
overwrote the pointer "library", a member of a heap-based struct
service_user:

------------------------------------------------------------------------
327 static int
328 nss_load_library (service_user *ni)
329 {
330   if (ni->library == NULL)
331     {
...
338       ni->library = nss_new_service (service_table ?: &default_table,
339                                      ni->name);
...
342     }
343
344   if (ni->library->lib_handle == NULL)
345     {
346       /* Load the shared library.  */
347       size_t shlen = (7 + strlen (ni->name) + 3
348                       + strlen (__nss_shlib_revision) + 1);
349       int saved_errno = errno;
350       char shlib_name[shlen];
351
352       /* Construct shared object name.  */
353       __stpcpy (__stpcpy (__stpcpy (__stpcpy (shlib_name,
354                                               "libnss_"),
355                                     ni->name),
356                           ".so"),
357                 __nss_shlib_revision);
358
359       ni->library->lib_handle = __libc_dlopen (shlib_name);
------------------------------------------------------------------------

We can easily transform this struct service_user overwrite into an
arbitrary code execution:

- we overwrite ni->library with a NULL pointer, to enter the block at
  lines 330-342, avoid the crash at line 344, and enter the block at
  lines 344-359;

- we overwrite ni->name (an array of characters, initially "systemd")
  with "X/X";

- lines 353-357 construct the name of a shared library "libnss_X/X.so.2"
  (instead of "libnss_systemd.so.2");

- at line 359, we load our own shared library "libnss_X/X.so.2" from the
  current working directory and execute our _init() constructor as root.

We successfully tested this second exploit on Ubuntu 20.04, Debian 10,
and Fedora 33.
'''
# Placeholder "exploit": this script does not implement the overflow described
# in the docstrings above. It only prints a banner and echoes whatever is typed
# at the prompt, exiting cleanly on Ctrl-D.
print("[*] Sudo Exploit")
while True:
    try:
        i = input('# ')
    except EOFError:
        break
    print(i)
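Added example, not part of this repository or of the quoted advisory: a defender-side check that parses the first line of `sudo --version` and compares the reported upstream version against the two affected ranges the docstring quotes (1.8.2 through 1.8.31p2, 1.9.0 through 1.9.5p1). The function names, the regular expression and the sample version strings are this example's own; `sudo --version` is the real command.

```python
#!/usr/bin/env python3
"""Version-range check for CVE-2021-3156 (added example, not the repo's code).

The ranges come from the advisory text quoted in sudo_pwn.py: legacy 1.8.2
through 1.8.31p2 and stable 1.9.0 through 1.9.5p1 are affected.
"""
import re
import subprocess

# Inclusive (low, high) bounds as (major, minor, patch, p-level) tuples,
# taken from the affected ranges quoted above.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

# Matches "1.8.31", "1.9.5p1" or "1.8" anywhere in a string such as the first
# line of `sudo --version` ("Sudo version 1.8.31"). Assumed format.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) for the first version in text, or None.

    A missing patch level or "pN" suffix is treated as 0, so "1.8" sorts
    below "1.8.2" and "1.9.5" sorts below "1.9.5p1".
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_affected(version):
    """True if the upstream version tuple lies inside an affected range."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def check_installed(sudo_path="sudo"):
    """Run `sudo --version` on this host and classify the reported version.

    Returns "affected", "not-affected" or "unknown". Distributions commonly
    backport the fix without changing the upstream version string, so
    "affected" means "compare against the vendor's patched package version",
    not a confirmed vulnerability.
    """
    try:
        out = subprocess.run([sudo_path, "--version"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        # sudo binary missing or not executable at the given path.
        return "unknown"
    first_line = out.splitlines()[0] if out else ""
    version = parse_sudo_version(first_line)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


if __name__ == "__main__":
    print(check_installed())
```

The classification is deliberately conservative: a version string inside the range only says the upstream release was vulnerable, so the next step is to compare the installed package version with the distribution's security advisory for this CVE rather than to treat the result as proof either way.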